[clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

Steve basford steveb_clamav at sanesecurity.com
Thu Aug 11 13:58:22 EDT 2016


This was on the blog....

YARA rules using any of the following features will be flagged in error, 
and the respective rules will be disabled:

Single byte YARA string components – currently in the ClamAV matcher, all 
strings, as well as components of strings delimited by wild cards, must be 
at least two bytes in length

External variables – variables referenced in YARA conditions whose value 
may be set using the ‘yara -d’ command line option.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



On 11 August 2016 18:33:49 Axb <axb.lists at gmail.com> wrote:

> In that post author states:
>
> "I created some YARA rules that use the external variable „filename“ to
> work. LOKI and THOR use the „filename“ and other external variables by
> default."
>
> hmm... now how the heck do we get that to happen with ClamAV? :)
>
> .. talking to myself...
>
>
> On 08/11/2016 07:29 PM, Axb wrote:
>> Found it!
>>
>> https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/
>>
>>
>> see "rule Suspicious_Size_chrome_exe" and others...
>>
>> Assumed it was a "legal" keyword.
>>
>>
>> On 08/11/2016 07:26 PM, Axb wrote:
>>> I picked the filename condition from a sample rule on a web site with a
>>> number of yara rules.
>>> Too bad I didn't bookmark it...
>>>
>>> Will try to find it again.
>>>
>>>
>>> On 08/11/2016 05:08 PM, Steven Morgan wrote:
>>>> filename does not appear as a yara keyword:
>>>>
>>>> http://yara.readthedocs.io/en/latest/writingrules.html
>>>>
>>>> Is it a new keyword not yet in a released version of yara? Did you mean
>>>> filesize?
>>>>
>>>> On Thu, Aug 11, 2016 at 5:21 AM, Axb <axb.lists at gmail.com> wrote:
>>>>
>>>>> Guys,
>>>>>
>>>>> clamscan --database=test.yar blah.html
>>>>> LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
>>>>> LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
>>>>> test.yar: OK
>>>>> blah.html: OK
>>>>>
>>>>> test.yar
>>>>> rule TEST_BLAH_FILENAME
>>>>> {
>>>>>     strings:
>>>>>         $BLAH = "blah"
>>>>>     condition:
>>>>>         $BLAH and filename == "blah.html"
>>>>> }
>>>>>
>>>>> Am I missing something? or is filename unsupported by ClamAV's YARA
>>>>> engine?
>>>>>
>>>>> Thanks!
>>>>> Axb
>>>>> _______________________________________________
>>>>> Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>
>>>>> http://www.clamav.net/contact.html#ml
>>>>>

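An added example, not part of the original thread and not ClamAV code: a heuristic pre-flight check for the two limitations quoted at the top of this message (external variables and single-byte string components), run over the rule from the thread plus one constructed hex-string rule. The function names, the keyword list and the treatment of jumps and alternations as wildcards are assumptions.

```python
import re

# Names YARA defines in conditions; any other bare identifier is a rule
# reference, an imported module, a loop variable or an external variable.
KEYWORDS = set("""all and any at contains defined endswith entrypoint false
filesize for in matches none not of or startswith them true icontains iequals
iendswith istartswith int8 int16 int32 uint8 uint16 uint32 int8be int16be
int32be uint8be uint16be uint32be""".split())
STR = r'"(?:\\.|[^"\\])*"'            # double-quoted string literal
REGEX = r"(?<=matches)\s*/(?:\\.|[^/\\\n])+/\w*"  # regex after 'matches'

def short_hex_component(body):
    # Assumption: ?? and nibble wildcards, [n-m] jumps and alternations all
    # delimit components; a run of exactly one full byte is too short.
    s = re.sub(r"\s+", "", re.sub(r"\[[^\]]*\]|[()|]", "??", body))
    marks = "".join("w" if "?" in p else "b" for p in re.findall("..", s))
    return "b" in marks.split("w")

def lint_for_clamav(text):
    """Heuristic: {rule: [reasons ClamAV would likely disable it]}."""
    # Drop comments, keeping string literals such as "http://..." intact.
    text = re.sub(STR + r"|/\*.*?\*/|//[^\n]*", lambda m:
                  m.group(0) if m.group(0)[0] == '"' else " ", text, flags=re.S)
    modules = set(re.findall(r'\bimport\s+"(\w+)"', text))
    parts = re.split(r"(?m)^\s*(?:(?:private|global)\s+)*rule\s+(\w+)", text)
    names, findings = set(parts[1::2]), {}
    for name, body in zip(parts[1::2], parts[2::2]):
        head, _, cond = body.rpartition("condition:")
        cond = re.sub(STR + "|" + REGEX, " ", cond[:cond.rfind("}")])
        loop_vars = set(re.findall(r"\bfor\s+\S+\s+(\w+)\s+in\b", cond))
        idents = set(re.findall(r"(?<![\w$#@!.])[A-Za-z_]\w*", cond))
        issues = [f"external variable '{i}'" for i in
                  sorted(idents - KEYWORDS - modules - names - loop_vars)]
        for sid, val in re.findall(r"(\$\w*)\s*=\s*(" + STR + r")", head):
            if len(re.sub(r"\\x[0-9a-fA-F]{2}|\\.", "X", val[1:-1])) < 2:
                issues.append(f"single-byte string {sid}")
        for sid, val in re.findall(r"(\$\w*)\s*=\s*\{([^}]*)\}", head):
            if short_hex_component(val):
                issues.append(f"single-byte hex component in {sid}")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample: the rule from this thread plus one short hex component.
SAMPLE = '''rule TEST_BLAH_FILENAME { strings: $BLAH = "blah"
  condition: $BLAH and filename == "blah.html" }
rule SHORT_HEX { strings: $h = { 4D 5A ?? 90 }
  condition: $h and filesize < 100KB }'''
print(lint_for_clamav(SAMPLE))
```

Running a rule set through a check like this before adding it to the ClamAV database directory shows which rules would be dropped at load time, rather than finding out from a missed detection.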