[clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

Axb axb.lists at gmail.com
Thu Aug 11 13:32:49 EDT 2016


In that post author states:

"I created some YARA rules that use the external variable „filename“ to 
work. LOKI and THOR use the „filename“ and other external variables by 
default."

hmm... now how the heck do we get that to happen with ClamAV? :)

.. talking to myself...


On 08/11/2016 07:29 PM, Axb wrote:
> Found it!
>
> https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/
>
>
> see "rule Suspicious_Size_chrome_exe" and others...
>
> Assumed it was a "legal" keyword.
>
>
> On 08/11/2016 07:26 PM, Axb wrote:
>> I picked the filename condition from a sample rule on a web site with a
>> number of yara rules.
>> Too bad I didn't bookmark it...
>>
>> Will try to find it again.
>>
>>
>> On 08/11/2016 05:08 PM, Steven Morgan wrote:
>>> filename does not appear as a yara keyword:
>>>
>>> http://yara.readthedocs.io/en/latest/writingrules.html
>>>
>>> Is it a new keyword not yet in a released version of yara? Did you mean
>>> filesize?
>>>
>>> On Thu, Aug 11, 2016 at 5:21 AM, Axb <axb.lists at gmail.com> wrote:
>>>
>>>> Guys,
>>>>
>>>> clamscan --database=test.yar blah.html
>>>> LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
>>>> "filename"
>>>> LibClamAV Error: cli_loadyara: failed to parse rules file test.yar,
>>>> error
>>>> count 1
>>>> test.yar: OK
>>>> blah.html: OK
>>>>
>>>> test.yar
>>>> rule TEST_BLAH_FILENAME
>>>> {
>>>>     strings:
>>>>         $BLAH = "blah"
>>>>     condition:
>>>>         $BLAH and filename == "blah.html"
>>>> }
>>>>
>>>> Am I missing something? or is filename unsupported by ClamAV's YARA
>>>> engine?
>>>>
>>>> Thanks!
>>>> Axb
>>>> _______________________________________________
>>>> Help us build a comprehensive ClamAV guide:
>>>> https://github.com/vrtadmin/clamav-faq
>>>>
>>>> http://www.clamav.net/contact.html#ml
>>>>
>>
>
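
Added example, not part of the thread and not ClamAV or LOKI code: a pre-load check that lists rules whose condition references scanner-supplied external variables such as `filename`, the identifier clamscan rejects as undefined in the output quoted above. The function name and every identifier in the set other than `filename` are assumptions.

```python
import re

# Assumption: names a scanner may define as YARA externals; only "filename" is from the thread.
EXTERNALS = {"filename", "filepath", "extension", "filetype"}

RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)")
LITERAL_RE = re.compile(r'"(?:\\.|[^"\\])*"')          # quoted text strings
COMMENT_RE = re.compile(r"//.*$")                      # single-line comments
IDENT_RE = re.compile(r"(?<![\w$#@!.])([A-Za-z_]\w*)")  # bare identifiers only

def find_external_use(text, externals=EXTERNALS):
    """Return (rule, line_no, identifier) per external used in a condition (line heuristic)."""
    hits, rule, in_condition = [], None, False
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m:
            rule, in_condition = m.group(1), False
        # Blank out string literals and // comments so their text is ignored.
        code = COMMENT_RE.sub("", LITERAL_RE.sub('""', line))
        if re.match(r"\s*condition\s*:", code):
            in_condition, code = True, code.split(":", 1)[1]
        elif re.match(r"\s*(strings|meta)\s*:", code):
            in_condition = False
        if in_condition:
            hits += [(rule, no, i) for i in IDENT_RE.findall(code) if i in externals]
        if "}" in code:
            in_condition = False
    return hits

# Constructed sample: the thread's rule plus one that only has "filename" inside a string.
SAMPLE = '''\
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}
rule CONSTRUCTED_STRING_ONLY {
    strings:
        $a = "filename"
    condition:
        $a and filesize < 100KB
}
'''

if __name__ == "__main__":
    for rule, no, ident in find_external_use(SAMPLE):
        print(f"line {no}: rule {rule} needs external variable {ident!r}")
```

Block comments and multi-line constructs are not parsed, so treat a clean result as a hint rather than a guarantee that the file will load.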
