You're correct, thanks for the correction. Still, the point stands.
Den onsdag den 16. august 2017 kl. 12.26.18 UTC+2 skrev Jonás Andradas:
>
> Hi,
>
> maybe I am wrong here, but the misc.yar rule you are including will only
> match if there is only *one* newline in the file, so you currently would
> not "require an actually large file that contains newlines", but a file
> that has exactly one new line (and also is larger than the 8MB limit to be
> able to verify the expected behavior). If the plural on "newlines" is a
> typo, please disregard this message.
>
> Best Regards,
> Jonas Andradas.
>
> On Wed, Aug 16, 2017 at 11:51 AM, necrophcodr <tcg.th...@gmail.com
> <javascript:>> wrote:
>
>> Alright, so I've returned with a result:
>>
>> If I have `~/inc.yar` with the following content:
>>
>> ```
>> include "./global.yar"
>> include "./misc.yar"
>> ```
>>
>> And the content of these files respectively:
>>
>> ```
>> global rule fsL { condition: filesize < 8MB }
>> ```
>>
>> And
>>
>> ```
>> private rule newline_one {
>> meta:
>> description = "Files that contain one newline"
>> author = "Steffen Rytter Postas"
>>
>> strings:
>> $newline = "\n"
>>
>> condition:
>> ( #newline == 1 )
>> }
>> ```
>>
>> Then the issue prevails.
>>
>> Note that this requires an actually large file that contains newlines.
>> Doing `dd if=/dev/zero bs=4M count=250 of=file.bin` and scanning that won't
>> yield usable results.
>>
>>
>> Den onsdag den 16. august 2017 kl. 11.43.17 UTC+2 skrev necrophcodr:
>>>
>>> Hi Wesley,
>>>
>>> Sorry for the late reply, vacations and all.
>>>
>>> So first and foremost:
>>>
>>> `yara -v`
>>> yara 3.5.0
>>>
>>> The files getting scanned are reporting ` internal error: 30` which I'm
>>> reading to be due to files being too large. These files are often larger
>>> than 500MB too, well above the 8MB margin.
>>>
>>> I've attempted to replicate it using my own instructions, coupled with
>>> your misc.yar, and the result is that it works just fine.
>>>
>>> So I'm guessing the issue is with my own setup, and I'll continue
>>> evaluating the specifics and return with a response when I've found the
>>> culprit.
>>>
>>> Den mandag den 7. august 2017 kl. 16.06.59 UTC+2 skrev Wesley Shields:
>>>>
>>>> I can't replicate this behavior using 3.5.0 or latest master.
>>>>
>>>> wxs@wxs-mbp yara % cat foo
>>>> include "./global.yar"
>>>> include "./misc.yar"
>>>> wxs@wxs-mbp yara % cat global.yar
>>>> global rule fileSizeLimit { condition: filesize < 1KB }
>>>> wxs@wxs-mbp yara % cat misc.yar
>>>> rule foo { condition: true }
>>>> wxs@wxs-mbp yara % ls -l /bin/ls
>>>> -rwxr-xr-x 1 root wheel 38624 Jul 15 00:29 /bin/ls*
>>>> wxs@wxs-mbp yara % ./yara foo /bin/ls
>>>> wxs@wxs-mbp yara %
>>>>
>>>> When you say regardless of file size are you sure you're above the 8MB?
>>>> Keep in mind that 8MB is 8 * 1048576, which is 8388608.
>>>>
>>>> -- WXS
>>>>
>>>> > On Jul 28, 2017, at 7:01 AM, necrophcodr <tcg.th...@gmail.com>
>>>> wrote:
>>>> >
>>>> > So I've got quite a few rules, but it all comes down to this:
>>>> >
>>>> > include "./rules/global.yar"
>>>> > include "./rules/misc.yar"
>>>> >
>>>> >
>>>> > The global.yar file contains
>>>> >
>>>> > global rule fileSizeLimit { condition: filesize < 8MB }
>>>> >
>>>> >
>>>> > Any rule defined in rules/misc.yar are matched regardless of file
>>>> size, but this is not what I intend. What am I doing wrong here?
>>>> >
>>>> > If this is not the right place to post, that's alright, feel free to
>>>> slap me on the wrist and direct me to the correct location.
>>>> >
>>>> > edit:
>>>> >
>>>> > I should mention this is using Yara 3.5.0. I don't have a chance to
>>>> upgrade this within the week.
>>>> >
>>>> >
>>>> > --
>>>> > You received this message because you are subscribed to the Google
>>>> Groups "YARA" group.
>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>> send an email to yara-project...@googlegroups.com.
>>>> > For more options, visit https://groups.google.com/d/optout.
>>>>
>>>> --
>> You received this message because you are subscribed to the Google Groups
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to yara-project...@googlegroups.com <javascript:>.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> --
> Jonás Andradas
>
> GPG Fingerprint: 678F 7BD0 83C3 28CE 9E8F
> 3F7F 4D87 9996 E0C6 9372
> Keyservers: pgp.mit.edu | pgp.rediris.es
>
--
You received this message because you are subscribed to the Google Groups
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to yara-project+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
