DEV IN PROGRESS

Some differences between ROST and YARA

The ROST grammar is mostly compatible with the YARA grammar.

However, even if the final features are largely the same between the two tools, the grammars may differ a little: optimizations make some keywords useless, semantics get some extensions, and so on.

This page aims to list the major differences any user should know.

Removed keywords

No import keyword

There is no need to explicitly import modules with ROST. Modules are registered for use at startup, with no significant performance cost, and are then available for filtering.

YARA's import keyword is thus accepted by ROST for compatibility reasons, but it is ignored.

For instance, the following few lines build a valid rule definition (even if it is suboptimal):

Example:

rule KeepPeFiles
{
    condition:
        // Check for MZ header
        hash.md5(0, 2) == "ac6ad5d9b99757c3a878f2d275ace198"
}

Generic size for strings

As strings are handled as character sequences when needed, there is no need for a specialized length() function inside the string core module.

Instead, the generic count() function can be used to compute the size of a given string.

Example:

rule StringLength
{
    condition:
        // Compute the length of a string
        count("123") == 3
}

As strings are byte sequences, any NUL bytes are taken into account.
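As an added illustration (not code from the ROST project), here is a small Python emulation of the two conditions used above, run over constructed buffers. It assumes, as YARA does, that hash.md5() is undefined when the requested range falls outside the scanned data; the names hash_md5, count and keep_pe_files are this example's own.

```python
import hashlib
from typing import Optional, Union

# MD5 constant taken verbatim from the KeepPeFiles rule above.
MZ_MD5 = "ac6ad5d9b99757c3a878f2d275ace198"


def hash_md5(data: bytes, offset: int, size: int) -> Optional[str]:
    """Emulate hash.md5(offset, size) over an in-memory buffer.

    Assumption (not stated on this page): like YARA, the result is
    undefined (None here) when the range is not fully inside the data.
    """
    if offset < 0 or size < 0 or offset + size > len(data):
        return None
    return hashlib.md5(data[offset:offset + size]).hexdigest()


def count(value: Union[str, bytes]) -> int:
    """Emulate the generic count() applied to a string.

    Strings are byte sequences, so embedded NUL bytes are counted,
    unlike a C strlen() that would stop at the first NUL.
    """
    if isinstance(value, str):
        value = value.encode("utf-8")
    return len(value)


def keep_pe_files(data: bytes) -> bool:
    """Condition of the KeepPeFiles rule: MD5 of the first two bytes."""
    return hash_md5(data, 0, 2) == MZ_MD5


if __name__ == "__main__":
    # Constructed sample inputs: a PE-like and an ELF-like header.
    pe_like = b"MZ\x90\x00\x03\x00"
    elf_like = b"\x7fELF\x02\x01"
    print("PE-like kept:", keep_pe_files(pe_like))
    print("ELF-like kept:", keep_pe_files(elf_like))
    print("count('123') =", count("123"))
    print("count(b'12\\x003') =", count(b"12\x003"))
    # A one-byte buffer cannot supply two bytes to hash: undefined.
    print("hash over a 1-byte buffer:", hash_md5(b"M", 0, 2))
```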