Skip to main content
Solved

Use string length in YARA-L rule

  • December 7, 2023
  • 2 replies
  • 38 views
L
Forum|alt.badge.img+4

Hi everyone,

Is there a way to get the length of a string in YARA-L? For example, I'd like to alert on DNS queries longer than a certain threshold.

Best answer by lukas-lr

Lunch break helped, I found a workaround with regex, at least for my case:

events: $dns.metadata.event_type = "NETWORK_DNS" $dns.network.dns.questions.name = $dns_query // DNS Query at least 100 characters long $dns_query = /\\S{100,}/

2 replies

L
Forum|alt.badge.img+4
  • lukas-lrBronze 2
  • Author
  • Bronze 2
  • Answer
  • December 7, 2023

Lunch break helped, I found a workaround with regex, at least for my case:

events: $dns.metadata.event_type = "NETWORK_DNS" $dns.network.dns.questions.name = $dns_query // DNS Query at least 100 characters long $dns_query = /\\S{100,}/
jstoner
I
mokatsu
jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • December 7, 2023

Great call out! I will add that if someone wanted to do this in search they could use the same technique.

metadata.event_type = "NETWORK_DNS" and network.dns.questions.name = /\\S{100,}/
mokatsu
L
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.