Mark Fortescue wrote:
> Hi
>
> I know nothing about YARA but you could try escaping the hash in case it is being treated as a comment line.
>
> e.g. \#a > 1

The comment metasymbol for Yara rules is "//", but I tried this anyway as a long shot:

$ clamscan -d foo.yar
LibClamAV Error: yyerror(): foo.yar line 3 syntax error, unexpected '\\'
LibClamAV Error: cli_loadyara: failed to parse rules file foo.yar, error count 1

pretty much as expected.

The rule is syntactically correct, otherwise Clam would throw a fit.

The ClamAV signature-writing guide makes no mention of this Yara feature being disabled, limited, or otherwise not implemented to match the Yara docs from http://yara.readthedocs.io/en/v3.5.0/; it *does* mention some other specific limits so I would assume this should be working.

I don't think this is related to Clam's requirement for two-byte fixed references in patterns in all other pattern-matching signature types, since I have another Yara rule for a series of obfuscated Javascript that uses a similar type of regex pattern.

-kgd



> Regards
>      Mark.
>
> On 14/03/18 20:47, Kris Deugau wrote:
>> I'm still chasing signatures for a certain class of (very) oversized
>> spam with malformed HTML.  I've found an issue that is either an
>> implementation limit or a bug in ClamAV's handling of Yara rules.
>>
>> I've narrowed it down to an issue with the "#" condition variant.
>>
>> For a rule like so:
>>
>> rule badstyle {
>>    strings:
>>      $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
>>    condition:
>>      #a > 1
>> }
>>
>> and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag
>> the message.  (Note, this isn't what I'd use as a live signature!)
>>
>> If I change the condition to "$a" instead, it flags the message, so the
>> expression for $a is valid and correct.
>>
>> Since this particular series of spams will require "#a > 100" (or higher
>> counts) for safety, and none of the other signature types lend
>> themselves very well to this particular type of pattern matching, I'm
>> unable to use just a few signatures as above.  Instead I've been using a
>> crude workaround of setting up closing-on-hundreds of very similar
>> logical signatures, or an extended list of 3-6 hex-coded character
>> sequences in a single logical signature.
>>
>> -kgd
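As an added example, not part of the thread and not ClamAV or YARA code: a small Python reference evaluator for the rule's "#a" count condition. It transcribes the $a regex from the rule above, counts its occurrences in a buffer the way "#a" is documented to, evaluates single-term conditions such as "$a", "#a > 1" and "#a > 100", and builds a constructed test message with a known number of punctuation runs. That gives an independent expected verdict to set beside what clamscan reports for the same file, and lets a tester step the threshold (1, 100, ...) against a file with a known count instead of the pastebin sample. Assumptions: occurrences are counted non-overlapping with re.finditer, and the test message is synthetic and not taken from the pastebin.

```python
"""Reference evaluator for the `#a > N` count condition in the badstyle rule.

Added example, not ClamAV or YARA code. It re-implements the intended meaning
of the rule in plain Python: count occurrences of $a in a buffer and compare
the count against the threshold. That yields an independent expected verdict
for a test file, to compare with what `clamscan -d badstyle.yar` reports.
Assumption: occurrences are counted non-overlapping (re.finditer); YARA's own
counting may differ for overlapping matches, which this pattern only produces
inside one long run of punctuation.
"""
import operator
import re

# $a from the rule, transcribed to a Python bytes regex.
STRINGS = {
    "a": re.compile(rb"[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}"),
}

# Single-term conditions only: "$a" or "#a <op> N".
_COND_RE = re.compile(r"^\s*([$#])(\w+)\s*(?:(>=|<=|==|!=|>|<)\s*(\d+))?\s*$")
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def count_matches(data: bytes, name: str = "a") -> int:
    """YARA's #name: number of (non-overlapping) occurrences of $name in data."""
    return sum(1 for _ in STRINGS[name].finditer(data))


def evaluate(condition: str, data: bytes) -> bool:
    """Evaluate '$a' (present at least once) or '#a > N' style conditions."""
    m = _COND_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    kind, name, op, n = m.groups()
    if name not in STRINGS:
        raise ValueError(f"unknown string identifier: {name!r}")
    count = count_matches(data, name)
    if kind == "$":
        if op is not None:
            raise ValueError("'$name' takes no comparison")
        return count > 0
    if op is None:
        raise ValueError("'#name' needs a comparison, e.g. '#a > 1'")
    return _OPS[op](count, int(n))


def make_sample(runs: int, run_len: int = 10) -> bytes:
    """Constructed test message (not the pastebin sample): `runs` blocks of
    `run_len` characters drawn from the $a class, each padded with spaces so
    the surrounding tags cannot extend the run, inside a sloppy HTML body."""
    junk = (b"!@#$%^&*()" * (run_len // 10 + 1))[:run_len]
    block = b'<span style="x"> ' + junk + b" </span>\n"
    return b"<html><body>\n" + block * runs + b"<p>lorem ipsum\n"


if __name__ == "__main__":
    # Expected verdicts for a few thresholds, to compare against clamscan
    # run on the same bytes written out to a file.
    for runs in (1, 3, 101):
        sample = make_sample(runs)
        print(f"{runs:>3} run(s): #a = {count_matches(sample)}, "
              f"$a -> {evaluate('$a', sample)}, "
              f"#a > 1 -> {evaluate('#a > 1', sample)}, "
              f"#a > 100 -> {evaluate('#a > 100', sample)}")
```

To use it against ClamAV, write make_sample(n) to a file for a chosen n, scan it with the rule, and compare the verdict with evaluate("#a > N", data): a file where this says True for "#a > 1" but clamscan stays silent, while "$a" alone fires, isolates the count condition as the part not behaving.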
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

