[clamav-users] Strange problem with custom Yara rule
kionez
kionez at gmail.com
Wed Apr 13 15:11:37 UTC 2016
#include <Steven Morgan.h> // created 13/04/2016 16:37
> Hi,
>
> The first question is: Do you have pcre installed and was it found by
> ClamAV .\configure?
[cut]
Oops, I forgot to mention my system configuration... sorry.
I'm using it on my antispam server with Debian Jessie (with clamav
0.99+dfsg-0+deb8u2 and libpcre3 8.35-3.3+deb8u4) and also testing on my
laptop with Arch Linux (clamav 0.99.1-2 and pcre 8.38-3). I tried to
recompile clamav on my laptop and it found pcre in /usr, as expected.
I think that pcre works fine, because I can match patterns on the email's
content, but not in the email headers (i.e.: X-Mailer:, From:, etc.).
I'll try to explain with an example: on http://pastebin.com/gixrDAXq you
should find the 3 files used (a simple email and two custom rulesets).
using rules from Yara:
$ yara -s test_header.yara test.eml
Header_string test.eml
0x1f1:$match: pass
0x2a2:$match: pass
Header_Regex test.eml
0x1f1:$match: pass
0x2a2:$match: pass
$ yara -s test_body.yara test.eml
Body_string test.eml
0x440:$match: test mailing
Body_Regex test.eml
0x440:$match: test mailing
using rules from clamav:
$ clamscan --no-summary -d test_header.yara -z test.eml
test.eml: YARA.Header_string.UNOFFICIAL FOUND
$ clamscan --no-summary -d test_body.yara -z test.eml
test.eml: YARA.Body_string.UNOFFICIAL FOUND
test.eml: YARA.Body_Regex.UNOFFICIAL FOUND
I think that test_header.yara has to match the "pass" string in the header
part with that simple regex. I'm trying to debug it but my code
knowledge is limited; it seems that every time a regex is used the
header part is not parsed by clamav (even if I use a "string" rule together
with a "regex" rule, i.e.: $match_string and $match_regex).
k.
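As an added example (not the poster's pastebin files and not ClamAV's code), a small Python helper that classifies the offsets `yara -s` reports as header or body, using the blank line that ends the RFC 5322 header block, and flags the rules clamscan did not also report FOUND; the message and both tool outputs below are constructed to mirror the pattern in the post, and the output formats are assumed to be the ones shown above.

```python
import re
# Constructed message (not the poster's pastebin test.eml): "pass" only in headers, "test mailing" only in the body.
EML = (b"From: sender@example.test\r\n" b"X-Mailer: pass\r\n" b"Subject: pass\r\n"
       b"\r\n" b"test mailing\r\n")

# Constructed output in the shape of `yara -s <rules> test.eml` and `clamscan --no-summary -d <rules> -z test.eml`
# for EML, mirroring the post: every rule fires in yara, but Header_Regex is missing from clamscan.
YARA_OUT = """Header_string test.eml
0x25:$match: pass
0x34:$match: pass
Header_Regex test.eml
0x25:$match: pass
0x34:$match: pass
Body_Regex test.eml
0x3c:$match: test mailing
"""
CLAM_OUT = """test.eml: YARA.Header_string.UNOFFICIAL FOUND
test.eml: YARA.Body_Regex.UNOFFICIAL FOUND
"""

def header_end(raw):
    """First body offset: just past the blank line (CRLF CRLF or bare LF LF) closing the header block."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        i = raw.find(sep)
        if i != -1:
            return i + len(sep)
    return len(raw)  # no blank line: the whole file is header

def parse_yara(output):
    """Rule name -> list of match offsets, parsed from `yara -s` output."""
    hits, rule = {}, None
    for line in output.splitlines():
        m = re.match(r"^0x([0-9a-fA-F]+):\$\w+:", line)
        if m and rule is not None:
            hits[rule].append(int(m.group(1), 16))
        elif line.strip():  # a "RuleName file" line starts a new rule
            rule = line.split()[0]
            hits.setdefault(rule, [])
    return hits

def triage(raw, yara_out, clam_out):
    """Per rule yara matched: region(s) of its offsets ("header", "body", "body/header") and whether clamscan agreed."""
    boundary = header_end(raw)
    found = set(re.findall(r": YARA\.(\w+)\.UNOFFICIAL FOUND", clam_out))
    result = {}
    for rule, offsets in parse_yara(yara_out).items():
        regions = {"header" if off < boundary else "body" for off in offsets}
        result[rule] = ("/".join(sorted(regions)), rule in found)
    return result
```

Running `triage(EML, YARA_OUT, CLAM_OUT)` on the constructed data isolates the rule whose matches lie only in the header region and which clamscan missed, which is the case the post describes.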