Hi,
maybe I am wrong here, but the misc.yar rule you are including will only
match if there is only *one* newline in the file, so you currently would
not "require an actually large file that contains newlines", but a file
that has exactly one new line (and also is larger than the 8MB limit to be
able to verify the expected behavior). If the plural on "newlines" is a
typo, please disregard this message.
Best Regards,
Jonas Andradas.
On Wed, Aug 16, 2017 at 11:51 AM, necrophcodr <tcg.thega...@gmail.com>
wrote:
> Alright, so I've returned with a result:
>
> If I have `~/inc.yar` with the following content:
>
> ```
> include "./global.yar"
> include "./misc.yar"
> ```
>
> And the content of these files respectively:
>
> ```
> global rule fsL { condition: filesize < 8MB }
> ```
>
> And
>
> ```
> private rule newline_one {
> meta:
> description = "Files that contain one newline"
> author = "Steffen Rytter Postas"
>
> strings:
> $newline = "\n"
>
> condition:
> ( #newline == 1 )
> }
> ```
>
> Then the issue prevails.
>
> Note that this requires an actually large file that contains newlines.
> Doing `dd if=/dev/zero bs=4M count=250 of=file.bin` and scanning that won't
> yield usable results.
>
>
> Den onsdag den 16. august 2017 kl. 11.43.17 UTC+2 skrev necrophcodr:
>>
>> Hi Wesley,
>>
>> Sorry for the late reply, vacations and all.
>>
>> So first and foremost:
>>
>> `yara -v`
>> yara 3.5.0
>>
>> The files getting scanned are reporting ` internal error: 30` which I'm
>> reading to be due to files being too large. These files are often larger
>> than 500MB too, well above the 8MB margin.
>>
>> I've attempted to replicate it using my own instructions, coupled with
>> your misc.yar, and the result is that it works just fine.
>>
>> So I'm guessing the issue is with my own setup, and I'll continue
>> evaluating the specifics and return with a response when I've found the
>> culprit.
>>
>> Den mandag den 7. august 2017 kl. 16.06.59 UTC+2 skrev Wesley Shields:
>>>
>>> I can't replicate this behavior using 3.5.0 or latest master.
>>>
>>> wxs@wxs-mbp yara % cat foo
>>> include "./global.yar"
>>> include "./misc.yar"
>>> wxs@wxs-mbp yara % cat global.yar
>>> global rule fileSizeLimit { condition: filesize < 1KB }
>>> wxs@wxs-mbp yara % cat misc.yar
>>> rule foo { condition: true }
>>> wxs@wxs-mbp yara % ls -l /bin/ls
>>> -rwxr-xr-x 1 root wheel 38624 Jul 15 00:29 /bin/ls*
>>> wxs@wxs-mbp yara % ./yara foo /bin/ls
>>> wxs@wxs-mbp yara %
>>>
>>> When you say regardless of file size are you sure you're above the 8MB?
>>> Keep in mind that 8MB is 8 * 1048576, which is 8388608.
>>>
>>> -- WXS
>>>
>>> > On Jul 28, 2017, at 7:01 AM, necrophcodr <tcg.th...@gmail.com> wrote:
>>> >
>>> > So I've got quite a few rules, but it all comes down to this:
>>> >
>>> > include "./rules/global.yar"
>>> > include "./rules/misc.yar"
>>> >
>>> >
>>> > The global.yar file contains
>>> >
>>> > global rule fileSizeLimit { condition: filesize < 8MB }
>>> >
>>> >
>>> > Any rule defined in rules/misc.yar are matched regardless of file
>>> size, but this is not what I intend. What am I doing wrong here?
>>> >
>>> > If this is not the right place to post, that's alright, feel free to
>>> slap me on the wrist and direct me to the correct location.
>>> >
>>> > edit:
>>> >
>>> > I should mention this is using Yara 3.5.0. I don't have a chance to
>>> upgrade this within the week.
>>> >
>>> >
>>> > --
>>> > You received this message because you are subscribed to the Google
>>> Groups "YARA" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an email to yara-project...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>>> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
--
Jonás Andradas
GPG Fingerprint: 678F 7BD0 83C3 28CE 9E8F
3F7F 4D87 9996 E0C6 9372
Keyservers: pgp.mit.edu | pgp.rediris.es
--
You received this message because you are subscribed to the Google Groups
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to yara-project+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
