/* matching hex values and string values and filesize */
/*
 * Three small rules exercising three YARA condition styles: a hex string
 * anchored at a fixed offset, a plain text string, and a filesize
 * comparison. The `trigger` meta key is not a YARA keyword; it looks like a
 * test-harness expectation of whether the rule should fire on the sample
 * file — confirm against the harness before relying on it.
 */

// Matches the DOS-stub message at a fixed offset.
rule this_program_cannot {
    meta:
        author = "sir"
        date = "20110429"
        type = "PE"
        description = "Executable file detection using hex values at offset"
        trigger = "true"
    strings:
        // These bytes are the ASCII text "This program cannot" (the start
        // of the usual "This program cannot be run in DOS mode" stub text).
        $a = { 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 }
    condition:
        // Offset 78 (0x4E) is where the message sits in the common
        // Microsoft-linker DOS stub; PE files with a custom stub will not
        // match. NOTE(review): no MZ header check precedes this, so any
        // file carrying the text at this exact offset matches.
        $a at 78
}

// Matches any occurrence of the bare text "DOS".
rule this_program_also_cannot {
    meta:
        author = "sir"
        date = "20110429"
        type = "PE"
        description = "Executable file"
        trigger = "false"
    strings:
        // No `fullword`, `ascii`/`wide` or offset constraint: any file that
        // contains these three bytes anywhere is a hit, so expect a high
        // false-positive rate if this is used for real detection rather
        // than as a parser/syntax sample.
        $a = "DOS"
    condition:
        $a
}

// Fires on size alone.
rule filesize_match {
    meta:
        author = "sir"
        date = "20110429"
        type = "PE"
        description = "Executable file size match"
        trigger = "false"
    condition:
        // YARA's KB suffix is 1024-based, so this is 204800 bytes. There is
        // no strings section and no header check, so despite type = "PE"
        // the rule matches every file larger than that regardless of format.
        filesize > 200KB
}