Today we will go deeper into using regular expressions in rules with the introduction of the function re.capture.
re.capture gives us a way to extract a portion of a value within a field. From there, we can compare that portion to another value, write the captured value to a placeholder variable, and even use it in an outcome variable that is output with the detection. The syntax for re.capture is generally a field name followed by the regular expression we are trying to match; within that expression, parentheses denote the part of the match that is captured. If you are not familiar with capture groups, don't worry, we will walk through an example. Like other functions, the captured value can be nested and used with other functions.
Follow along in the video below to see how re.capture can be used in a YARA-L rule.
re.capture allows us to capture a portion of a value that can then be used for comparison or applied elsewhere in our rule. The syntax contains both the field and the regular expression, and remember that parentheses mark the portion of the string you want to capture. Finally, once captured, these values can be used elsewhere in the rule, or we can nest re.capture inside other functions.
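To make the three uses above concrete (compare the captured portion, keep it in a placeholder, roll it into an outcome), here is an added Python model of how re.capture behaves inside a rule. It is example code written for this post, not YARA-L and not code from the video: the `re_capture` helper mirrors the function's behaviour as I understand it (first capture group if the pattern has one, otherwise the whole match, empty string on no match), the sample events are constructed in a UDM-like shape, and the YARA-L lines shown in comments are illustrative of the corresponding rule syntax.

```python
import re

# Constructed sample events, shaped loosely like UDM records. Not real data.
EVENTS = [
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"user": {"email_addresses": ["alice@corp.example.com"]},
                   "hostname": "WS-ALICE-01"}},
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"user": {"email_addresses": ["mallory@Evil-Mail.example"]},
                   "hostname": "ws-mallory-02"}},
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"user": {"email_addresses": ["bob@corp.example.com"]},
                   "hostname": "SRV-DB-01"}},
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"user": {"email_addresses": ["carol@partner.example"]},
                   "hostname": "WS-CAROL-03"}},
    {"metadata": {"event_type": "PROCESS_LAUNCH"},       # filtered out by event_type
     "principal": {"user": {"email_addresses": ["dave@partner.example"]},
                   "hostname": "WS-DAVE-04"}},
]


def re_capture(value: str, pattern: str) -> str:
    """Model of YARA-L re.capture (assumed semantics, see lead-in).

    - pattern has a capture group  -> return the first group's text
    - pattern has no capture group -> return the whole matched text
    - no match at all              -> return ""  (so comparisons fail safely)
    """
    m = re.search(pattern, value)
    if m is None:
        return ""
    if m.re.groups:                      # parentheses present: return group 1
        return m.group(1) or ""
    return m.group(0)                    # no parentheses: return entire match


def evaluate_rule(events, trusted_domain="corp.example.com"):
    """Model of a rule's events/outcome sections using captured values.

    Roughly the YARA-L shape being modelled (illustrative, not from the page):
        $e.metadata.event_type = "USER_LOGIN"
        $domain = strings.to_lower(re.capture($e.principal.user.email_addresses, "@(.+)$"))
        $domain != "corp.example.com"
    Returns (matched events with placeholders, outcome: count per domain).
    """
    matches = []
    logins_per_domain = {}               # stands in for an outcome variable
    for e in events:
        if e["metadata"]["event_type"] != "USER_LOGIN":
            continue
        email = e["principal"]["user"]["email_addresses"][0]

        # Nesting: lowercase the captured domain before comparing, so
        # "Evil-Mail.example" and "evil-mail.example" are treated the same.
        domain = re_capture(email, "@(.+)$").lower()

        # A second placeholder: the host naming prefix before the first dash.
        host_prefix = re_capture(e["principal"]["hostname"], "^([A-Za-z]+)-").upper()

        # Comparison: ignore logins from the trusted domain (or malformed
        # addresses where the capture returned "").
        if domain == "" or domain == trusted_domain:
            continue

        matches.append({"email": email, "domain": domain, "host_prefix": host_prefix})
        logins_per_domain[domain] = logins_per_domain.get(domain, 0) + 1
    return matches, logins_per_domain


if __name__ == "__main__":
    hits, per_domain = evaluate_rule(EVENTS)
    for h in hits:
        print(f"{h['email']:30} domain={h['domain']:20} host_prefix={h['host_prefix']}")
    print("logins per external domain:", per_domain)
```

The no-match case is the one to keep in mind when writing comparisons: because a failed capture yields an empty string rather than an error, a condition like `$domain != "corp.example.com"` would be true for a value with no `@` at all, so the model explicitly drops empty captures before comparing.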
Check out these additional resources with more information and learning opportunities: