Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-23 Thread Zvi Kave via clamav-users

  
  
Hi Richard,


Yes. I tried with options: --normalize=no and /or --allmatch
But no change.


Thanks,


Zvi



On 8/23/2021 9:13 AM, Paul Kosinski via clamav-users wrote:

> On Sun, 22 Aug 2021 20:10:00 +0100 (BST)
> "G.W. Haywood via clamav-users" wrote:
>
> > Hi there,
> >
> > On Sun, 22 Aug 2021, Richard Graham via clamav-users wrote:
> >
> > > On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave wrote:
> > >
> > > > On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
> > > >
> > > > > On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
> > > > >
> > > > > > I found that yara strings like this: $re = /[0-9]{9}/
> > > > > > find only first 9-digit match in file.
> > > > > > This spoils my logic ...
> > > > >
> > > > > ... my advice is not to try anything fancy ...
> > > >
> > > > I understand that I have to be patient.
> > >
> > > I'm wondering if the --allmatch option/switch is useful here.
> >
> > Unfortunately I'm afraid it's a different issue.  Yara rules don't
> > necessarily produce a match (one which ClamAV would report as FOUND)
> > even if there are strings in the Yara rules which _do_ in fact match.
> > The point is that you can (or should be able to) tell Yara things like
> > "count the number of times the string is found in the text, and report
> > if there are more than 23 of them".  This sort of thing will sometimes
> > work with the Yara engine in ClamAV, but my experience is that it's at
> > the fancy end of the scale and I've spent hours trying to get things
> > to work which would seem to be trivial exercises in regexes and logic.
>
> Maybe ClamAV should support plugins, rather than being constrained to what's
> compiled in. (There are, of course, various plugins that invoke ClamAV, but
> that's not what I mean.)
>
> ___
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-23 Thread Paul Kosinski via clamav-users
On Sun, 22 Aug 2021 20:10:00 +0100 (BST)
"G.W. Haywood via clamav-users"  wrote:

> Hi there,
>
> On Sun, 22 Aug 2021, Richard Graham via clamav-users wrote:
> > On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave wrote:
> >> On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
> >>> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
> >>>>
> >>>> I found that yara strings like this: $re = /[0-9]{9}/
> >>>> find only first 9-digit match in file.
> >>>> This spoils my logic ...
> >>>
> >>> ... my advice is not to try anything fancy ...
> >>
> >> I understand that I have to be patient.
> >
> > I'm wondering if the --allmatch option/switch is useful here.
>
> Unfortunately I'm afraid it's a different issue.  Yara rules don't
> necessarily produce a match (one which ClamAV would report as FOUND)
> even if there are strings in the Yara rules which _do_ in fact match.
> The point is that you can (or should be able to) tell Yara things like
> "count the number of times the string is found in the text, and report
> if there are more than 23 of them".  This sort of thing will sometimes
> work with the Yara engine in ClamAV, but my experience is that it's at
> the fancy end of the scale and I've spent hours trying to get things
> to work which would seem to be trivial exercises in regexes and logic.



Maybe ClamAV should support plugins, rather than being constrained to what's 
compiled in. (There are, of course, various plugins that invoke ClamAV, but 
that's not what I mean.)



Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread Richard Graham via clamav-users
Hi,

Very interesting!  Thanks!

R

On Sun, Aug 22, 2021 at 9:10 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Sun, 22 Aug 2021, Richard Graham via clamav-users wrote:
> > On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave wrote:
> >> On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
> >>> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
> >>>>
> >>>> I found that yara strings like this: $re = /[0-9]{9}/
> >>>> find only first 9-digit match in file.
> >>>> This spoils my logic ...
> >>>
> >>> ... my advice is not to try anything fancy ...
> >>
> >> I understand that I have to be patient.
> >
> > I'm wondering if the --allmatch option/switch is useful here.
>
> Unfortunately I'm afraid it's a different issue.  Yara rules don't
> necessarily produce a match (one which ClamAV would report as FOUND)
> even if there are strings in the Yara rules which _do_ in fact match.
> The point is that you can (or should be able to) tell Yara things like
> "count the number of times the string is found in the text, and report
> if there are more than 23 of them".  This sort of thing will sometimes
> work with the Yara engine in ClamAV, but my experience is that it's at
> the fancy end of the scale and I've spent hours trying to get things
> to work which would seem to be trivial exercises in regexes and logic.
>
> --
>
> 73,
> Ged.
>


Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 22 Aug 2021, Richard Graham via clamav-users wrote:

> On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave wrote:
>
> > On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
> >
> > > On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
> > >
> > > > I found that yara strings like this: $re = /[0-9]{9}/
> > > > find only first 9-digit match in file.
> > > > This spoils my logic ...
> > >
> > > ... my advice is not to try anything fancy ...
> >
> > I understand that I have to be patient.
>
> I'm wondering if the --allmatch option/switch is useful here.

Unfortunately I'm afraid it's a different issue.  Yara rules don't
necessarily produce a match (one which ClamAV would report as FOUND)
even if there are strings in the Yara rules which _do_ in fact match.
The point is that you can (or should be able to) tell Yara things like
"count the number of times the string is found in the text, and report
if there are more than 23 of them".  This sort of thing will sometimes
work with the Yara engine in ClamAV, but my experience is that it's at
the fancy end of the scale and I've spent hours trying to get things
to work which would seem to be trivial exercises in regexes and logic.

--

73,
Ged.



Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread Richard Graham via clamav-users
Hi,

I'm wondering if the --allmatch option/switch is useful here.

Regards,
R

On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi Ged,
>
>
> Sorry. I hope you have some hair yet.
>
> I understand that I have to be patient.
>
>
> Thank you,
>
>
> Zvi
>
>
> On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
>
> > Hi there,
> >
> > On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
> >
> > > I found that yara strings like this: $re = /[0-9]{9}/
> > > find only first 9-digit match in file.
> > > This spoils my logic ...
> >
> > After tearing out most of what remains of my hair over Yara rules in
> > ClamAV, my advice is not to try anything fancy until the Yara engine
> > is completely replaced.  My list of the faults in it keeps on growing,
> > and AFAICT there's no prospect of any attention being paid to them in
> > the foreseeable future.  As you have seen there are reports going back
> > years.  If I had time I'd do it myself, but I don't.  I've reached the
> > point where I code Yara rules in as simple a way as I possibly can and
> > every time I add a new rule or modify an existing one I hope not to
> > find another fault in the engine.  Sometimes I've spent hours trying
> > to get it to do a single match correctly and finally given up.  It's a
> > terrible shame, because (here at least) Yara rules by a very long way
> > find more spam and malicious mail content than anything else:
> >
> > $ grep FOUND /var/log/mail.debug | wc -l
> > 60072
> > $ grep FOUND /var/log/mail.debug | grep -v YARA | wc -l
> > 11530
> > $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\)' | wc -l
> > 2876
> > $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\|UNOFFICIAL\)' | wc -l
> > 20
> > $
> >
> > This is a single mail server, approximately 19 days of August 2021.
> > I'd consider it a low-volume site.  For whatever reasons we see very
> > little malicious mail, rarely more than two or three items of malware
> > in a typical day, but quite a lot of spam.  I don't know how this
> > compares with the experience of other people here on the list.


Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread Zvi Kave via clamav-users

  
  
Hi Ged,


Sorry. I hope you have some hair yet.

I understand that I have to be patient.


Thank you,


Zvi



On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
>
> > I found that yara strings like this: $re = /[0-9]{9}/
> > find only first 9-digit match in file.
> > This spoils my logic ...
>
> After tearing out most of what remains of my hair over Yara rules in
> ClamAV, my advice is not to try anything fancy until the Yara engine
> is completely replaced.  My list of the faults in it keeps on growing,
> and AFAICT there's no prospect of any attention being paid to them in
> the foreseeable future.  As you have seen there are reports going back
> years.  If I had time I'd do it myself, but I don't.  I've reached the
> point where I code Yara rules in as simple a way as I possibly can and
> every time I add a new rule or modify an existing one I hope not to
> find another fault in the engine.  Sometimes I've spent hours trying
> to get it to do a single match correctly and finally given up.  It's a
> terrible shame, because (here at least) Yara rules by a very long way
> find more spam and malicious mail content than anything else:
>
> $ grep FOUND /var/log/mail.debug | wc -l
> 60072
> $ grep FOUND /var/log/mail.debug | grep -v YARA | wc -l
> 11530
> $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\)' | wc -l
> 2876
> $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\|UNOFFICIAL\)' | wc -l
> 20
> $
>
> This is a single mail server, approximately 19 days of August 2021.
> I'd consider it a low-volume site.  For whatever reasons we see very
> little malicious mail, rarely more than two or three items of malware
> in a typical day, but quite a lot of spam.  I don't know how this
> compares with the experience of other people here on the list.




Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-19 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:

> I found that yara strings like this: $re = /[0-9]{9}/
> find only first 9-digit match in file.
> This spoils my logic ...


After tearing out most of what remains of my hair over Yara rules in
ClamAV, my advice is not to try anything fancy until the Yara engine
is completely replaced.  My list of the faults in it keeps on growing,
and AFAICT there's no prospect of any attention being paid to them in
the foreseeable future.  As you have seen there are reports going back
years.  If I had time I'd do it myself, but I don't.  I've reached the
point where I code Yara rules in as simple a way as I possibly can and
every time I add a new rule or modify an existing one I hope not to
find another fault in the engine.  Sometimes I've spent hours trying
to get it to do a single match correctly and finally given up.  It's a
terrible shame, because (here at least) Yara rules by a very long way
find more spam and malicious mail content than anything else:

$ grep FOUND /var/log/mail.debug | wc -l
60072
$ grep FOUND /var/log/mail.debug | grep -v YARA | wc -l
11530
$ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\)' | wc -l
2876
$ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\|UNOFFICIAL\)' | wc -l
20
$

This is a single mail server, approximately 19 days of August 2021.
I'd consider it a low-volume site.  For whatever reasons we see very
little malicious mail, rarely more than two or three items of malware
in a typical day, but quite a lot of spam.  I don't know how this
compares with the experience of other people here on the list.

--

73,
Ged.

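The four grep pipelines above classify FOUND log lines by progressively excluding YARA, MANUAL and UNOFFICIAL signature names. The following is an added example, not code from the thread or from the ClamAV project, that reproduces the same nested-exclusion tally in Python over a constructed log sample so the classification can be reused in a reporting script. The log lines are constructed and only approximate clamav-milter's syslog format; "MANUAL" is assumed to be a naming prefix the poster uses for hand-written signatures, while "YARA." and ".UNOFFICIAL" are the prefix and suffix ClamAV applies to YARA rules and third-party databases.

```python
"""Added example (not from the clamav-users thread): classify ClamAV FOUND
log lines the way the nested `grep FOUND | grep -v ...` pipelines do.

Assumptions: the sample lines are constructed and only approximate the
clamav-milter syslog format; "MANUAL" is assumed to be the poster's own
signature-name prefix.
"""
from collections import Counter

# Constructed sample log (not real traffic); one clean line is included to
# show that only FOUND lines are counted.
SAMPLE_LOG = """\
Aug 19 10:01:02 mx clamav-milter[811]: Message from <s@example.test> infected by YARA.Spam_Lottery.UNOFFICIAL FOUND
Aug 19 10:03:14 mx clamav-milter[811]: Message from <t@example.test> infected by MANUAL.Phish_Invoice.UNOFFICIAL FOUND
Aug 19 10:05:55 mx clamav-milter[811]: Message from <u@example.test> infected by Sanesecurity.Junk.52311.UNOFFICIAL FOUND
Aug 19 10:07:31 mx clamav-milter[811]: Message from <v@example.test> infected by Win.Trojan.Agent-12345 FOUND
Aug 19 10:09:00 mx clamav-milter[811]: Message from <w@example.test> is clean
Aug 19 10:11:42 mx clamav-milter[811]: Message from <y@example.test> infected by YARA.Spam_Pharma.UNOFFICIAL FOUND
"""

# Order matters and mirrors the grep -v chain: a line belongs to the first
# class whose marker it contains, so a YARA rule whose name also carries
# UNOFFICIAL is counted as YARA, exactly as the pipeline does.
CLASS_MARKERS = (("yara", "YARA"), ("manual", "MANUAL"), ("unofficial", "UNOFFICIAL"))


def classify(line: str):
    """Return the signature class of a FOUND line, or None for non-detections."""
    if "FOUND" not in line:
        return None
    for name, marker in CLASS_MARKERS:
        if marker in line:
            return name
    # Nothing excluded it: an official (Cisco-Talos) signature.
    return "official"


def tally(lines):
    """Per-class counts plus the cumulative figures the four pipelines print."""
    counts = Counter(c for c in map(classify, lines) if c is not None)
    found = sum(counts.values())
    return {
        "found": found,                                   # grep FOUND | wc -l
        "not_yara": found - counts["yara"],               # ... | grep -v YARA
        "not_yara_manual": found - counts["yara"] - counts["manual"],
        "official_only": counts["official"],              # after all three exclusions
        "by_class": dict(counts),
    }


if __name__ == "__main__":
    for key, value in tally(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a real mail log, feed `tally()` the lines of `/var/log/mail.debug` (or whatever file the milter logs to) instead of `SAMPLE_LOG`; the cumulative keys correspond one-to-one to the four `wc -l` outputs in the post.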


[clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-19 Thread Zvi Kave via clamav-users

  
  
Hi,


I found that yara strings like this: $re = /[0-9]{9}/
find only first 9-digit match in file.
This spoils my logic in condition: for 3 i in (1..#re) ...
Only this works: for 1 i in (1..#re) ...
I found that this issue was already reported in 2015.
Is there any way to convince ClamAV to match more, as usual?


Regards,


Zvi

  


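The question turns on the YARA string count `#re`: a condition of the form `for 3 i in (1..#re) ...` can only hold when the engine counts every occurrence of `$re`, and it fails when the engine stops after the first hit. The following is an added example, not code from the thread or from ClamAV, that uses Python's `re` module as a plain reference for the two counting models so the failure mode is easy to see. The loop body is not shown in the post, so the example assumes it is trivially true, which reduces the condition to `#re >= 3`; the sample data is constructed and contains no digit runs longer than nine, so overlapping-match subtleties do not arise.

```python
"""Added example (not from the clamav-users thread): a Python reference
for the YARA string count `#re` that the original question relies on.

Assumptions: the rule's loop body is trivially true, so
`for 3 i in (1..#re) : (...)` reduces to `#re >= 3`; the sample input is
constructed for this example.
"""
import re

# The string from the question, $re = /[0-9]{9}/, compiled over bytes
# because the scanned object is a file.
NINE_DIGITS = re.compile(rb"[0-9]{9}")

# Constructed sample: three 9-digit runs and one 8-digit decoy.
SAMPLE = b"id=123456789 ref=987654321 x=12345678 tel=555000111\n"


def count_all_matches(data: bytes) -> int:
    """#re as YARA defines it: every occurrence of the string in the data."""
    return sum(1 for _ in NINE_DIGITS.finditer(data))


def count_first_match_only(data: bytes) -> int:
    """What a first-match-only engine yields: at most one hit per string,
    which is the behaviour the thread reports for ClamAV's YARA support."""
    return 1 if NINE_DIGITS.search(data) else 0


def condition_holds(count: int, needed: int) -> bool:
    """`for N i in (1..#re) : (true)` is satisfied exactly when #re >= N."""
    return count >= needed


def evaluate(data: bytes, needed: int, first_match_only: bool) -> dict:
    """Run the rule under one counting model and report count and verdict."""
    count = count_first_match_only(data) if first_match_only else count_all_matches(data)
    return {"count": count, "needed": needed, "matched": condition_holds(count, needed)}


if __name__ == "__main__":
    # Full-count semantics fire for N=3; first-match-only semantics fire
    # only for N=1, which is the "only this works" observation in the post.
    for needed in (1, 3):
        for mode in (False, True):
            print(f"needed={needed} first_match_only={mode} -> {evaluate(SAMPLE, needed, mode)}")
```

The `evaluate()` output for `needed=3` is the whole story: the full count reports three hits and the condition holds, while the first-match-only count reports one and the condition fails, so a rule that depends on `#re` cannot be made to work by rewording the regex alone.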