Hi!

The rule looks fine, except that there is another rule under "condition"
that is not shown (APT1_payloads). Apparently, your problem is related to
the number of nested "include" directives [1], which is currently set to 16
in the Yara source code [2]. Maybe it's the way Cortex works, I don't know, but
I'd look at the rules and/or the Cortex source code to make sure. ;-)

If you want to replicate the error, just try to use more than 16 "include"
directives with yara:

$ for i in {1..16}; do echo "include \"$(($i+1)).yar\"" > $i.yar; done
$ >17.yar
$ yara 1.yar 1.yar
16.yar(1): error: includes depth exceeded

Hope that helps.

[1] https://yara.readthedocs.io/en/latest/writingrules.html#including-files
[2] https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/limits.h#L107

Regards,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Sat, Feb 29, 2020 at 7:17 AM Ed Qartah <[email protected]> wrote:

> Hi,
>
> I'm using Yara with Cortex. I'm not able to understand the reason behind
> this error: includes depth exceeded
>
> Invalid output
> Traceback (most recent call last):
>   File "Yara/yara_analyzer.py", line 71, in <module>
>     YaraAnalyzer().run()
>   File "Yara/yara_analyzer.py", line 23, in __init__
>     self.ruleset.append(yara.compile(rulepath))
> yara.SyntaxError: /opt/Cortex-Analyzers/analyzers/Yara/rules/research/APT1_aspnetreport.yar(1480): includes depth exceeded
>
>
>
> rule APT1_aspnetreport
> {
>     meta:
>         author = "AlienVault Labs"
>         info = "CommentCrew-threat-apt1"
>
>     strings:
>         $url = "aspnet_client/report.asp" wide ascii
>         $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
>
>     condition:
>         $url and $param and APT1_payloads
> }
>
>
> Any help is appreciated.
>
> Ayed
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/dbe9083b-f683-4c53-baf9-21949703b4f7%40googlegroups.com
> <https://groups.google.com/d/msgid/yara-project/dbe9083b-f683-4c53-baf9-21949703b4f7%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17M8kLWT7_hgvtvNYR8NXmK8QmvNJAUhn1xD2uA9PY-vkw%40mail.gmail.com.
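The reply above points at YARA's include depth limit and gives a 17-file shell repro. The script below is an added example, not code from the thread, from yara-python or from Cortex: it statically walks `include` directives from a root rule file and reports the deepest chain, any cycles and any missing files, so the offending chain in a large rules tree (such as the Cortex analyzer's rules directory) can be located without calling yara.compile(). Its assumptions: include directives sit one per line in the `include "file"` form, a relative target is looked up beside the including file and then in the current working directory, and the threshold follows the repro in the thread (16 nested includes, 17 files, fails); the exact off-by-one may differ between YARA versions, and the resolution rule is this script's, not a statement about libyara's lexer. The sample rulesets it builds in a scratch directory are constructed for the demonstration.

```python
"""Static walker for YARA include directives (added example, not yara/Cortex code)."""
import os
import re
import sys
import tempfile

# Value cited in the thread from libyara/include/yara/limits.h; adjust if your build differs.
MAX_INCLUDE_DEPTH = 16

# One directive per line, as in the repro. Assumption: a commented-out include is
# still matched here even though yara would ignore it.
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"', re.MULTILINE)


def includes_of(path):
    """Return the include targets declared in one rule file, in order."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return INCLUDE_RE.findall(fh.read())


def resolve(including_file, target):
    """Assumption: relative targets are tried beside the including file, then in the cwd."""
    if os.path.isabs(target):
        return os.path.normpath(target)
    beside = os.path.join(os.path.dirname(os.path.abspath(including_file)), target)
    if os.path.isfile(beside):
        return os.path.normpath(beside)
    return os.path.abspath(target)


def walk(path, stack, cycles, missing):
    """Depth-first walk; returns (depth, chain) of the longest include chain under path.

    depth counts include directives followed, so a file with no includes is depth 0.
    A file already on the stack is recorded as a cycle and not descended into, which
    keeps the walk finite and stops a cycle from inflating the reported depth.
    """
    if path in stack:
        cycles.append(stack[stack.index(path):] + [path])
        return 0, [path]
    if not os.path.isfile(path):
        missing.append(path)
        return 0, [path]
    stack.append(path)
    best_depth, best_chain = 0, [path]
    for target in includes_of(path):
        depth, chain = walk(resolve(path, target), stack, cycles, missing)
        if depth + 1 > best_depth:
            best_depth, best_chain = depth + 1, [path] + chain
    stack.pop()
    return best_depth, best_chain


def check_ruleset(root, limit=MAX_INCLUDE_DEPTH):
    """Summarise the include structure below one root rule file."""
    cycles, missing = [], []
    depth, chain = walk(os.path.abspath(root), [], cycles, missing)
    # The thread's repro fails at 16 nested includes (17 files), so depth >= limit is flagged.
    return {"depth": depth, "chain": chain, "exceeds": depth >= limit,
            "cycles": cycles, "missing": missing}


def build_chain(directory, n_files):
    """Constructed sample mirroring the repro: i.yar includes (i+1).yar, last file empty."""
    for i in range(1, n_files):
        with open(os.path.join(directory, f"{i}.yar"), "w") as fh:
            fh.write(f'include "{i + 1}.yar"\n')
    open(os.path.join(directory, f"{n_files}.yar"), "w").close()
    return os.path.join(directory, "1.yar")


def depth_of_chain(n_files):
    """Build an n-file chain in a scratch directory and return (depth, exceeds)."""
    with tempfile.TemporaryDirectory() as scratch:
        result = check_ruleset(build_chain(scratch, n_files))
        return result["depth"], result["exceeds"]


def cycle_count():
    """Constructed sample: a.yar and b.yar include each other; returns cycles found."""
    with tempfile.TemporaryDirectory() as scratch:
        for name, other in (("a.yar", "b.yar"), ("b.yar", "a.yar")):
            with open(os.path.join(scratch, name), "w") as fh:
                fh.write(f'include "{other}"\n')
        return len(check_ruleset(os.path.join(scratch, "a.yar"))["cycles"])


if __name__ == "__main__":
    # Usage: python include_depth.py rules/research/APT1_aspnetreport.yar
    report = check_ruleset(sys.argv[1])
    print(f"deepest include chain: {report['depth']} level(s), exceeds limit: {report['exceeds']}")
    for hop in report["chain"]:
        print("  ", hop)
    for cycle in report["cycles"]:
        print("cycle:", " -> ".join(cycle))
    for path in report["missing"]:
        print("missing include:", path)
```

Run it against the root file named in the traceback and the printed chain shows which files to flatten or merge; a reported cycle or missing include is worth fixing first, since the walker only guesses how libyara would react to those and reports them separately from the depth figure.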