Superrule generation logic

[kryponix]

Hi,
Is it possible that the super-rule generation condition is inverted?
Inspecting the code, there's a condition that practically (unless there're at least 20 rules by default) stops the code from generating a super-rule (...if len(combinations[combi]["strings"]) >= int(args.rc):..).
Inverting the condition, allows the script to generate super-rules. It seems to me that args.rc, as described by the documentation shouldn't be playing that role in that condition.
I do agree that simply inverting the condition, might be a simplistic approach and that, of course, I just landed in the code and did not try it throughly, and will be more likely missing sth.
But reality is that the script does not generate super-rules even in cases where it should (I don't expect a super-rule covering dozens of (similar) samples to have more than 20 rules).
And as I stated before, it seems args.rc is being used with two different meanings (maximum number of strings for simple rules, (sort of a) minimum for super-rules.
Pls, forget me if I made a basic mistake (I'm not proficient in Python).
Thanks in advance for your help.

[Neo23x0]

No. Everything works as expected.
As super rule is only generated if a minimum number of strings can be found in all samples.
That minimum number of strings is the "-rc" parameter.
So, if yarGen is ordered to extract 40 strings from a file and include them in a rule with "-rc 40", it requires 40 strings that can be found in all samples to create a rule for these samples.

[kryponix]

Thanks, Yep, I see that. But I can't stop wondering the semantics. What I wanted to point out is that the same parameter is used for single and super rules in the same run. Therefore, if I apply yaraGen over 10 samples and get, let's say, 10 simple rules with 12 strings each, I don't expect the super rule to have 12 strings minimum. I'd be more than happy to have a super rule with, let's say, 9 common strings for all samples, no? At least as an alternative to nothing. El mié., 17 jul. 2019 a las 12:54, Florian Roth (<notifications@github.com>) escribió:

…

No. Everything works as expected. As super rule is only generated if a minimum number of strings can be found in all samples. That minimum number of strings is the "-rc" parameter. So, if yarGen is ordered to extract 40 strings from a file and include them in a rule with "-rc 40", it requires 40 strings that can be found in all samples to create a rule for these samples. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#22?email_source=notifications&email_token=AMULO6AS72H6VKOWWFRV2QLP7327LA5CNFSM4IEOVS7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2D2DGQ#issuecomment-512205210>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AMULO6BMZHWYZOLFMVR2CLTP7327LANCNFSM4IEOVS7A> .

[Neo23x0]

I've changed that behaviour in the latest commit.
Use -w to set a number of overlapping strings. (default is 5)

We have to test that behaviour now. I am not sure that this doesn't have any side effects.