Re: how to output yara rule file information in C language

2021-05-24 Thread Wesley Shields
metas is a pointer to a YR_META structure 
(https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/types.h#L225).
 You can see how yara handles it when printing metadata about a rule here: 
https://github.com/VirusTotal/yara/blob/master/cli/yara.c#L1004

-- WXS

> On May 22, 2021, at 4:51 AM, 95 Daoge  wrote:
> 
> example:
> rule test_file
> {
>   meta:
>   author = "test"
>   description = "test mete display"
>   date = "20210522"
>   condition:
>   true
> }
> 
> use 
> yr_rule_metas_foreach(p, metas){
> printf("the message is :%s\n",metas->identifier);
> }
> I can only output: author, description and date, but I want to output
> author = "test"
> description = "test mete display"
> date = "20210522"
> 
> is this possible?
> 
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to yara-project+unsubscr...@googlegroups.com 
> .
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/yara-project/000550e7-b234-45af-981f-0ab94464b4f8n%40googlegroups.com
>  
> .

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/AE4AD0BF-0223-48B8-AB72-5B0842956865%40atarininja.org.
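Added example (mine, not code from this thread or from the YARA project) showing what the printf in the question was missing: a YR_META carries a type field, and the value lives in meta->string or meta->integer depending on it, so each meta has to be rendered per type, which is what cli/yara.c does. The block compiles on its own against a stand-in YR_META that mirrors the fields of the libyara struct (identifier, string, integer, type, flags; assumed layout for YARA 4.x); build with -DUSE_LIBYARA and -lyara to use the real headers and the main() that compiles a rules file and walks every rule with yr_rules_foreach / yr_rule_metas_foreach. The metas in demo_question_rule() are constructed from the rule in the question, not read from a compiled rule.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_LIBYARA
#include <yara.h>
#else
/* Stand-in so the formatting logic compiles without libyara.  Assumption: these
 * mirror the META_TYPE_* constants and the YR_META fields (identifier, string,
 * integer, type, flags) declared in libyara/include/yara/types.h for YARA 4.x. */
#define META_TYPE_NULL    0
#define META_TYPE_INTEGER 1
#define META_TYPE_STRING  2
#define META_TYPE_BOOLEAN 3
typedef struct
{
  const char* identifier;
  const char* string;
  int64_t integer;
  int32_t type;
  int32_t flags;
} YR_META;
#endif

/* Render one meta as `identifier = value`, picking the representation from
 * meta->type the way cli/yara.c does.  Returns the number of characters. */
int format_meta(const YR_META* meta, char* out, size_t out_len)
{
  switch (meta->type)
  {
  case META_TYPE_INTEGER:
    return snprintf(out, out_len, "%s = %" PRId64, meta->identifier, meta->integer);
  case META_TYPE_BOOLEAN:
    return snprintf(out, out_len, "%s = %s", meta->identifier, meta->integer ? "true" : "false");
  case META_TYPE_STRING:
    return snprintf(out, out_len, "%s = \"%s\"", meta->identifier, meta->string);
  default:
    return snprintf(out, out_len, "%s = <unsupported meta type %d>", meta->identifier, (int) meta->type);
  }
}

/* Print `count` metas one per line; returns how many were printed. */
int print_metas(const YR_META* metas, size_t count, FILE* fp)
{
  char line[512];
  for (size_t i = 0; i < count; i++)
  {
    format_meta(&metas[i], line, sizeof line);
    fprintf(fp, "    %s\n", line);
  }
  return (int) count;
}

/* Constructed stand-in for the metas of the rule in the question (not read from
 * a compiled rule): its three string metas plus a boolean to show that type. */
int demo_question_rule(FILE* fp)
{
  static const YR_META metas[] = {
      {"author", "test", 0, META_TYPE_STRING, 0},
      {"description", "test meta display", 0, META_TYPE_STRING, 0},
      {"date", "20210522", 0, META_TYPE_STRING, 0},
      {"reviewed", NULL, 1, META_TYPE_BOOLEAN, 0},
  };
  fprintf(fp, "rule test_file\n");
  return print_metas(metas, sizeof metas / sizeof metas[0], fp);
}

#ifdef USE_LIBYARA
/* Real use: compile a rules file and walk every rule's metas with the same
 * macros the question used.  Build: cc -DUSE_LIBYARA metas.c -lyara */
int main(int argc, char** argv)
{
  YR_COMPILER* compiler = NULL;
  YR_RULES* rules = NULL;
  YR_RULE* rule;
  YR_META* meta;
  char line[512];

  if (argc != 2) { fprintf(stderr, "usage: %s rules.yar\n", argv[0]); return 2; }
  FILE* fp = fopen(argv[1], "r");
  if (fp == NULL) { perror(argv[1]); return 1; }
  yr_initialize();
  if (yr_compiler_create(&compiler) != ERROR_SUCCESS) return 1;
  if (yr_compiler_add_file(compiler, fp, NULL, argv[1]) != 0) { fprintf(stderr, "compile errors in %s\n", argv[1]); return 1; }
  fclose(fp);
  if (yr_compiler_get_rules(compiler, &rules) != ERROR_SUCCESS) return 1;
  yr_rules_foreach(rules, rule)
  {
    printf("rule %s\n", rule->identifier);
    yr_rule_metas_foreach(rule, meta)
    {
      format_meta(meta, line, sizeof line);
      printf("    %s\n", line);
    }
  }
  yr_rules_destroy(rules);
  yr_compiler_destroy(compiler);
  yr_finalize();
  return 0;
}
#endif
```

Under libyara the loop body is the only part that changes from the question: call format_meta(meta, ...) instead of printing meta->identifier alone.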


Re: Yara rule: how to detect unsupported PE file for Windows 10?

2021-03-09 Thread Wesley Shields
The string you are highlighting is not indicative of a file running on Windows 
10 or not. That string is in the DOS stub, which is executed when you try to 
run the program under DOS. Why this particular file is not running on your 
system is a different issue but it has nothing to do with that string. In fact, 
that particular string is common across all Delphi language executables. One 
option to detect it is to share a hash of the file so people can inspect it and 
see what is really going on.

-- WXS

> On Mar 9, 2021, at 7:36 AM, Unknown  wrote:
> 
> I wonder if there is a rule for detecting damaged, corrupted or unsupported 
> binary files by the Windows loader?
> 
> Sometimes a file can not be executed on Windows. 
> 
> 
> 
> Sometimes a file can not be run on Windows 10:
> 
> 
> 
> How do you think it can be done by a Yara rule to detect such broken, 
> unsupported files?
> 
> 



Re: Learning YARA - hashes not being recognized?

2021-02-22 Thread Wesley Shields
This is a decision made by YARA. The underlying code which is doing the hashing 
is OpenSSL and that outputs using lowercase. Even if we switched it to all be 
uppercase we would have users complaining that they are expecting lowercase. We 
can't please everyone, so we just have to pick one and stick to it.

-- WXS

> On Feb 22, 2021, at 11:53 AM, Jonathan Livolsi  wrote:
> 
> Hi,
> 
> Ok, so because every hashing algorithm returns hashes in all uppercase and 
> yara requires all lower case, the only solution is for the user to manually 
> go through and change all uppercase to lowercase in the hash rather than have 
> either a tolower() functionality added to the yara rules or allow yara to 
> recognize both upper and lower case characters?  I feel like the industry 
> accepted standard for all hashing algorithms is that they are always in 
> uppercase and that should be expected, not the other way around.  I mean my 
> years of being a developer supports that gut feeling.  I am genuinely 
> confused by this decision to only accept lowercase and not upper for hashes.  
> Is this a virustotal issue or just a decision in the programming for yara?
> 
> 
> Jonathan
> 
> On Mon, Feb 22, 2021 at 11:33 AM Wesley Shields wrote:
> See the warning at the top of 
> https://yara.readthedocs.io/en/stable/modules/hash.html 
> <https://yara.readthedocs.io/en/stable/modules/hash.html> - all hashes are 
> returned in lowercase.
> 
> -- WXS
> 
>> On Feb 22, 2021, at 11:30 AM, Jonathan Livolsi wrote:
>> 
>> Hi,
>> 
>> I am going through a lab to learn yara rules and have a simple problem but I 
>> am not seeing why this might be happening.  It is an online course and their 
>> support doesn't help with this kind of stuff.  I am just writing a simple 
>> rule to check the MZ bits and the file hash for MD5, SHA1, and SHA256.  
>> Nothing complicated about it.
>> 
>> In this screenshot I have in my simple yara rule a check for the first bytes 
>> of 5A4D and it works fine.  I commented out the hash checks and in the 
>> console you can see that I get a 1 returned because the rule matched.  
>> 
>> 
>> In this screenshot I uncommented the hash checks and the rule fails to 
>> match.  If I comment out the strings and the check in the conditions but 
>> leave in the hash (even just one at a time) the rule does not ever match.  
> Yet in the powershell prompt to the right I have the calculated hashes that 
>> I used in the rule.  Am I missing something?
>> 
>> 
>> Thanks for the help.
>> 
>> 
>> Jonathan
>> 
> 
> 



Re: Learning YARA - hashes not being recognized?

2021-02-22 Thread Wesley Shields
See the warning at the top of 
https://yara.readthedocs.io/en/stable/modules/hash.html - all hashes are 
returned in lowercase.

-- WXS

> On Feb 22, 2021, at 11:30 AM, Jonathan Livolsi  wrote:
> 
> Hi,
> 
> I am going through a lab to learn yara rules and have a simple problem but I 
> am not seeing why this might be happening.  It is an online course and their 
> support doesn't help with this kind of stuff.  I am just writing a simple 
> rule to check the MZ bits and the file hash for MD5, SHA1, and SHA256.  
> Nothing complicated about it.
> 
> In this screenshot I have in my simple yara rule a check for the first bytes 
> of 5A4D and it works fine.  I commented out the hash checks and in the 
> console you can see that I get a 1 returned because the rule matched.  
> 
> 
> In this screenshot I uncommented the hash checks and the rule fails to match. 
>  If I comment out the strings and the check in the conditions but leave in 
> the hash (even just one at a time) the rule does not ever match.  Yet in the 
> powershell prompt to the right I have the calculated hashes that I used in 
> the rule.  Am I missing something?
> 
> 
> Thanks for the help.
> 
> 
> Jonathan
> 



Re: Machine Learning

2021-01-11 Thread Wesley Shields
I'm far from an expert but "these samples cluster around this rule or this 
subset of rules" is far from machine learning. There's no learning there at all.

We have used YARA to extract out features from various documents (specifically 
things like RTF where you can easily count the number of different tags, their 
relative position, etc) and then used those features to train a ML model. It 
can be done, and can work well but YARA may not be the best tool in most cases.

Just labeling a cluster based upon a set of rules that match is not machine 
learning. That is just labeling.

-- WXS

> On Jan 11, 2021, at 4:51 AM, raghvendra mishra  
> wrote:
> 
> Hi Arun,
> What about using Yara rule pattern(s) as a feature, think about it. In this 
> way you can have clusters based upon family etc.
> 
> Cheers,
> --Raghvendra Mishra
> Principal Threat Researcher
> SonicWall Inc.
> Cell:- +91-8867404241
> 
> 
> On Thu, Jan 7, 2021 at 11:28 PM arun rawat wrote:
> Hi Everyone,
> 
> I am a college student working on a malware detection project.
> 
> Someone told me that "Yara rules can also be used to convert a big data set 
> in the form of clusters in machine learning " and it has a different use at 
> different platforms.
> 
> I am a bit confused, Is it true or not. 
> 
> Your advice can help a student to complete his Project.
> 
> Thank you in advance.
> 



Re: Hopefully a simple question

2020-08-10 Thread Wesley Shields
Well, assuming you put the rules in c:\Temp\yarfile.yar, no. If you didn't put 
that file there or can't explain why it's there, then it is a positive match 
you need to investigate.

-- WXS

> On Aug 10, 2020, at 9:12 PM, Michael Fry  wrote:
> 
> So does that mean it is a positive for something being detected?
> 
> On Tuesday, 11 August 2020 10:41:48 UTC+10, Wesley Shields wrote:
> The format is <rule identifier> <file name>.
> 
> In your case, YARA matched two rules on the file c:\Temp\yarfile.yar
> 
> -- WXS
> 
>> On Aug 10, 2020, at 8:33 PM, Michael Fry wrote:
>> 
>> Hi All,
>> 
>> So I have recently been asked to use Yara to scan some servers for some IOCs 
>> and I am using the command line version.
>> 
>> The yar file was provided to me.
>> 
>> I am struggling to find anything anywhere that outlines interpreting the 
>> log file. For example, if I have the below, is this indicating a type of 
>> scan using a particular yar file? Or is it indicating that it has found 
>> something?
>> 
>> webshell_embedded_jscript_evaluator c:\\Temp\yarfile.yar
>> webshell_jscript_eval c:\\Temp\yarfile.yar
>> 
>> Thanks
>> Michael
>> 



Re: Hopefully a simple question

2020-08-10 Thread Wesley Shields
The format is <rule identifier> <file name>.

In your case, YARA matched two rules on the file c:\Temp\yarfile.yar

-- WXS

> On Aug 10, 2020, at 8:33 PM, Michael Fry  wrote:
> 
> Hi All,
> 
> So I have recently been asked to use Yara to scan some servers for some IOCs 
> and I am using the command line version.
> 
> The yar file was provided to me.
> 
> I am struggling to find anything anywhere that outlines interpreting the log 
> file. For example, if I have the below, is this indicating a type of scan 
> using a particular yar file? Or is it indicating that it has found something?
> 
> webshell_embedded_jscript_evaluator c:\\Temp\yarfile.yar
> webshell_jscript_eval c:\\Temp\yarfile.yar
> 
> Thanks
> Michael
> 



Re: Issues - Win2K3 w/ PS Ver:2.0 + YARA 4.0.2

2020-07-31 Thread Wesley Shields
It looks like yara64 won't run because you have a 32-bit install of Windows, 
which can't run 64-bit binaries.

The problem with yara32 looks like it is permissions, and you don't have access 
to execute it.

Without further information this looks like it has nothing to do with YARA, and 
is a local problem.

-- WXS

> On Jul 30, 2020, at 11:33 PM, Cam Young  wrote:
> 
> Yes - these servers are on their way out (way overdue) , but we need to keep 
> them up for a few more months yet while we move websites to a 2012 stack.
> 
> Attempted to execute the yara binaries on the server this morning and was 
> returned with the following ..
> 
> C:\YARA> yara64.exe --help
> The image file C:\YARA\yara64.exe is valid, but is for a machine type other 
> than the current machine.
> 
> C:\YARA> yara32.exe --help
> Access is denied.
> 
> 
> Not sure if going backwards version wise will assist or not - and how far 
> back should I go ?
> Looking at options for this old stack.
> 
> Thanks in advance.
> 
> Cheers, Cam.
> 



Re: PE rule matches when run under yara-python but not in yara ??!

2020-07-07 Thread Wesley Shields
I can't replicate this - it does not match on 4.0.2 on my system. There is no 
rule parsing bug here - the same C code is used when compiling rules using yara 
on the command line or via python. I've had a couple of people tell me 
something weird is going on when using pip to install yara-python, especially 
if you have an older install of libyara laying around. It's almost as if it 
isn't picking up the bundled version of yara and is instead falling back to 
whatever you have laying around. You commented out the printing of the version 
in your python snippet, but just to confirm that is printing the correct 
version of yara?

To be clear, I think this is a local problem and your evaluation is possibly 
incorrect. I think the bug is that it DOES match under yara-python when it 
should not. It not matching when running yara from the command line is the 
correct behavior (I think).

-- WXS

> On Jul 7, 2020, at 2:10 PM, Wes Hurd <13hu...@gmail.com> wrote:
> 
> Hi, 
> 
> This is running with the following versions on macOS 10.14.6:
> 
> yara 4.0.2 homebrew
> 
> yara-python 4.0.2 (pip) 
> Python 3.7.7
> 
> I'm having a really weird case where a rule using pe module is unexpectedly 
> matching certain files when run under yara-python , but not matching if 
> running the yara binary directly.
> 
> Running on this PE file: 
> https://www.virustotal.com/gui/file/154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8/details
>  
> 
> "test_odd_pe_py_match.yara":
> import "pe"
> 
> rule Odd_PE_Entry_Point
> {
>     condition:
>         uint16(0) == 0x5a4d and
>         ((pe.entry_point >= pe.sections[pe.number_of_sections - 1].raw_data_offset) or
>          (not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
> }
> 
> 
> 
> Python:
> import yara
> #print(yara.__version__)
> 
> try:
>     scan = yara.compile("./test_odd_pe_py_match.yara")
> except yara.Error as e:
>     print("YARA compile error:", e)
> 
> matches = scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe")
> print(matches)
> 
> [Odd_PE_Entry_Point]
> 
> 
> yara bin:
> $ yara test_odd_pe_py_match.yara 
> 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe
> 
> $
> No matches
> 
> 
> Can someone tell what's going on here ? 
> It seems to me there is some sort of either rule parsing bug under python, or 
> race condition that causes the python run to match when the binary doesn't.
> 
> Thanks,
> 
> 



Re: Matching only fullword standalone base64 strings (ending in '==') ?

2020-07-07 Thread Wesley Shields
I don't think fullword makes sense here, given that the base64 modifiers are 
meant to work when the string you're searching for is embedded anywhere in a 
base64 encoded string. This requires that it strip some leading and trailing 
bytes. If you want to find it without this behavior just put the base64 string 
in as a literal and don't use the modifiers. A quick comment about what it is 
in decoded form will help readability.

-- WXS

> On Jul 7, 2020, at 2:34 PM, Wes Hurd <13hu...@gmail.com> wrote:
> 
> Hi again,
> 
> I'm wondering if there is a way to match Base64 strings only when they are 
> 'fullword', standalone.
> 
> For example:
> rule base64_Example
> {
>     strings:
>         $s = "setsockopt" base64 base64wide // c2V0c29ja29wdA==
>     condition:
>         $s
> }
> 
> 
> This rule will match anything containing the string "c2V0c29ja29wdA"
> What if I want it to only match on the standalone base64 string 
> "c2V0c29ja29wdA==" ? 
> Obviously I could match that string literal but I was curious if it would 
> make sense for base64 to do this, for readability and flexibility ? 
> 
> Using fullword with base64 modifiers does not seem to be supported.
> invalid modifier combination "base64 fullword"
> 
> Thank you, 
> 
>  - Wes
> 
> 

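Added example (mine, not code from this thread or from libyara) making the "strip some leading and trailing bytes" point concrete. It re-derives the three permutations that a `"..." base64` modifier searches for: the string is encoded shifted by 0, 1 and 2 bytes, and any base64 character whose six bits also depend on a byte outside the string is dropped at either end. Assumption: this picks the same characters libyara's own implementation (libyara/base64.c) strips. The "setsockopt" permutations and the two encoded inputs in main() are constructed here. base64_match_shift() then shows why fullword has no meaning for the modifier: a permutation matches inside a longer base64 blob just as readily as it matches the standalone "c2V0c29ja29wdA==", which is exactly the case a plain literal with its padding (plus a comment with the decoded text) handles.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Plain base64 without '=' padding; returns the number of characters written. */
static size_t b64_encode(const uint8_t* in, size_t len, char* out)
{
  size_t o = 0;
  for (size_t i = 0; i < len; i += 3)
  {
    uint32_t v = (uint32_t) in[i] << 16;
    if (i + 1 < len) v |= (uint32_t) in[i + 1] << 8;
    if (i + 2 < len) v |= in[i + 2];
    out[o++] = B64[(v >> 18) & 63];
    out[o++] = B64[(v >> 12) & 63];
    if (i + 1 < len) out[o++] = B64[(v >> 6) & 63];
    if (i + 2 < len) out[o++] = B64[v & 63];
  }
  out[o] = '\0';
  return o;
}

#define MAX_NEEDLE 255
#define PERM_BUF (4 * ((MAX_NEEDLE + 2 + 2) / 3) + 1) /* room for any permutation */

/* The permutation of `s` for a byte shift of 0, 1 or 2.  Writes a NUL-terminated
 * string into `out` (PERM_BUF bytes) and returns its length, 0 on bad input. */
size_t base64_permutation(const uint8_t* s, size_t len, int shift, char* out)
{
  uint8_t shifted[MAX_NEEDLE + 2];
  char enc[PERM_BUF];
  if (len == 0 || len > MAX_NEEDLE || shift < 0 || shift > 2) return 0;
  memset(shifted, 0, (size_t) shift);          /* zero bytes stand in for the unknown prefix */
  memcpy(shifted + shift, s, len);
  size_t n = b64_encode(shifted, len + shift, enc);
  /* Leading characters that carry bits of the prefix: shift 0 -> none,
   * shift 1 -> 2 characters, shift 2 -> 3 characters. */
  size_t lead = shift == 0 ? 0 : (shift == 1 ? 2 : 3);
  /* If the last 3-byte group is incomplete, its final character also encodes
   * bits of whatever byte follows the string, so it is dropped as well. */
  size_t tail = (len + shift) % 3 != 0 ? 1 : 0;
  size_t keep = n - lead - tail;
  memcpy(out, enc + lead, keep);
  out[keep] = '\0';
  return keep;
}

static int contains(const uint8_t* hay, size_t hlen, const char* needle, size_t nlen)
{
  if (nlen == 0 || nlen > hlen) return 0;
  for (size_t i = 0; i + nlen <= hlen; i++)
    if (memcmp(hay + i, needle, nlen) == 0) return 1;
  return 0;
}

/* What `$s = "<needle>" base64` matches: any of the three permutations appearing
 * anywhere in the data.  Returns the shift (0..2) that matched, or -1. */
int base64_match_shift(const uint8_t* data, size_t dlen, const char* needle)
{
  char perm[PERM_BUF];
  for (int shift = 0; shift < 3; shift++)
  {
    size_t n = base64_permutation((const uint8_t*) needle, strlen(needle), shift, perm);
    if (n > 0 && contains(data, dlen, perm, n)) return shift;
  }
  return -1;
}

int main(void)
{
  /* Constructed inputs: the standalone encoding of "setsockopt", and the
   * encoding of "AAsetsockoptZ", where "setsockopt" sits 2 bytes misaligned. */
  const char* standalone = "c2V0c29ja29wdA==";
  const char* embedded = "QUFzZXRzb2Nrb3B0Wg==";
  char perm[PERM_BUF];
  for (int shift = 0; shift < 3; shift++)
  {
    base64_permutation((const uint8_t*) "setsockopt", 10, shift, perm);
    printf("shift %d: %s\n", shift, perm);
  }
  printf("standalone -> shift %d\n",
         base64_match_shift((const uint8_t*) standalone, strlen(standalone), "setsockopt"));
  printf("embedded   -> shift %d\n",
         base64_match_shift((const uint8_t*) embedded, strlen(embedded), "setsockopt"));
  return 0;
}
```

The shift-0 permutation is "c2V0c29ja29wd", one character shorter than the padded literal: the trailing "A" of "c2V0c29ja29wdA==" depends on the byte after "setsockopt", so the modifier cannot keep it, and the same reasoning removes anything fullword could anchor on.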


Re: PE module: 'not' logic conditions will match on non-PE files - should pe functions first check if file is PE ?

2020-07-01 Thread Wesley Shields
This is likely due to the change made recently where comparing with UNDEFINED 
values now evaluates to false. It used to evaluate to UNDEFINED.

> But shouldn't pe module conditions check first if the file is a PE header or 
> valid base PE, then fail if the file isn't ?

Functions in the pe module do check if they are accessing UNDEFINED fields and 
return UNDEFINED accordingly. This is the behavior of things like 
"pe.exports()" and others. In your case you have a couple of things going on...

1) You are using "pe.section_index()" which will return UNDEFINED on a non-PE 
file. This means you are accessing pe.sections[UNDEFINED] which is also 
UNDEFINED.

2) You are then accessing the name attribute of an UNDEFINED value which is 
also resulting in an UNDEFINED value.

3) You end up with 'not UNDEFINED contains ".text"' which as of a somewhat 
recent change evaluates to "not false".

This is all because of a recent change where comparisons (including contains) 
with UNDEFINED values result in false.

It's arguable that this is the right change (and to be honest, I don't remember 
why it was changed) but one thing you can do is prefix your condition with 
"pe.is_pe and ..."

-- WXS

> On Jul 1, 2020, at 2:34 PM, Wes Hurd <13hu...@gmail.com> wrote:
> 
> Hi,
> 
> Wanted to post here before raising an issue on github project:
> 
> To reproduce:
> import "pe"
> 
> rule pe_on_nonpe
> {
> condition:
>   not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
> }
> 
> 
> 
> Run on non-PE file (e.g. Excel document zip)
> yara pe_on_nonpe.yara excel_doc.xlsx
> The rule matches on non-PE files
> 
> But shouldn't pe module conditions check first if the file is a PE header or 
> valid base PE, then fail if the file isn't ? 
> So pe.sections implies the file is PE, does check for valid PE first 
> 
> Regards,
> 
> 



Re: Match On Export Directory Name

2019-06-28 Thread Wesley Shields
OK, that makes a bit more sense. I see what you want to do now, and there is no 
easy way to do it that I'm aware of, but there is a rather cumbersome way to do 
it.

import "pe"

rule a {
  strings:
    $pilot = "pilot.dll"
  condition:
    $pilot at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}

This will check if pilot.dll is in the appropriate spot.

We currently don't expose that field in the pe module. I am working on some 
improvements to export and import parsing and can probably include this in 
there too, but no promises if it will be accepted. :)

-- WXS

> On Jun 27, 2019, at 10:20 AM, Schrodinger  wrote:
> 
> Sorry for the confusion, I think I worded things incorrectly in my original 
> post. The Export Table name, not an exported function.
> 
> https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#export-directory-table
> 
> In the Export Table there is the name of the module itself. "The address of 
> the ASCII string that contains the name of the DLL. This address is relative 
> to the image base." I'd like to use Yara to find samples with the same Export 
> name, not the name of an exported function.
> 
> Cheers,
> Schrodinger.
> 
> On Thursday, June 27, 2019 at 12:40:03 AM UTC+1, Wesley Shields wrote:
> Not sure where you got "pilot.dll" from but the file you referenced has one 
> export by name and that is MSOProtect. 
> 
> -- WXS 
> 
> > On Jun 26, 2019, at 7:04 PM, Schrodinger  wrote: 
> > 
> > Doesn't seem to work for me. Just trying a simple rule. 
> > 
> > import "pe" 
> > 
> > rule export_name 
> > { 
> > condition: 
> > uint16(0) == 0x5A4D 
> > and 
> > pe.exports("pilot.dll") 
> > } 
> > 
> > Sample I tested with d5c679df69751936d0fa380f2e4bf017 can provide the 
> > sample if you need. 
> > 
> > Cheers. 
> > 
> > On Wednesday, June 26, 2019 at 2:00:47 AM UTC+1, Wesley Shields wrote: 
> > For now you can do: pe.exports("pilot.dll"). 
> > 
> > -- WXS 
> > 
> > > On Jun 25, 2019, at 6:21 PM, Schrodinger  wrote: 
> > > 
> > > Hi everyone, 
> > > 
> > > I was wondering if there is a way to perform matching on the name in the 
> > > DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python 
> > > pefile module: 
> > > 
> > > In [32]: pe.DIRECTORY_ENTRY_EXPORT.name 
> > > Out[32]: 'pilot.dll' 
> > > 
> > > Cheers, 
> > > Schrodinger. 
> > > 
> 
> 
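Added example (mine, not code from this thread or from the YARA project) that does in C what the rule above does in one expression, so the chain of lookups is visible: export directory RVA to file offset, read the Name RVA at +12 (the field the linked PE format page describes), convert that to an offset, read the string. rva_to_offset() here is a simplified stand-in for pe.rva_to_offset() (section table only, SizeOfRawData as each section's extent, no header region). build_sample_pe() constructs a minimal PE32 image in memory whose export directory name is "pilot.dll"; it is not a real binary and exists only so the code runs stand-alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t* p) { return (uint16_t) (p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t* p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8) | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}
static void wr16(uint8_t* p, uint16_t v) { p[0] = (uint8_t) v; p[1] = (uint8_t) (v >> 8); }
static void wr32(uint8_t* p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t) (v >> (8 * i)); }

#define BAD_OFFSET ((size_t) -1)

/* RVA -> file offset through the section table.  Simplified stand-in for
 * pe.rva_to_offset(); the caller has already validated the PE header. */
size_t rva_to_offset(const uint8_t* f, size_t flen, uint32_t rva)
{
  const uint8_t* pe = f + rd32(f + 0x3c);
  uint16_t nsec = rd16(pe + 6);                 /* NumberOfSections */
  const uint8_t* sec = pe + 24 + rd16(pe + 20); /* first section header */
  for (uint16_t i = 0; i < nsec; i++, sec += 40)
  {
    if ((size_t) (sec - f) + 40 > flen) return BAD_OFFSET;
    uint32_t va = rd32(sec + 12), raw_size = rd32(sec + 16), raw_ptr = rd32(sec + 20);
    if (rva >= va && rva - va < raw_size) return raw_ptr + (rva - va);
  }
  return BAD_OFFSET;
}

/* The DLL name recorded in the export directory (IMAGE_EXPORT_DIRECTORY.Name,
 * 12 bytes in), or NULL if the buffer is not a PE or has no usable export table. */
const char* pe_export_dll_name(const uint8_t* f, size_t flen)
{
  if (flen < 0x40 || rd16(f) != 0x5a4d) return NULL;
  uint32_t e_lfanew = rd32(f + 0x3c);
  if (e_lfanew > flen || flen - e_lfanew < 24 + 120 || rd32(f + e_lfanew) != 0x00004550) return NULL;
  const uint8_t* opt = f + e_lfanew + 24;
  size_t dir = rd16(opt) == 0x20b ? 112 : 96;  /* data directories: PE32+ vs PE32 */
  uint32_t exp_rva = rd32(opt + dir), exp_size = rd32(opt + dir + 4);
  if (exp_rva == 0 || exp_size < 40) return NULL;
  size_t exp_off = rva_to_offset(f, flen, exp_rva);
  if (exp_off == BAD_OFFSET || exp_off > flen - 40) return NULL;
  size_t name_off = rva_to_offset(f, flen, rd32(f + exp_off + 12));
  if (name_off == BAD_OFFSET || name_off >= flen) return NULL;
  /* Only hand back the string if its terminator lies inside the file. */
  if (memchr(f + name_off, '\0', flen - name_off) == NULL) return NULL;
  return (const char*) (f + name_off);
}

/* Constructed minimal PE32 image with one section and an export directory whose
 * Name RVA points at "pilot.dll".  Not a runnable program; just enough header
 * structure for the parser above to walk.  Returns the image size. */
size_t build_sample_pe(uint8_t* f, size_t cap)
{
  const size_t total = 0x400;
  if (cap < total) return 0;
  memset(f, 0, total);
  f[0] = 'M'; f[1] = 'Z';
  wr32(f + 0x3c, 0x80);             /* e_lfanew */
  memcpy(f + 0x80, "PE\0\0", 4);
  wr16(f + 0x86, 1);                /* NumberOfSections */
  wr16(f + 0x94, 0xe0);             /* SizeOfOptionalHeader (PE32) */
  uint8_t* opt = f + 0x98;
  wr16(opt, 0x10b);                 /* PE32 magic */
  wr32(opt + 96, 0x1000);           /* export directory RVA */
  wr32(opt + 100, 0x40);            /* export directory size */
  uint8_t* sec = opt + 0xe0;        /* first section header */
  memcpy(sec, ".edata", 6);
  wr32(sec + 8, 0x200);             /* VirtualSize */
  wr32(sec + 12, 0x1000);           /* VirtualAddress */
  wr32(sec + 16, 0x200);            /* SizeOfRawData */
  wr32(sec + 20, 0x200);            /* PointerToRawData */
  wr32(f + 0x200 + 12, 0x1028);     /* IMAGE_EXPORT_DIRECTORY.Name -> RVA 0x1028 */
  memcpy(f + 0x228, "pilot.dll", 10); /* file offset of RVA 0x1028 */
  return total;
}

int main(void)
{
  uint8_t img[0x400];
  build_sample_pe(img, sizeof img);
  const char* name = pe_export_dll_name(img, sizeof img);
  printf("export directory name: %s\n", name ? name : "(none)");
  return 0;
}
```

The three NULL returns map onto how the rule degrades: on a non-PE or a file with no export table pe.rva_to_offset() is undefined, so `$pilot at <undefined>` simply does not match.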


Re: Match On Export Directory Name

2019-06-26 Thread Wesley Shields
Not sure where you got "pilot.dll" from but the file you referenced has one 
export by name and that is MSOProtect.

-- WXS

> On Jun 26, 2019, at 7:04 PM, Schrodinger  wrote:
> 
> Doesn't seem to work for me. Just trying a simple rule.
> 
> import "pe"
> 
> rule export_name
> {
> condition:
> uint16(0) == 0x5A4D
> and
> pe.exports("pilot.dll")
> }
> 
> Sample I tested with d5c679df69751936d0fa380f2e4bf017 can provide the sample 
> if you need.
> 
> Cheers.
> 
> On Wednesday, June 26, 2019 at 2:00:47 AM UTC+1, Wesley Shields wrote:
> For now you can do: pe.exports("pilot.dll"). 
> 
> -- WXS 
> 
> > On Jun 25, 2019, at 6:21 PM, Schrodinger  wrote: 
> > 
> > Hi everyone, 
> > 
> > I was wondering if there is a way to perform matching on the name in the 
> > DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python 
> > pefile module: 
> > 
> > In [32]: pe.DIRECTORY_ENTRY_EXPORT.name 
> > Out[32]: 'pilot.dll' 
> > 
> > Cheers, 
> > Schrodinger. 
> > 


Re: Match On Export Directory Name

2019-06-25 Thread Wesley Shields
For now you can do: pe.exports("pilot.dll").

-- WXS

> On Jun 25, 2019, at 6:21 PM, Schrodinger  wrote:
> 
> Hi everyone,
> 
> I was wondering if there is a way to perform matching on the name in the 
> DIRECTORY_ENTRY_EXPORT in a Portable Executable. Example from the Python 
> pefile module:
> 
> In [32]: pe.DIRECTORY_ENTRY_EXPORT.name
> Out[32]: 'pilot.dll'
> 
> Cheers,
> Schrodinger.
> 


Re: Yara configure statically with modules

2019-05-03 Thread Wesley Shields
What about:

./configure --enable-static --enable-cuckoo --enable-magic --enable-dotnet

-- WXS

> On May 3, 2019, at 5:22 AM, Shakarim Utepbergenov 
>  wrote:
> 
> Hello guys, I need to build an executable binary file on Ubuntu 18.04.
> I've tried configuring with static libs:
> ./configure --enable-cuckoo --enable-magic --enable-dotnet LDFLAGS="-static" 
> and got some errors.
> Does anyone have experience in building statics?
> 


Re: YARA rule to search for a file with a certain name

2018-11-12 Thread Wesley Shields
Filename is not something YARA knows about, nor should it IMO. The filename is 
a property of the filesystem upon which the file resides, and has no bearing on 
the content of the file. If you want to use filename in your rule you have to 
pass it in as an external variable. Check out 
https://github.com/VirusTotal/yara/issues/202 for more details.

-- WXS

> On Nov 12, 2018, at 7:21 AM, Michael Herren  wrote:
> 
> Hello
> 
> Please be gentle with me. I am new to YARA and the writing of such rules. I 
> am planning to write a set of YARA rules each describing an IOC. A very 
> simple IOC is the existence of a certain file. I was searching the net for a 
> rule which checks if a file with a certain name exists, but all examples I 
> found do not work on my computer. This could be due to my lack of knowledge 
> or the fact that such a function does not exist.
> 
> Can anyone please help?
> 
> Kind Regards
> Michael
> 
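A worked version of what Wesley describes, added here and not part of the thread or of YARA itself: the scanner hands the file name to yara-python as an external variable, and the rule tests that variable instead of file content. The rule source, the external's name (`filename`) and the helper names are constructed for this illustration.

```python
import os

# Added example, not code from the thread or from YARA. YARA only sees file
# content, so the scanner has to hand the name in as an external variable.
# The rule below is constructed for illustration.

RULES = r'''
rule dropped_svchost_lookalike
{
    meta:
        description = "Name-based IOC; the name comes from the external variable 'filename'"
    condition:
        // case-insensitive match on the name the scanner passed in
        filename matches /^svchost\.exe$/i
}
'''


def externals_for(path):
    """External variables for one file. Keys must match the identifiers used in the rules."""
    return {"filename": os.path.basename(path)}


def scan(paths, rules_source=RULES):
    """Compile once, then match each file with its own 'filename' value."""
    import yara  # yara-python; imported here so externals_for() is usable without it

    # Every external must be declared at compile time with a value of the right
    # type (a string here); a rule that references an undeclared identifier is a
    # compile error. The per-file value is then supplied at match time.
    rules = yara.compile(source=rules_source, externals={"filename": ""})
    hits = {}
    for path in paths:
        matches = rules.match(path, externals=externals_for(path))
        if matches:
            hits[path] = [m.rule for m in matches]
    return hits


if __name__ == "__main__":
    import sys
    for path, rule_names in scan(sys.argv[1:]).items():
        print(path, rule_names)
```

The command-line equivalent is to define the variable per file, for example `yara -d filename="$(basename "$f")" rules.yar "$f"` inside a loop; either way the name never comes from the file itself, so a renamed copy of the same bytes will not match.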


Re: './configure --dotnet' doesn't work - 'import dotnet' returns error

2018-11-07 Thread Wesley Shields
It should be --enable-dotnet

-- WXS

On Wed, Nov 7, 2018 at 2:09 PM  wrote:

>
> Newbie question - The instructions to get .net rules appear to be
> straight-forward, but it doesn't appear to be working.
>
>
> I've followed the install and configure instructions:
>
> ./bootstrap.sh
> ./configure --dotnet
> make
> make install
>
> ar -t /usr/local/lib/libyara.a shows dotnet.o in libyara.a
>
> However, when I try to compile a rule in a file that just has "import
> dotnet" at the top, I get compiler error no. 34, which I believe is
> "ERROR_UNKNOWN_MODULE".
>
>   compiler->last error is 34
>   compiler->last_error_extra_info is do
>   compiler->last_error_line is 1  [the line that says "import dotnet"]
>
> Code is
>
> #include <stdio.h>
> #include <yara.h>
>
> /* YARA_CHAT_RULE: path to the rule file, defined elsewhere in the poster's code */
>
> int  main(int argc, char **argv) {
>
>   int result = 0;
>   YR_COMPILER *comp_ctx = NULL;
>
>   /* Initialize libyara */
>   result = yr_initialize(); /* returns int */
>   printf("initialize result: %d\n",result);
>
>   /* Create new compiler instance. */
>   result = yr_compiler_create(&comp_ctx);
>   printf("compiler instance: %d\n",result);
>
>   /* Load rule file, and compile it. */
>   FILE *rule = fopen(YARA_CHAT_RULE, "r");
>   if (rule == NULL) {
>     perror(YARA_CHAT_RULE);
>     return 1;
>   }
>   result = yr_compiler_add_file(comp_ctx, rule, NULL, YARA_CHAT_RULE);
>   printf("compile error on entry : error no.: %d\n",comp_ctx->last_error);
>   printf("compile error on entry : error info: %s\n",comp_ctx->last_error_extra_info);
>   printf("compile error on entry : error line: %d\n",comp_ctx->last_error_line);
>   printf("no. compile errors: %d\n", result);
>
>  
>
> Creating the compiler returns 0
>
> Any reason why I can't get the dotnet module to be recognized?
> I'm on Centos Linux version 3.10.0-862.14.4.el7.x86_64 (gcc version 4.8.5
> 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Wed Sep 26 15:12:11 UTC 2018
> Yara version is 3.8.1
>


Re: error: syntax error, unexpected '=', expecting _STRING_IDENTIFIER_

2018-03-18 Thread Wesley Shields
The inner quotes are not escaped.

-- WXS

On Sun, Mar 18, 2018 at 8:24 PM  wrote:

> Hi
>
> I ran this rule while learning:
> echo "rule a { strings: $h = "arnav" condition: $h } > a
>
> but when I run
> yara a a
>
> it gives me this error:
> error: syntax error, unexpected '=', expecting _STRING_IDENTIFIER_
>
> I can't figure out what's wrong.
>


Re: Using module_callback more than once

2018-03-13 Thread Wesley Shields
This should show you what is going on:

>>> f = open('/bin/ls')
>>> data = f.read()
>>> f.close()
>>> import yara
>>> rules = yara.compile(source='import "pe" rule a { condition: false }')
>>> def foo(data):
... global resources
... resources = data.get('number_of_resources')
...
>>> resources = 0
>>> rules.match(data=data, modules_callback=foo)
[]
>>> print resources
None
>>> f = open('/Users/wxs/malware/test.exe')
>>> data = f.read()
>>> f.close()
>>> rules.match(data=data, modules_callback=foo)
[]
>>> print resources
23
>>>

When I feed it a file that is not a PE file the number_of_resources key in the 
data dictionary doesn't exist so attempting to call .get() on it returns None.

-- WXS

> On Mar 13, 2018, at 4:00 PM, Matan Bachar  wrote:
> 
>  Hello everyone
> I am doing a yara-python project and I'm using this technique to get 
> information about PE files:
> 
> My problem is when I'm using this technique more than one time it's 
> not working. It just returns 'None' instead of the value it should return.
> Every time I use this technique only one time it's working no matter what...
>  
> 


Re: Getting information about PE using yara-python

2018-03-12 Thread Wesley Shields
Sure, I've been using it to unpack and handle config blocks from .NET binaries 
using this technique:

https://gist.github.com/wxsBSD/1e518cef545fee7bb991a9dc6c14a0f7

Substitute the dotnet module for the pe module and you will get access to all 
the information exposed via the PE module (you won't get things that require 
function calls like imports and exports though).

-- WXS

> On Mar 12, 2018, at 12:49 PM, Matan Bachar  wrote:
> 
> Is there a way to get information about PE file using yara-python command 
> directly or indirectly? (section number,timestamp etc)
> 


Re: Yara-python and Warning for RegEx Resonable Value for N

2018-02-23 Thread Wesley Shields
You will need to provide an example. Please include the rule and exact commands 
and outputs you're getting when running things. Also, please include versions 
of things you're using.

-- WXS

> On Feb 23, 2018, at 9:47 AM, Binaries 4 Breakfast 
>  wrote:
> 
> Sorry, this was Yarac, but perhaps also with Yara-python.
> 
> On Friday, February 23, 2018 at 8:45:31 AM UTC-6, Binaries 4 Breakfast wrote:
> Folks, I recently found that a yara-python rule compilation will hang when 
> returning the Warning regarding a regex for a reasonable value of N, but not 
> in stand-alone Yara. Is this a bug?
> 
> -JD
> 


Re: Yara-python and Warning for RegEx Resonable Value for N

2018-02-23 Thread Wesley Shields
Can you share the rule and the version of YARA you're using? If true it is a 
bug but I suspect it isn't true. I think you may have a local problem.

-- WXS

> On Feb 23, 2018, at 9:45 AM, Binaries 4 Breakfast 
>  wrote:
> 
> Folks, I recently found that a yara-python rule compilation will hang when 
> returning the Warning regarding a regex for a reasonable value of N, but not 
> in stand-alone Yara. Is this a bug?
> 
> -JD
> 


Re: problem compiling yara rules downloaded from yara-rules repository also doing this in Python2.7 using yara-python

2018-02-05 Thread Wesley Shields
The first one is because you don't have the androguard module compiled. The 
second one is because you don't have the cuckoo module compiled. The androguard 
requirement, which isn't part of YARA (yet?), is documented in their README. 
The cuckoo module can be enabled with ./configure --enable-cuckoo and 
rebuilding YARA.

-- WXS

> On Feb 4, 2018, at 3:57 PM, Yash Patel  wrote:
> 
> these are the errors I'm getting
> 
> Also, How are you doing? THANK YOU! :-) 
> 


Re: Are raw files necessary for Yara? Can the outputs of "strings" be fed to the yara processor?

2017-11-15 Thread Wesley Shields
You could do that. You would lose any capabilities based upon most of the 
modules (PE, elf, etc). The math module would still work but I'm not sure how 
relevant it would be. More importantly I'm not sure what doing this would get 
you that running YARA on the original files wouldn't also get you, with none of 
the loss of capabilities.

-- WXS

> On Nov 14, 2017, at 7:09 PM, plagu...@gmail.com wrote:
> 
> I understand that some tweaking might be necessary to the yara processor, but 
> I am wondering if something like this would be possible.
> 
> If in the past I had stored the "strings" output of a particular file, could 
> I pump that into a modified yara processor and have everything work? Are 
> there some things that wouldn't work?
> 
> 
> 


Re: Yara not using global rules

2017-08-17 Thread Wesley Shields
Ok, so it isn’t a question of incorrect matching like you originally said.
It is really a question of searching a file even if it doesn’t pass the
global rules. This is a misunderstanding I sometimes see. All strings are
collected and searched for in a single pass, then global rules are
evaluated.

-- WXS

On Thu, Aug 17, 2017 at 6:49 AM necrophcodr <tcg.thega...@gmail.com> wrote:

> Alright, I've solved the issue:
>
> Albeit this is synthetic, running
>
> ```
> for f in $(seq 0 100); do printf "\n\n\n\n\n\n\n\n\n\n" >> text.txt;
> done
> ```
>
> And then
>
> ```
> yara inc.yar .
> ```
>
> In the directory with the yara files, yields, on my test system:
>
> ./misc.yar(9): warning: $newline is slowing down scanning (critical!)
> fsL ./inc.yar
> fsL ./global.yar
> fsL ./misc.yar
> error scanning ./text.txt: internal error: 30
>
>
> And while using the newline scan is not a great idea, clearly the file is
> still being scanned in one way or another, in spite of the global rule.
>
>
> Den torsdag den 17. august 2017 kl. 12.24.11 UTC+2 skrev necrophcodr:
>>
>> I'm afraid I cannot post the exact files. I'll create a working
>> environment that replicates all the variables required, and I'll post it
>> here when I've gotten this done.
>>
>> Den onsdag den 16. august 2017 kl. 16.31.35 UTC+2 skrev Wesley Shields:
>>>
>>> I still can not replicate your problem.
>>>
>>> A couple of things to note however:
>>>
>>> "internal error: 30" is because there are too many matches, which
>>> happens when a single string matches too many times. It has nothing to do
>>> with file size like you guessed.
>>>
>>> Your "newline_one" rule is marked as private so it should never be
>>> reported.
>>>
>>> At this point I can not replicate your problem so I'm curious if you
>>> could zip up the files you're using to do this and post them somewhere for
>>> me to see them exactly? I would need your exact YARA rules and the file you
>>> are scanning.
>>>
>>> -- WXS
>>>
>>> > On Aug 16, 2017, at 5:51 AM, necrophcodr <tcg.th...@gmail.com> wrote:
>>> >
>>> > Alright, so I've returned with a result:
>>> >
>>> > If I have `~/inc.yar` with the following content:
>>> >
>>> > ```
>>> > include "./global.yar"
>>> > include "./misc.yar"
>>> > ```
>>> >
>>> > And the content of these files respectively:
>>> >
>>> > ```
>>> > global rule fsL { condition: filesize < 8MB }
>>> > ```
>>> >
>>> > And
>>> >
>>> > ```
>>> > private rule newline_one {
>>> > meta:
>>> > description = "Files that contain one newline"
>>> > author = "Steffen Rytter Postas"
>>> >
>>> > strings:
>>> > $newline = "\n"
>>> >
>>> > condition:
>>> > ( #newline == 1 )
>>> > }
>>> > ```
>>> >
>>> > Then the issue prevails.
>>> >
>>> > Note that this requires an actually large file that contains newlines.
>>> Doing `dd if=/dev/zero bs=4M count=250 of=file.bin` and scanning that won't
>>> yield usable results.
>>> >
>>> > Den onsdag den 16. august 2017 kl. 11.43.17 UTC+2 skrev necrophcodr:
>>> > Hi Wesley,
>>> >
>>> > Sorry for the late reply, vacations and all.
>>> >
>>> > So first and foremost:
>>> >
>>> > `yara -v`
>>> > yara 3.5.0
>>> >
>>> > The files getting scanned are reporting ` internal error: 30` which
>>> I'm reading to be due to files being too large. These files are often
>>> larger than 500MB too, well above the 8MB margin.
>>> >
>>> > I've attempted to replicate it using my own instructions, coupled with
>>> your misc.yar, and the result is that it works just fine.
>>> >
>>> > So I'm guessing the issue is with my own setup, and I'll continue
>>> evaluating the specifics and return with a response when I've found the
>>> culprit.
>>> >
>>> > Den mandag den 7. august 2017 kl. 16.06.59 UTC+2 skrev Wesley Shields:
>>> > I can't replicate this behavior using 3.5.0 or latest master.
>>

Re: Yara not using global rules

2017-08-16 Thread Wesley Shields
I still can not replicate your problem.

A couple of things to note however:

"internal error: 30" is because there are too many matches, which happens when 
a single string matches too many times. It has nothing to do with file size 
like you guessed.

Your "newline_one" rule is marked as private so it should never be reported.

At this point I can not replicate your problem so I'm curious if you could zip 
up the files you're using to do this and post them somewhere for me to see them 
exactly? I would need your exact YARA rules and the file you are scanning.

-- WXS

> On Aug 16, 2017, at 5:51 AM, necrophcodr <tcg.thega...@gmail.com> wrote:
> 
> Alright, so I've returned with a result:
> 
> If I have `~/inc.yar` with the following content:
> 
> ```
> include "./global.yar"
> include "./misc.yar"
> ```
> 
> And the content of these files respectively:
> 
> ```
> global rule fsL { condition: filesize < 8MB }
> ```
> 
> And
> 
> ```
> private rule newline_one {
> meta:
> description = "Files that contain one newline"
> author = "Steffen Rytter Postas"
> 
> strings:
> $newline = "\n"
> 
> condition:
> ( #newline == 1 )
> }
> ```
> 
> Then the issue prevails.
> 
> Note that this requires an actually large file that contains newlines. Doing 
> `dd if=/dev/zero bs=4M count=250 of=file.bin` and scanning that won't yield 
> usable results.
> 
> Den onsdag den 16. august 2017 kl. 11.43.17 UTC+2 skrev necrophcodr:
> Hi Wesley,
> 
> Sorry for the late reply, vacations and all.
> 
> So first and foremost: 
> 
> `yara -v`
> yara 3.5.0
> 
> The files getting scanned are reporting ` internal error: 30` which I'm 
> reading to be due to files being too large. These files are often larger than 
> 500MB too, well above the 8MB margin.
> 
> I've attempted to replicate it using my own instructions, coupled with your 
> misc.yar, and the result is that it works just fine.
> 
> So I'm guessing the issue is with my own setup, and I'll continue evaluating 
> the specifics and return with a response when I've found the culprit.
> 
> Den mandag den 7. august 2017 kl. 16.06.59 UTC+2 skrev Wesley Shields:
> I can't replicate this behavior using 3.5.0 or latest master. 
> 
> wxs@wxs-mbp yara % cat foo 
> include "./global.yar" 
> include "./misc.yar" 
> wxs@wxs-mbp yara % cat global.yar 
> global rule fileSizeLimit { condition: filesize < 1KB } 
> wxs@wxs-mbp yara % cat misc.yar 
> rule foo { condition: true } 
> wxs@wxs-mbp yara % ls -l /bin/ls 
> -rwxr-xr-x  1 root  wheel  38624 Jul 15 00:29 /bin/ls* 
> wxs@wxs-mbp yara % ./yara foo /bin/ls 
> wxs@wxs-mbp yara % 
> 
> When you say regardless of file size are you sure you're above the 8MB? Keep 
> in mind that 8MB is 8 * 1048576, which is 8388608. 
> 
> -- WXS 
> 
> > On Jul 28, 2017, at 7:01 AM, necrophcodr <tcg.th...@gmail.com> wrote: 
> > 
> > So I've got quite a few rules, but it all comes down to this: 
> > 
> > include "./rules/global.yar" 
> > include "./rules/misc.yar" 
> > 
> > 
> > The global.yar file contains 
> > 
> > global rule fileSizeLimit { condition: filesize < 8MB } 
> > 
> > 
> > Any rule defined in rules/misc.yar are matched regardless of file size, but 
> > this is not what I intend. What am I doing wrong here? 
> > 
> > If this is not the right place to post, that's alright, feel free to slap 
> > me on the wrist and direct me to the correct location. 
> > 
> > edit: 
> > 
> > I should mention this is using Yara 3.5.0. I don't have a chance to upgrade 
> > this within the week. 
> > 
> > 


Re: Yara not using global rules

2017-08-07 Thread Wesley Shields
I can't replicate this behavior using 3.5.0 or latest master.

wxs@wxs-mbp yara % cat foo
include "./global.yar"
include "./misc.yar"
wxs@wxs-mbp yara % cat global.yar
global rule fileSizeLimit { condition: filesize < 1KB }
wxs@wxs-mbp yara % cat misc.yar
rule foo { condition: true }
wxs@wxs-mbp yara % ls -l /bin/ls
-rwxr-xr-x  1 root  wheel  38624 Jul 15 00:29 /bin/ls*
wxs@wxs-mbp yara % ./yara foo /bin/ls
wxs@wxs-mbp yara %

When you say regardless of file size are you sure you're above the 8MB? Keep in 
mind that 8MB is 8 * 1048576, which is 8388608.

-- WXS

> On Jul 28, 2017, at 7:01 AM, necrophcodr  wrote:
> 
> So I've got quite a few rules, but it all comes down to this:
> 
> include "./rules/global.yar"
> include "./rules/misc.yar" 
> 
> 
> The global.yar file contains
> 
> global rule fileSizeLimit { condition: filesize < 8MB }
> 
> 
> Any rule defined in rules/misc.yar are matched regardless of file size, but 
> this is not what I intend. What am I doing wrong here?
> 
> If this is not the right place to post, that's alright, feel free to slap me 
> on the wrist and direct me to the correct location.
> 
> edit:
> 
> I should mention this is using Yara 3.5.0. I don't have a chance to upgrade 
> this within the week.
> 
> 


Re: yara python callback function , slow performance

2017-05-17 Thread Wesley Shields
Based upon my understanding I don't think this is expected behavior. Can you 
share a minimal proof of concept which shows this happening?

-- WXS

> On May 17, 2017, at 8:18 AM, tofbaas...@gmail.com wrote:
> 
> Hello again , 
> 
> I'm using yara-python to match rules against a lot of files. The problem is 
> when the number of files gets big the performance is really horrible.
> 
> When doing some profiling I noticed that when running 12319 files against 
> about 1000 to 1500 rules the yara callback function gets called 151991822 
> times?
> Does the callback function get called for each matching string of a rule? 
> In my test I only had 28 matches so it's not that I'm doing any heavy lifting 
> if there's a match.
> Is there anything I can do about this, or is this behaviour to be expected 
> with this number of files? I haven't compared against native yara yet...
> 
> Thank you
> 
> 


Re: determining which strings causes a rule to fail

2016-11-21 Thread Wesley Shields
What about this:

wxs@wxs-mbp yara % cat foo
foo
wxs@wxs-mbp yara % cat bar
rule test {
  strings:
$a = "foo"
$b = "bar"
  condition:
all of them
}
wxs@wxs-mbp yara % ./yara -ns bar foo
test foo
0x0:$a: foo
wxs@wxs-mbp yara %

This prints all rules that DO NOT match and the strings in them that DO match 
(and by process of elimination the strings that DO NOT match are the ones left 
over). Keep in mind though that strings are not the only things that can cause 
a condition to evaluate to false.

-- WXS

> On Nov 17, 2016, at 10:03 AM, John Davison  wrote:
> 
> Hey there,
> 
> We often run other people's rules, and at times when we scan larger files we 
> get "internal error: 30" which indicates that yara matched too many strings 
> and basically ran out of room.
> 
> The question that naturally follows is "which string in which rule caused the 
> problem?"  That's hard to figure out because the files we load often have 
> dozens of rules with lots of strings.
> 
> It would be helpful if there was an option that listed the top N strings in 
> order of how many times they matched (and what rule they're in), in 
> descending order.
> 
> Does this functionality exist in other ways?  If not, then could someone 
> point me in what areas of the source code I need to look at to accomplish 
> this?  Would anyone else find this useful?
> 
> -- 
> John W. Davison
> unixfreak0...@gmail.com
> 


Re: Yara needs overlay offset

2016-08-15 Thread Wesley Shields
I haven't looked at the code, but there is precedent to use pe.overlay.offset 
and pe.overlay.size.

-- WXS

> On Aug 15, 2016, at 12:02 AM, Fernando Mercês  wrote:
> 
> Sorry to reply to an old thread but I had the same need and decided to create 
> a patch (discussion at https://github.com/VirusTotal/yara/issues/432), that 
> is on my Yara fork at https://github.com/merces/yara/
> 
> This commit adds pe.overlay location: 
> https://github.com/merces/yara/commit/39447516d82454f46988fac7313aebe8ce356f88
> This one adds the pe.overlay_size integer: 
> https://github.com/merces/yara/commit/089e8915c1cde8274ab729789a1edc9cc2235b0c
> 
> So rules like these would work:
> 
> rule overlay_bytes {
>   strings:
>   $bytes = { 41 42 43 44 45 }
>   condition:
>   $bytes at pe.overlay
> }
> 
> rule has_overlay {
>   condition:
>   pe.overlay
> }
> 
> rule big_overlay {
>   condition:
>   pe.overlay_size > 10
> }
> 
> 
> @Victor, do you believe the patch is good enough for a pull request?
> 
> Att,
> 
> @MercesFernando
> mentebinaria.com.br
> ---
> 
> On Wed, Dec 2, 2015 at 7:46 AM, Víctor Manuel Álvarez García 
>  wrote:
> Sure, i think this makes a lot of sense. Thank you for the suggestion.
> 
> On Tue, Dec 1, 2015 at 10:05 PM, Glenn J  wrote:
> rule SkDUndetectabler : SkDrat {
>   meta:
>     author = "me"
>   condition:
>     (
>       borland_delphi or //check All FSG or
>       ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0 ))
>     )
>     and
>     (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
>     //is overlay at offset 2A00,1A00,C00,745,739
>     //pe.overlay & pe.overlay_size would have been prettier
>     (
>       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x0739) or
>       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x0745) or
>       //Uncompressed
>       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x0C00) or
>       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x2A00) or
>       (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x1A00)
>     )
>     and
>     //is xored MZ ?
>     (
>       uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
>       uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
>     )
> }
> 
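The overlay offset that Glenn's rule spells out by hand, and that the pe.overlay patch exposes, can be computed directly from the PE section table. The Python below is an added example, not code from YARA or from the linked patches; it takes the maximum end of all sections rather than only the last header (so unsorted section tables are handled), and the sample PE it builds is constructed for the demonstration and is not executable.

```python
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes


def pe_overlay(data: bytes):
    """Return (overlay_offset, overlay_size) for a PE image, or None when the
    input is not a PE file. The overlay starts where the highest section's
    raw data ends, which is what pe.overlay / pe.overlay_size express."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: NumberOfSections at +6, then 12 bytes
    # (TimeDateStamp, PointerToSymbolTable, NumberOfSymbols), SizeOfOptionalHeader
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    end_of_sections = 0
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(data):
            return None  # truncated section table, refuse to guess
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    # Same test as the quoted rule: raw_data_offset + raw_data_size < filesize
    overlay_size = max(0, len(data) - end_of_sections)
    return end_of_sections, overlay_size


def overlay_bytes(data: bytes) -> bytes:
    """The overlay itself, so a check like `$bytes at pe.overlay` can be
    reproduced outside YARA."""
    info = pe_overlay(data)
    if info is None:
        return b""
    offset, size = info
    return data[offset:offset + size]


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed, non-executable PE layout for testing: DOS header, PE
    signature, COFF header, a zeroed PE32 optional header, one .text section
    whose raw data occupies 0x200..0x400, then the given overlay bytes."""
    opt_size = 224
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = (b".text\0\0\0" + struct.pack("<IIII", 0x100, 0x1000, 0x200, 0x200)
               + b"\0" * 16)
    headers = dos + b"PE\0\0" + coff + b"\0" * opt_size + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\x90" * 0x200 + overlay
```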


Re: How about importing yara into kernel space ?

2016-03-19 Thread Wesley Shields
If you are infected with a rootkit moving YARA into the kernel is not an answer 
since the rootkit has full access to muck around with YARA even if it is in the 
kernel.

My recommendation is don't run YARA on a system which is potentially 
compromised with a rootkit like you describe. If the kernel of the system is 
compromised you can no longer trust it.

Sure, it's possible to put YARA in the kernel but it isn't going to get you 
anything if your concern is rootkits.

-- WXS

> On Mar 18, 2016, at 1:19 AM, 慎增刘  wrote:
> 
> Yara is so powerful in malware matching. Sometimes people want to check files, 
> which are attached to file-system hooks. So how about importing yara (or 
> just libyara) into the linux kernel? Is it possible? Is there any advice? 
> Thanks for each response.
> 


Re: How about importing yara into kernel space ?

2016-03-18 Thread Wesley Shields
Not entirely true. The YARA VM does not run native instructions directly, so if 
you did manage to jump somewhere other than YARA instructions the VM would 
likely crash badly. If this can lead to arbitrary code execution, I have no 
idea.

Jumps are not bad. BPF, which runs in the kernel, allows forward jumps. 
Backward jumps are not allowed because it could cause an infinite loop. As long 
as you ensure that your jumps are within the bounds of the YARA bytecode then 
they are perfectly fine.

-- WXS

> On Mar 18, 2016, at 11:33 AM, Shiv M <shivakumar.melmanga...@gmail.com> wrote:
> 
> Yara rules with jump constructs would make it easy to get code execution in 
> the kernel.
> 
> On Fri, Mar 18, 2016 at 6:03 AM Wesley Shields <wshie...@gmail.com> wrote:
> If you are infected with a rootkit moving YARA into the kernel is not an 
> answer since the rootkit has full access to muck around with YARA even if it 
> is in the kernel.
> 
> My recommendation is don't run YARA on a system which is potentially 
> compromised with a rootkit like you describe. If the kernel of the system is 
> compromised you can no longer trust it.
> 
> Sure, it's possible to put YARA in the kernel but it isn't going to get you 
> anything if your concern is rootkits.
> 
> -- WXS
> 
> > On Mar 18, 2016, at 1:19 AM, 慎增刘 <shenzeng@gmail.com> wrote:
> >
> > Yara is so powerful in malware matching. Sometimes people want to check 
> > files, which are attached to file-system hooks. So how about importing yara 
> > (or just libyara) into the linux kernel? Is it possible? Is there any 
> > advice? Thanks for each response.
> >


Re: Yara - Bus error: 10

2016-03-18 Thread Wesley Shields
What happens if you move the crashing folders off CIF and onto local disk? If 
it still crashes can you narrow it down to a single file and rule (or set of 
rules) that crash? If you can do that then I can try to replicate and debug 
from there.

-- WXS

> On Mar 1, 2016, at 6:19 PM, Patrick Olsen  wrote:
> 
> I have a Mac with a mounted CIF share and I am attempting to recursively scan 
> the share with yara and I am getting a "Bus error: 10" error. A bit of 
> searching points to a string handling error. Has anyone run into this issue 
> before? I have never run into this error before in the past. It works on 
> some folders, but dies on others.
> 
> $yara -v
> yara 3.4.0
> 


Re: [yara-python] How to get the rule name of every compiled rule?

2016-03-04 Thread Wesley Shields
I don't recall exactly when it was added but probably is in newer versions
than what you have.

-- WXS

On Friday, March 4, 2016, Robert Giczewski <robert.giczew...@gmail.com>
wrote:

> yara 3.2.0
> yara-python 2.0
>
> On Friday, 4 March 2016 14:35:21 UTC+1, Wesley Shields wrote:
>>
>> What version of YARA are you using? That should work but I'm unable to
>> confirm right now.
>>
>> -- WXS
>>
>> On Friday, March 4, 2016, Robert Giczewski <robert.g...@gmail.com> wrote:
>>
>>> That would be too easy ;-)
>>>
>>> TypeError: 'yara.Rules' object is not iterable
>>>
>>>
>>> On Friday, 4 March 2016 13:59:11 UTC+1, Wesley Shields wrote:
>>>>
>>>> I believe there is support for this that was added a while back.
>>>> Totally untested but I believe it goes like this:
>>>>
>>>> for rule in rules:
>>>>     print rule.identifier
>>>>
>>>> -- WXS
>>>>
>>>> On Friday, March 4, 2016, Robert Giczewski <robert.g...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>> I'm currently loading quite a lot of files containing even more yara
>>>>> rules.
>>>>> After loading the files, I'm compiling the rules so I can check files
>>>>> against the rules. (see the code below)
>>>>>
>>>>> print "[*] Loading rules (%s) ... " % (rules_dir)
>>>>>
>>>>> sigs = dict([(name.replace(".yara", "").split("/")[-1], name) for name
>>>>> in glob.glob(rules_dir + "/*.yara")])
>>>>> rules = yara.compile(filepaths=sigs)
>>>>>
>>>>>
>>>>> Before checking any file, I want to see the names of every rule I
>>>>> successfully compiled.
>>>>> I'd love to have something like:
>>>>>
>>>>>
>>>>> for rule in rules.getNames():
>>>>>     print rule
>>>>>
>>>>> # badAss-1-rule
>>>>> # badAss-2-rule
>>>>> # ...
>>>>> # badAss-n-rule
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Rob
>>>>>
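As an added example (not yara-python's own code) of what this thread is after: rule names come from iterating the compiled yara.Rules object where the installed yara-python supports it, with a fallback that reads the identifiers out of the rule source text, which is what an older build such as the yara-python 2.0 mentioned above leaves you with. The sample rule set and the helper names are constructed for the demonstration.

```python
import re

# Constructed sample rule set for the demo (not a real signature).
SAMPLE_RULES = '''/* the word rule in this comment must not be reported */
import "pe"
private rule helper_is_pe {
    condition: uint16(0) == 0x5A4D
}
rule badAss_1_rule : family {
    meta:
        description = "the word rule inside a string is not a declaration"
    strings:
        $s = "rule not_a_rule"   // nor is this one
    condition:
        helper_is_pe and $s
}
global rule badAss_2_rule { condition: filesize < 10MB }
'''

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"//[^\n]*")
_DECLARATION = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)", re.M)


def rule_identifiers_from_source(source: str):
    """Rule names declared in YARA source text, in declaration order.
    String literals and comments are blanked first so 'rule' inside them is
    ignored; a declaration must start its line, optionally after 'private'
    or 'global'. Regex literals are not stripped (a full tokenizer would be)."""
    cleaned = _STRING.sub('""', source)
    cleaned = _BLOCK_COMMENT.sub("", cleaned)
    cleaned = _LINE_COMMENT.sub("", cleaned)
    return _DECLARATION.findall(cleaned)


def rule_identifiers(rules, sources=()):
    """Names of the compiled rules. Newer yara-python lets you iterate the
    yara.Rules object and read rule.identifier; older builds raise the
    TypeError seen in this thread, in which case the rule sources (the text
    handed to yara.compile) are parsed instead."""
    try:
        return [r.identifier for r in rules]
    except TypeError:
        if not sources:
            raise
        return [name for src in sources for name in rule_identifiers_from_source(src)]
```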


Re: [yara-python] How to get the rule name of every compiled rule?

2016-03-04 Thread Wesley Shields
What version of YARA are you using? That should work but I'm unable to
confirm right now.

-- WXS

On Friday, March 4, 2016, Robert Giczewski <robert.giczew...@gmail.com>
wrote:

> That would be too easy ;-)
>
> TypeError: 'yara.Rules' object is not iterable
>
>
> On Friday, 4 March 2016 13:59:11 UTC+1, Wesley Shields wrote:
>>
>> I believe there is support for this that was added a while back. Totally
>> untested but I believe it goes like this:
>>
>> for rule in rules:
>>     print rule.identifier
>>
>> -- WXS
>>
>> On Friday, March 4, 2016, Robert Giczewski <robert.g...@gmail.com> wrote:
>>
>>> Hi,
>>> I'm currently loading quite a lot of files containing even more yara
>>> rules.
>>> After loading the files, I'm compiling the rules so I can check files
>>> against the rules. (see the code below)
>>>
>>> print "[*] Loading rules (%s) ... " % (rules_dir)
>>>
>>> sigs = dict([(name.replace(".yara", "").split("/")[-1], name) for name
>>> in glob.glob(rules_dir + "/*.yara")])
>>> rules = yara.compile(filepaths=sigs)
>>>
>>>
>>> Before checking any file, I want to see the names of every rule I
>>> successfully compiled.
>>> I'd love to have something like:
>>>
>>>
>>> for rule in rules.getNames():
>>>     print rule
>>>
>>> # badAss-1-rule
>>> # badAss-2-rule
>>> # ...
>>> # badAss-n-rule
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>>
>>> Rob
>>>


Re: No yara-python after make installing

2016-02-11 Thread Wesley Shields
I think the documentation applies to the most recent release, and it looks like 
you may be using the latest master. If that is the case, the yara-python code 
now lives in a separate repository.

-- WXS

> On Feb 11, 2016, at 10:26 AM, Geoffrey Van Den Berge 
>  wrote:
> 
> Hello,
> 
> It says in the documentation that after the install of yara, you can cd into 
> yara-python and then run the python build and install.
> However, I don't have a yara-python folder. Do I have to explicitly install the 
> python extension or am I missing something?
> In this dockerfile the user did the same thing as I am trying to do.
> 
> Thanks in advance
> 