On Thu, 30 Jun 2016 11:26:07 -0400 Steven Morgan <[email protected]> wrote:
> On Thu, Jun 30, 2016 at 10:06 AM, Axb <[email protected]> wrote:
>
> > When trying to use filesize condition in a Yara sig
> >
> > rule FileSize_200KB
> > {
> >     condition:
> >         filesize < 200KB
> > }
> >
>
> Hi,
>
> That is correct. ClamAV uses matching of yara strings to drive the
> yara condition. filesize will work in a yara condition in ClamAV, but
> only when there is a string match. I'd suppose something like this
> should work:
>
> rule Filesize_200KB
> {
>     strings:
>         $abc = "abc"
>
>     condition:
>         ($abc and not $abc) and filesize < 200KB
> }
>
>
> Steve
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

Shouldn't exactly one 'and' be an 'or' in:
"($abc and not $abc) and filesize < 200KB"
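
The three readings of the condition discussed in this thread, evaluated over four constructed samples. This is an added example, not code from either poster or from ClamAV; the `gated` switch is only a model of the behaviour Steve describes (the condition is evaluated only when a string matched), and the names `VARIANTS`, `SAMPLES`, `fires` and `matches` are made up for the illustration.

```python
# Boolean model of the rule condition from the thread (illustration only).
LIMIT = 200 * 1024  # YARA's KB suffix multiplies by 1024

# abc   = the string $abc was found in the data
# small = filesize < 200KB
VARIANTS = {
    # ($abc and not $abc) and filesize < 200KB   (as posted)
    "posted": lambda abc, small: (abc and not abc) and small,
    # ($abc or not $abc) and filesize < 200KB    (first 'and' -> 'or')
    "first_or": lambda abc, small: (abc or not abc) and small,
    # ($abc and not $abc) or filesize < 200KB    (second 'and' -> 'or')
    "second_or": lambda abc, small: (abc and not abc) or small,
}

# Constructed sample inputs, not real files.
SAMPLES = {
    "small_with_abc": b"xxabcxx",
    "small_no_abc": b"xxxxxxx",
    "large_with_abc": b"abc" + b"\0" * LIMIT,
    "large_no_abc": b"\0" * LIMIT,
}


def fires(cond, data, gated):
    """Return True if the condition would report a match on data."""
    abc = b"abc" in data
    small = len(data) < LIMIT
    # Assumption taken from Steve's message: with no string match the
    # condition is never evaluated, so nothing can be reported.
    if gated and not abc:
        return False
    return bool(cond(abc, small))


def matches(gated):
    """Map each variant name to the set of sample names it fires on."""
    return {
        name: {s for s, data in SAMPLES.items() if fires(cond, data, gated)}
        for name, cond in VARIANTS.items()
    }


if __name__ == "__main__":
    for gated in (False, True):
        print("string-match gated" if gated else "plain boolean evaluation")
        for name, hit in matches(gated).items():
            print(f"  {name:10} -> {sorted(hit) or 'never fires'}")
```

The condition as posted never fires in either mode. With one 'and' changed to 'or' it reduces to the size test, and under the gated model that test is only reached for data that contains "abc".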
