Starting Your Yara Rule With a Wild Card

Posted: September 22nd, 2012 | Author: | Filed under: IT Related | Tags: , , | No Comments »

I’ve worked on an update of BlackHole rule yesterday, after seeing new patterns appear on BlackHole 2 which is different compare to the initial release of BlackHole 2. Samples were downloaded from MalwareDomainList and Contagiodump.

These new changes require me to use extreme regex for the detection. I’ve accidentally start one of the regex with a wild card and on the dry run test, I’m very disappointed with the performance. Lets see the time taken:

After performing some tweak to the regex, so here is the screenshot of the time taken:

What a different!!

So as for the advice, please read Yara PerformanceGuidelines documentation to get the best performance for your rule.

For MyYaraSIG members, you may refer to commit 8b12d51463

Thanks

Update

Btw, don’t you wanna know the detection rate in virustotal? 🙂



Leave a Reply