Hi Wesley,
Sorry for the late reply, vacations and all.
So first and foremost:
`yara -v`
yara 3.5.0
The files getting scanned are reporting `internal error: 30` which I'm
reading to be due to files being too large. These files are often larger
than 500MB too, well above the 8MB margin.
I've attempted to replicate it using my own instructions, coupled with your
misc.yar, and the result is that it works just fine.
So I'm guessing the issue is with my own setup, and I'll continue
evaluating the specifics and return with a response when I've found the
culprit.
On Monday, August 7, 2017 at 16:06:59 UTC+2, Wesley Shields wrote:
>
> I can't replicate this behavior using 3.5.0 or latest master.
>
> wxs@wxs-mbp yara % cat foo
> include "./global.yar"
> include "./misc.yar"
> wxs@wxs-mbp yara % cat global.yar
> global rule fileSizeLimit { condition: filesize < 1KB }
> wxs@wxs-mbp yara % cat misc.yar
> rule foo { condition: true }
> wxs@wxs-mbp yara % ls -l /bin/ls
> -rwxr-xr-x 1 root wheel 38624 Jul 15 00:29 /bin/ls*
> wxs@wxs-mbp yara % ./yara foo /bin/ls
> wxs@wxs-mbp yara %
>
> When you say regardless of file size are you sure you're above the 8MB?
> Keep in mind that 8MB is 8 * 1048576, which is 8388608.
>
> -- WXS
>
> > On Jul 28, 2017, at 7:01 AM, necrophcodr <[email protected]> wrote:
> >
> > So I've got quite a few rules, but it all comes down to this:
> >
> > include "./rules/global.yar"
> > include "./rules/misc.yar"
> >
> >
> > The global.yar file contains
> >
> > global rule fileSizeLimit { condition: filesize < 8MB }
> >
> >
> > Any rule defined in rules/misc.yar is matched regardless of file size, but this is not what I intend. What am I doing wrong here?
> >
> > If this is not the right place to post, that's alright, feel free to slap me on the wrist and direct me to the correct location.
> >
> > edit:
> >
> > I should mention this is using Yara 3.5.0. I don't have a chance to upgrade this within the week.
> >
> >
> > --
> > You received this message because you are subscribed to the Google Groups "YARA" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
>
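A repro for the 8MB threshold from the original question, added here as an example and not taken from any message in the thread: it rebuilds the quoted include layout and scans one file just under and one exactly at 8388608 bytes. The names `index.yar`, `under.bin`, `at.bin` and the helper functions are assumptions, and the scan step needs the `yara` CLI on PATH.

```sh
#!/bin/sh
# Constructed repro, not from the thread: same rules as quoted, 8MB boundary.

# Create the rule tree and two sample files in directory $1.
make_repro() {
    dir=$1
    mkdir -p "$dir/rules" || return 1
    printf 'global rule fileSizeLimit { condition: filesize < 8MB }\n' \
        > "$dir/rules/global.yar"
    printf 'rule foo { condition: true }\n' > "$dir/rules/misc.yar"
    printf 'include "./rules/global.yar"\ninclude "./rules/misc.yar"\n' \
        > "$dir/index.yar"
    # 8MB is 8 * 1048576 = 8388608 bytes, and "<" excludes that exact size.
    head -c 8388607 /dev/zero > "$dir/under.bin"
    head -c 8388608 /dev/zero > "$dir/at.bin"
}

# Byte size of file $1 (tr strips the padding some wc builds emit).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Print "match" if rule foo fires on file $2 under the rules in $1, else
# "nomatch". yara prints "<rule> <file>" for each match; errors go to stderr.
scan() {
    if ( cd "$1" && yara index.yar "$2" | grep -q '^foo ' ); then
        echo match
    else
        echo nomatch
    fi
}

# Run only where the yara CLI is installed.
if command -v yara >/dev/null 2>&1; then
    d=$(mktemp -d) && make_repro "$d"
    for f in under.bin at.bin; do
        echo "$f ($(size_of "$d/$f") bytes): $(scan "$d" "$f")"
    done
    rm -rf "$d"
fi
```

If `at.bin` reports `match`, the global rule is not part of the ruleset that actually ran, which points at the include paths or at the rules file handed to `yara`.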