External global variables

Rules can reference external variables that are defined at compile time. For instance, consider the following rule:

rule VariableExample1 {
    condition:
        ext_var == 10
}

Here, ext_var is an external variable that is defined when the rule is compiled with the --define ext_var=VALUE flag.

External variables can be integers, strings, or booleans. Integer variables can replace integer constants in conditions, while boolean variables can act as boolean expressions. For example:

rule VariableExample2 {
    condition:
        bool_ext_var or filesize < int_ext_var
}

The above rule may be compiled with the flags -d bool_ext_var=true -d int_ext_var=100 for example.

External variables of type string can be used with any operator that works on strings, like contains, startswith, endswith, etc. Let’s see some examples:

rule ContainsExample {
    condition:
        string_ext_var contains "text"
}

rule CaseInsensitiveContainsExample {
    condition:
        string_ext_var icontains "text"
}

rule StartsWithExample {
    condition:
        string_ext_var startswith "prefix"
}

rule EndsWithExample {
    condition:
        string_ext_var endswith "suffix"
}

rule MatchesExample {
    condition:
        string_ext_var matches /[a-z]+/
}

The rules above could be compiled with the flag -d string_ext_var=\"Hello\" for example.

Every external variable used in your rules must be defined at compile time. This can be done using the --define VAR=VALUE option (or -d VAR=VALUE) in the command-line tool, or by using the corresponding API in the Rust or Python bindings.
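The following is an added example, not part of the original documentation, showing both ways of supplying external variables described above: building an argument list for the command-line tool (so that a string value is passed as one argument and never interpreted by a shell), and compiling the same rules through the Python bindings. It assumes the YARA-X command-line tool is invoked as yr scan and that the Python package yara_x exposes Compiler.define_global, Compiler.add_source, Compiler.build, Rules.scan and ScanResults.matching_rules; the rule source and sample data are constructed for the example.

```python
"""Supplying YARA-X external variables from Python: via argv for the
command-line tool, and via the Python API.  Example code, not part of
YARA-X; tool and API names are assumptions stated in the lead-in."""
import re
import subprocess
from typing import Dict, List, Optional, Union

# Constructed rule source using the three variable types the section covers.
RULE_SOURCE = """
rule VariableExample2 {
    condition:
        bool_ext_var or filesize < int_ext_var
}

rule ContainsExample {
    condition:
        string_ext_var icontains "text"
}
"""

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_define(name: str, value: Union[bool, int, str]) -> str:
    """Render one VAR=VALUE pair as given to --define / -d.

    bool is checked before int because bool is a subclass of int in Python.
    A string value is written as a quoted literal, which is what the shell
    delivers for the documented form -d string_ext_var=\\"Hello\\".  The
    page documents no escape syntax inside that literal, so values that
    contain a quote or backslash are rejected rather than guessed at.
    """
    if not _IDENT.match(name):
        raise ValueError(f"invalid external variable identifier: {name!r}")
    if isinstance(value, bool):
        rendered = "true" if value else "false"
    elif isinstance(value, int):
        rendered = str(value)
    elif isinstance(value, str):
        if '"' in value or "\\" in value:
            raise ValueError("quotes and backslashes in string values are not supported here")
        rendered = f'"{value}"'
    else:
        raise TypeError(f"unsupported external variable type: {type(value).__name__}")
    return f"{name}={rendered}"


def build_scan_argv(rule_path: str, target: str,
                    defines: Dict[str, Union[bool, int, str]]) -> List[str]:
    """Build argv for the command-line tool (assumed: `yr scan RULES TARGET`).

    Returning a list and never a shell string means a value such as
    'Hello; rm -rf /' stays a single argument to yr instead of a command.
    """
    argv = ["yr", "scan"]
    for name, value in defines.items():
        argv += ["--define", render_define(name, value)]
    argv += [rule_path, target]
    return argv


def run_scan(argv: List[str]) -> subprocess.CompletedProcess:
    """Run the built argv without a shell and return the completed process."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def scan_with_globals(data: bytes,
                      defines: Dict[str, Union[bool, int, str]]) -> Optional[List[str]]:
    """Compile RULE_SOURCE with the Python bindings and scan `data`.

    Returns the sorted identifiers of matching rules, or None when the
    yara_x package is not installed.  The API names used are assumptions.
    """
    try:
        import yara_x
    except ImportError:
        return None
    compiler = yara_x.Compiler()
    for name, value in defines.items():
        compiler.define_global(name, value)   # must precede add_source
    compiler.add_source(RULE_SOURCE)
    rules = compiler.build()
    results = rules.scan(data)
    return sorted(rule.identifier for rule in results.matching_rules)


if __name__ == "__main__":
    defines = {"bool_ext_var": False, "int_ext_var": 100, "string_ext_var": "Hello"}
    print(build_scan_argv("rules.yar", "/path/to/sample", defines))
    # Constructed 14-byte sample: filesize < 100 holds, "text" is absent.
    print(scan_with_globals(b"some TEXT here", defines))
```

The argv list prints as ['yr', 'scan', '--define', 'bool_ext_var=false', '--define', 'int_ext_var=100', '--define', 'string_ext_var="Hello"', 'rules.yar', '/path/to/sample']; the quotes around Hello are part of the argument itself, which is why the shell form on this page needs them backslash-escaped. With the bindings installed, the sample data matches only VariableExample2: bool_ext_var is false, but the 14-byte input is smaller than int_ext_var, and "Hello" does not contain "text".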