[clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

Axb axb.lists at gmail.com
Thu Aug 11 13:29:13 EDT 2016


Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/

see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.


On 08/11/2016 07:26 PM, Axb wrote:
> I picked the filename condition from a sample rule on a web site with a
> number of yara rules.
> Too bad I didn't bookmark it...
>
> Will try to find it again.
>
>
> On 08/11/2016 05:08 PM, Steven Morgan wrote:
>> filename does not appear as a yara keyword:
>>
>> http://yara.readthedocs.io/en/latest/writingrules.html
>>
>> Is it a new keyword not yet in a released version of yara? Did you mean
>> filesize?
>>
>> On Thu, Aug 11, 2016 at 5:21 AM, Axb <axb.lists at gmail.com> wrote:
>>
>>> Guys,
>>>
>>> clamscan --database=test.yar blah.html
>>> LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
>>> "filename"
>>> LibClamAV Error: cli_loadyara: failed to parse rules file test.yar,
>>> error
>>> count 1
>>> test.yar: OK
>>> blah.html: OK
>>>
>>> test.yar
>>> rule TEST_BLAH_FILENAME
>>> {
>>>     strings:
>>>         $BLAH = "blah"
>>>          condition:
>>>          $BLAH and filename == "blah.html"
>>> }
>>>
>>> Am I missing something? or is filename unsupported by ClamAV's YARA
>>> engine?
>>>
>>> Thanks!
>>> Axb
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>
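An added example, not part of the original thread or of ClamAV: a pre-flight check that reports rules whose condition uses `filename` as a bare identifier, giving the same line number as the `yyerror()` message above, so such rules can be edited or left out before the database is loaded. The function name, the identifier names other than `filename`, and the second sample rule are assumptions made for illustration.

```python
import re

# Assumption: identifiers some third-party rule sets expect the scanner to
# define as external variables. Only "filename" comes from this thread.
EXTERNAL_NAMES = ("filename", "filepath", "extension", "filetype")
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+(\w+)')
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')

# Rule 1 is test.yar as posted in the thread; rule 2 is constructed.
SAMPLE = '''\
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
         condition:
         $BLAH and filename == "blah.html"
}

rule CONSTRUCTED_OK
{
    strings:
        $filename = "filename"
    condition:
        $filename and filesize < 100KB // filename only as a string id
}
'''

def find_external_refs(rule_text, names=EXTERNAL_NAMES):
    """Return (rule, line_number, identifier) for every bare use of one of
    `names` inside a condition section. Block comments are not handled."""
    ident_re = re.compile(r'(?<![$#@!.\w])(?:%s)\b' % '|'.join(names))
    hits, rule, in_condition = [], None, False
    for lineno, raw in enumerate(rule_text.splitlines(), 1):
        # Blank out string literals, then cut // comments.
        line = STRING_RE.sub('""', raw).split('//', 1)[0]
        match = RULE_RE.match(line)
        if match:
            rule, in_condition = match.group(1), False
        if not in_condition:
            _, sep, line = line.partition('condition:')
            if not sep:
                continue
            in_condition = True
        body, brace, _ = line.partition('}')
        hits += [(rule, lineno, name) for name in ident_re.findall(body)]
        if brace:  # closing brace ends the rule
            in_condition = False
    return hits

if __name__ == "__main__":
    for rule, lineno, name in find_external_refs(SAMPLE):
        print(f"line {lineno}: rule {rule} uses undefined identifier {name!r}")
```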



