[clamav-users] YARA: filesize condition
Steven Morgan
smorgan at sourcefire.com
Thu Jun 30 15:26:07 UTC 2016
On Thu, Jun 30, 2016 at 10:06 AM, Axb <axb.lists at gmail.com> wrote:
>
> When trying to use filesize condition in a Yara sig
>
> rule FileSize_200KB
> {
>     condition:
>         filesize < 200KB
> }
>
>
Hi,
That is correct. ClamAV uses matching of yara strings to drive the yara
condition. filesize will work in a yara condition in ClamAV, but only when
there is a string match. I'd suppose something like this should work:

    rule Filesize_200KB
    {
        strings:
            $abc = "abc"
        condition:
            ($abc and not $abc) and filesize < 200KB
    }

Steve