Let's look at two complementary functions that let us quickly convert the case of a value. This is helpful when a field's capitalization varies compared to other data sources or reference lists.
CIDR reference lists follow the same concepts as string reference lists but have a very specific purpose: identifying blocks of IP addresses by CIDR notation rather than matching individual IP addresses. The syntax is very similar; in the events section we specify the UDM field name followed by in cidr %list_name.
The string functions strings.to_upper and strings.to_lower provide another way to work with values whose case is variable. We've previously discussed the nocase modifier, but this time we will put both the functions and the modifier into practice. The syntax is strings.to_lower (or strings.to_upper) applied to the field name, prefixed with the event variable. These functions can compare a field against a literal value or can be nested inside other criteria.
Follow along in the video below to see how these string conversion functions can be used in a YARA-L rule.
String case conversion functions provide additional flexibility when working with fields and values that may be upper, lower or mixed case. This extends to disparate events where a join is needed to link those fields together. The syntax requires the function and the field being converted; the result can be compared against a value, or the function can be nested with other functions. nocase is another option, so know that the functions and nocase are both available and choose the one that best fits your needs.
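The following YARA-L 2.0 rule is an added example, not code from the original post, showing both techniques described above: strings.to_lower normalizing a hostname on both sides of a join between two events, nocase on a literal comparison, and an in cidr check against a reference list. The rule name, the %corp_vpn_ranges list, the 15m window and the risk score are assumptions chosen for illustration.

```yara-l
rule example_case_insensitive_host_join {
  meta:
    author = "added example, not from the original post"
    description = "Joins a login and a later process launch on the same host, normalizing hostname case before the join"
    severity = "LOW"

  events:
    // Login event; the source may record the hostname in any case.
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    // %corp_vpn_ranges is an assumed CIDR reference list of VPN address blocks.
    $login.principal.ip in cidr %corp_vpn_ranges
    $login.target.user.userid = $user
    // Lower-case the hostname and store it in the $host placeholder.
    strings.to_lower($login.target.hostname) = $host

    // Process launch from an EDR source that may capitalize hostnames differently.
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    // Same placeholder on both sides makes the join case-insensitive.
    strings.to_lower($proc.principal.hostname) = $host
    // nocase on the literal pattern handles PowerShell.exe vs powershell.exe.
    $proc.target.process.file.full_path = /powershell\.exe$/ nocase

  match:
    // Group the two events by normalized host and user within a 15 minute window.
    $host, $user over 15m

  outcome:
    // Assumed constant risk score for the detection.
    $risk_score = 35

  condition:
    $login and $proc
}
```

Without the strings.to_lower normalization, a login recorded as WKSTN-01 and a process launch recorded as wkstn-01 would never join.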
Check out these additional resources with more information and learning opportunities: