Counting the number of times each string matches in YARA, with awk...
wxs@wxs-mbp yara % cat rules/test.yara
// Test rule: two text strings; the rule fires if either one is present.
// $a is matched case-insensitively (nocase); $b is a short, generic string,
// so `any of them` hits many ordinary binaries (see the /bin run below).
rule a { strings: $a = "FreeBSD" nocase $b = "usage: " condition: any of them }
wxs@wxs-mbp yara % ./yara -s rules/test.yara /bin/ls
a /bin/ls
0xb8e1:$a: FreeBSD
0xb9a1:$a: FreeBSD
0xb9f1:$a: FreeBSD
0xba41:$a: FreeBSD
0x1b8f1:$a: FreeBSD
0x1b99d:$a: FreeBSD
0x1b9e0:$a: FreeBSD
0x1ba27:$a: FreeBSD
0xbf1c:$b: usage:
0x1bf02:$b: usage:
wxs@wxs-mbp yara % cat count.awk
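#!/bin/awk -f
# Summarise `yara -s` output: after each "<rule> <file>" header line, print
# how many times each string identifier matched in that file.
#
# Input (what `yara -s` prints):
#   a /bin/ls              header: rule name and scanned file
#   0xb8e1:$a: FreeBSD     one match: offset, string identifier, matched data
# Output: the header line unchanged, then one "<id>: <count>" line per
# identifier, in the order each identifier was first seen.  The ordering of
# awk's `for (k in arr)` is unspecified, so an explicit order array is kept
# to make the output deterministic.
#
# Only $1 ("0x<offset>:<id>:") is parsed; the matched data after it comes
# from the scanned file and is never used as an array key.
#
# Written in portable awk: no length(array) and no `delete array`, both of
# which are extensions in older awks.

# Print the counts gathered since the last header line, then reset state.
function flush(   i) {
  for (i = 1; i <= n; i++) {
    print order[i] ": " strings[order[i]];
  }
  split("", strings);   # portable way to empty an array
  split("", order);
  n = 0;
}

# Any line not starting with an offset is a header (or other yara output):
# emit the previous file's counts, then echo the line as-is.
!/^0x/ {
  flush();
  print;
}

# Match line: count it under its string identifier (second ":"-separated
# field of $1), remembering first-seen order.
/^0x/ {
  split($1, fields, ":");
  id = fields[2];
  if (!(id in strings)) {
    order[++n] = id;
  }
  strings[id]++;
}

# Flush counts for the last file, which has no following header.
END {
  flush();
}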
wxs@wxs-mbp yara % ./yara -s rules/test.yara /bin/ls | awk -f count.awk
a /bin/ls
$a: 8
$b: 2
wxs@wxs-mbp yara %
And here it is run against all of /bin on my laptop:
wxs@wxs-mbp yara % ./yara -s rules/test.yara /bin | awk -f count.awk
a /bin/wait4path
$b: 2
a /bin/cat
$a: 2
$b: 2
a /bin/df
$a: 4
$b: 2
a /bin/sleep
$a: 2
$b: 2
a /bin/test
$a: 2
a /bin/stty
$a: 14
$b: 2
a /bin/link
$a: 2
$b: 2
a /bin/dd
$a: 12
a /bin/mkdir
$a: 2
$b: 2
a /bin/ps
$a: 6
$b: 2
a /bin/hostname
$a: 2
$b: 2
a /bin/rmdir
$a: 2
$b: 2
a /bin/mv
$a: 2
$b: 2
a /bin/ln
$a: 2
$b: 2
a /bin/ed
$a: 14
$b: 2
a /bin/cp
$a: 4
$b: 4
a /bin/pax
$b: 6
a /bin/ls
$a: 8
$b: 2
a /bin/rm
$a: 2
$b: 2
a /bin/chmod
$a: 2
a /bin/unlink
$a: 2
$b: 2
a /bin/echo
$a: 2
a /bin/date
$a: 6
$b: 2
a /bin/dash
$b: 2
a /bin/kill
$a: 2
$b: 2
a /bin/[
$a: 2
a /bin/pwd
$a: 2
$b: 2
a /bin/bash
$b: 2
wxs@wxs-mbp yara %