Mark Fortescue wrote:
> Hi
>
> I know nothing about YARA but you could try escaping the hash in case it
> is being treated as a comment line.
>
> e.g. \#a > 1

The comment metasymbol for Yara rules is "//", but I tried this anyway
as a long shot:

$ clamscan -d foo.yar
LibClamAV Error: yyerror(): foo.yar line 3 syntax error, unexpected '\\'
LibClamAV Error: cli_loadyara: failed to parse rules file foo.yar, error count 1

Pretty much as expected.

The rule is syntactically correct, otherwise Clam would throw a fit.

The ClamAV signature-writing guide makes no mention of this Yara feature
being disabled, limited, or otherwise not implemented to match the Yara
docs from http://yara.readthedocs.io/en/v3.5.0/; it *does* mention some
other specific limits so I would assume this should be working.

I don't think this is related to Clam's requirement for two-byte fixed
references in patterns in all other pattern-matching signature types,
since I have another Yara rule for a series of obfuscated Javascript
that uses a similar type of regex pattern.

-kgd

> Regards
> Mark.
>
> On 14/03/18 20:47, Kris Deugau wrote:
>> I'm still chasing signatures for a certain class of (very) oversized
>> spam with malformed HTML. I've found an issue that is either an
>> implementation limit or a bug in ClamAV's handling of Yara rules.
>>
>> I've narrowed it down to an issue with the "#" condition variant.
>>
>> For a rule like so:
>>
>> rule badstyle {
>>     strings:
>>         $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
>>     condition:
>>         #a > 1
>> }
>>
>> and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag
>> the message. (Note, this isn't what I'd use as a live signature!)
>>
>> If I change the condition to "$a" instead, it flags the message, so the
>> expression for $a is valid and correct.
>>
>> Since this particular series of spams will require "#a > 100" (or higher
>> counts) for safety, and none of the other signature types lend
>> themselves very well to this particular type of pattern matching, I'm
>> unable to use just a few signatures as above. Instead I've been using a
>> crude workaround of setting up closing-on-hundreds of very similar
>> logical signatures, or an extended list of 3-6 hex-coded character
>> sequences in a single logical signature.
>>
>> -kgd
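To separate "the regex is wrong" from "the scanner's count condition is not honoured", it helps to evaluate the rule's `$a` and `#a > N` conditions outside ClamAV. The script below is an added example written for this thread; it is not code from the thread, from ClamAV or from YARA. It reuses the regex from the `badstyle` rule, counts non-overlapping matches as an approximation of YARA's `#a` count (an assumption: YARA's engine may count overlapping occurrences differently), and runs the two condition forms over three constructed sample messages, not the pastebin message. The `evaluate` and `flagged` helpers and the sample strings are hypothetical names introduced here.

```python
import re

# The regex exactly as written in the rule above: a run of ten
# "punctuation noise" characters. Python's re accepts the same escapes.
PUNCT_RUN = re.compile(r"[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}")

# Constructed sample messages (not the pastebin message from the thread).
CLEAN = "<html><body><p>Quarterly report attached.</p></body></html>"
ONE_RUN = "Dear user, !!!!!!!!!! please see the attached invoice"
MANY_RUNS = "x " + "!@#$%^&*()" * 3 + " y"   # 30 consecutive noise chars

# Accepted shape of a count condition: "#a OP N"; longer operators first.
_COND_RE = re.compile(r"#a\s*(>=|<=|==|>|<)\s*(\d+)")


def count_matches(pattern, data):
    """Number of non-overlapping matches of `pattern` in `data`.
    Assumption: this approximates YARA's `#a` count. YARA's own engine may
    count overlapping occurrences differently, so treat the number as an
    estimate when comparing with a real scanner's verdict."""
    return sum(1 for _ in pattern.finditer(data))


def evaluate(condition, data, pattern=PUNCT_RUN):
    """Evaluate the two condition forms discussed in the thread:
       '$a'      -> True when the string matches at least once
       '#a OP N' -> compare the match count with N (OP in > >= < <= ==)
    """
    cond = condition.strip()
    n = count_matches(pattern, data)
    if cond == "$a":
        return n >= 1
    m = _COND_RE.fullmatch(cond)
    if m is None:
        raise ValueError(f"unsupported condition: {condition!r}")
    op, threshold = m.group(1), int(m.group(2))
    return {
        ">": n > threshold, ">=": n >= threshold,
        "<": n < threshold, "<=": n <= threshold, "==": n == threshold,
    }[op]


def flagged(condition, messages):
    """Indexes of the messages the condition flags; compare this list with
    the scanner's verdicts to see whether it is the regex or the count
    condition that is misbehaving."""
    return [i for i, msg in enumerate(messages) if evaluate(condition, msg)]


if __name__ == "__main__":
    samples = [CLEAN, ONE_RUN, MANY_RUNS]
    for cond in ("$a", "#a > 1", "#a > 100"):
        counts = [count_matches(PUNCT_RUN, s) for s in samples]
        print(f"{cond:10} -> counts {counts}, flagged {flagged(cond, samples)}")
```

With these samples, `$a` flags the one-run and the many-run message, `#a > 1` flags only the many-run message, and `#a > 100` flags nothing; a scanner that accepts the rule but reports the `$a` result for `#a > 1` is not applying the count.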
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml