Hi everyone,
Is there a way to get the length of a string in YARA-L? For example, I'd like to alert on DNS queries longer than a certain threshold.
Page 1 / 1
Lunch break helped, I found a workaround with regex, at least for my case:
events:
$dns.metadata.event_type = "NETWORK_DNS"
$dns.network.dns.questions.name = $dns_query
// DNS Query at least 100 characters long
$dns_query = /\\S{100,}/
Great call out! I will add that if someone wanted to do this in search they could use the same technique.
metadata.event_type = "NETWORK_DNS" and network.dns.questions.name = /\\S{100,}/
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.