Alright, so I've returned with a result:
If I have `~/inc.yar` with the following content:
```
include "./global.yar"
include "./misc.yar"
```
And the content of these files respectively:
```
global rule fsL { condition: filesize < 8MB }
```
And
```
private rule newline_one {
meta:
description = "Files that contain one newline"
author = "Steffen Rytter Postas"
strings:
$newline = "\n"
condition:
( #newline == 1 )
}
```
Then the issue prevails.
Note that this requires an actually large file that contains newlines.
Doing `dd if=/dev/zero bs=4M count=250 of=file.bin` and scanning that won't
yield usable results.
Den onsdag den 16. august 2017 kl. 11.43.17 UTC+2 skrev necrophcodr:
>
> Hi Wesley,
>
> Sorry for the late reply, vacations and all.
>
> So first and foremost:
>
> `yara -v`
> yara 3.5.0
>
> The files getting scanned are reporting ` internal error: 30` which I'm
> reading to be due to files being too large. These files are often larger
> than 500MB too, well above the 8MB margin.
>
> I've attempted to replicate it using my own instructions, coupled with
> your misc.yar, and the result is that it works just fine.
>
> So I'm guessing the issue is with my own setup, and I'll continue
> evaluating the specifics and return with a response when I've found the
> culprit.
>
> Den mandag den 7. august 2017 kl. 16.06.59 UTC+2 skrev Wesley Shields:
>>
>> I can't replicate this behavior using 3.5.0 or latest master.
>>
>> wxs@wxs-mbp yara % cat foo
>> include "./global.yar"
>> include "./misc.yar"
>> wxs@wxs-mbp yara % cat global.yar
>> global rule fileSizeLimit { condition: filesize < 1KB }
>> wxs@wxs-mbp yara % cat misc.yar
>> rule foo { condition: true }
>> wxs@wxs-mbp yara % ls -l /bin/ls
>> -rwxr-xr-x 1 root wheel 38624 Jul 15 00:29 /bin/ls*
>> wxs@wxs-mbp yara % ./yara foo /bin/ls
>> wxs@wxs-mbp yara %
>>
>> When you say regardless of file size are you sure you're above the 8MB?
>> Keep in mind that 8MB is 8 * 1048576, which is 8388608.
>>
>> -- WXS
>>
>> > On Jul 28, 2017, at 7:01 AM, necrophcodr <[email protected]> wrote:
>> >
>> > So I've got quite a few rules, but it all comes down to this:
>> >
>> > include "./rules/global.yar"
>> > include "./rules/misc.yar"
>> >
>> >
>> > The global.yar file contains
>> >
>> > global rule fileSizeLimit { condition: filesize < 8MB }
>> >
>> >
>> > Any rule defined in rules/misc.yar are matched regardless of file size,
>> but this is not what I intend. What am I doing wrong here?
>> >
>> > If this is not the right place to post, that's alright, feel free to
>> slap me on the wrist and direct me to the correct location.
>> >
>> > edit:
>> >
>> > I should mention this is using Yara 3.5.0. I don't have a chance to
>> upgrade this within the week.
>> >
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> Groups "YARA" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>>
>>
--
You received this message because you are subscribed to the Google Groups
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
