[clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!
Steven Morgan
smorgan at sourcefire.com
Thu Jun 11 15:36:51 UTC 2015
Steve
Here is a quick demo for your question. The file names in this test are the
same as the file content:
rule basford
{
    strings:
        $match1 = "bbb"
        $ignore1 = "nnnnn"
        $ignore2 = "zbcz"
    condition:
        $match1 and not ($ignore1 or $ignore2)
}
smorgan at ubuntu:~/work/yara$ clamscan -d simple/basford.yar sample/
sample/zzabczqxyzfghiabcxyzaaaaxyzbbbbbb: basford.UNOFFICIAL FOUND
sample/bbbzzabczqxyzfghiabcxyzaaaaxyzbbbbbbmmm~: basford.UNOFFICIAL FOUND
sample/bbbzzabczqxyzfghiabcxyzaaaaxyzbbb1bbbmmm: basford.UNOFFICIAL FOUND
sample/zzbczqxyzfghiacxyzaaaaxyzbbbbbbmmm987987nnnnn9078: OK
sample/zzabczqxyzfghiabcxyzaaaaxyzbbbbbbmmm: basford.UNOFFICIAL FOUND
sample/bbbzzabczqxyzfghiabcxyzaaaaxyzbbbbbbmmm: basford.UNOFFICIAL FOUND
sample/zzabczqxyzfghiabcxyzaaaaxyzbbbbbbmmm987987nnnnn9078: OK
Looks good to me, hope this helps,
Steve
On Thu, Jun 11, 2015 at 11:00 AM, Steve Basford <steveb_clamav at sanesecurity.com> wrote:
>
> On Thu, June 11, 2015 3:51 pm, Steven Morgan wrote:
> >
> > We've borrowed the yacc/lex code from yara project.
>
> Hi,
>
> Does that mean ClamAV will support this condition in the current beta:
>
> $match1 and not ($ignore1 or $ignore2)
>
> I'll wait to test once the Windows binary beta arrives... or find a bit
> of time to fire up a Linux VM.
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
>
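Added illustration (not code from this thread, from ClamAV or from YARA): a small Python evaluator for the boolean part of a YARA condition, run over the sample contents from the clamscan output above so the FOUND/OK verdicts can be reproduced offline. It assumes each $string is a plain substring match, which is all this rule uses.

```python
import re
# Transcribed from the "basford" rule in the message above.
STRINGS = {"$match1": b"bbb", "$ignore1": b"nnnnn", "$ignore2": b"zbcz"}
CONDITION = "$match1 and not ($ignore1 or $ignore2)"
# Sample file contents from the clamscan run above (file name == content).
SAMPLES = [b"zzabczqxyzfghiabcxyzaaaaxyzbbbbbb",
           b"bbbzzabczqxyzfghiabcxyzaaaaxyzbbbbbbmmm~",
           b"bbbzzabczqxyzfghiabcxyzaaaaxyzbbb1bbbmmm",
           b"zzbczqxyzfghiacxyzaaaaxyzbbbbbbmmm987987nnnnn9078",
           b"zzabczqxyzfghiabcxyzaaaaxyzbbbbbbmmm",
           b"bbbzzabczqxyzfghiabcxyzaaaaxyzbbbbbbmmm",
           b"zzabczqxyzfghiabcxyzaaaaxyzbbbbbbmmm987987nnnnn9078"]

def evaluate(condition, hits):
    """Recursive-descent evaluator for a YARA-style boolean condition over
    per-string hit flags. Precedence is not > and > or, as in YARA."""
    toks = re.findall(r"\$\w+|and|or|not|\(|\)|\S", condition)  # \S catches junk
    peek = lambda: toks[0] if toks else None
    def factor():                        # not x | ( expr ) | $ident
        tok = toks.pop(0) if toks else None
        if tok == "not":
            return not factor()
        if tok == "(":
            v = or_expr()
            if peek() != ")":
                raise ValueError("expected ')'")
            toks.pop(0)
            return v
        if tok is None or not tok.startswith("$"):
            raise ValueError("unexpected token %r" % tok)
        return hits[tok]
    def and_expr():                      # a and b
        v = factor()
        while peek() == "and":
            toks.pop(0); rhs = factor(); v = v and rhs
        return v
    def or_expr():                       # a or b
        v = and_expr()
        while peek() == "or":
            toks.pop(0); rhs = and_expr(); v = v or rhs
        return v
    result = or_expr()
    if toks:
        raise ValueError("trailing tokens: %r" % toks)
    return result

def matches(data, strings=STRINGS, condition=CONDITION):
    """True when the rule fires on these bytes (what clamscan prints as FOUND)."""
    return evaluate(condition, {name: pat in data for name, pat in strings.items()})

def verdicts(samples=SAMPLES):            # sample -> "FOUND" / "OK", as clamscan printed
    return {s.decode(): "FOUND" if matches(s) else "OK" for s in samples}
```

This models only plain strings and the and/or/not operators; YARA itself (and ClamAV's partial YARA support) also has string counts, offsets, hex and regex strings, so use it to sanity-check the boolean logic of a rule, not as a stand-in for clamscan.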