[Forensics-changes] [yara] 73/407: Improve atom quality calculation
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:11 UTC 2017
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit f37e97eab1522268ac5583ec921d864e4b3157ce
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date: Fri Sep 26 14:07:24 2014 +0200
Improve atom quality calculation
By avoiding bytes 0x00 and 0xFF at the beginning of the atom, an 8x speedup was observed with a very large set of rules.
---
libyara/atoms.c | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/libyara/atoms.c b/libyara/atoms.c
index 3e5c185..2b89424 100644
--- a/libyara/atoms.c
+++ b/libyara/atoms.c
@@ -106,7 +106,7 @@ int _yr_atoms_quality(
uint8_t* atom,
int atom_length)
{
- int common_bytes = 0;
+ int penalty = 0;
int unique_bytes = 0;
int is_unique;
int i, j;
@@ -114,7 +114,23 @@ int _yr_atoms_quality(
for (i = 0; i < atom_length; i++)
{
if (atom[i] == 0x00 || atom[i] == 0xFF)
- common_bytes++;
+ {
+ // Penalize common bytes like 0x00 and 0xFF, specially if they are
+ // in the first two positions.
+
+ switch(i)
+ {
+ case 0:
+ penalty += 3;
+ break;
+ case 1:
+ penalty += 2;
+ break;
+ default:
+ penalty += 1;
+ break;
+ }
+ }
is_unique = TRUE;
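Review bot: The position weights 3, 2 and 1 in the new switch are unnamed magic numbers, and the comment introducing them has a typo ("specially" should be "especially"); the whole switch collapses to one line, `penalty += (i < 2) ? 3 - i : 1; // 0x00/0xFF hurt most in the first two positions`, which reads as the commit message describes it. Note that with these weights the score can now go negative (an atom of two 0x00 bytes gets 2 + 0 - 5 = -3 from the return on the next hunk), which is fine for ranking candidates against each other but should be checked against any caller that treats quality as non-negative; the callers are not visible here. `_yr_atoms_quality` starts before this hunk and its loop body continues past it.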
@@ -129,7 +145,7 @@ int _yr_atoms_quality(
unique_bytes += 1;
}
- return atom_length + unique_bytes - common_bytes;
+ return atom_length + unique_bytes - penalty;
}
//
--