[clamav-users] YARA: filesize condition
Paul Kosinski
clamav-users at iment.com
Thu Jun 30 18:27:40 UTC 2016
On Thu, 30 Jun 2016 11:26:07 -0400
Steven Morgan <smorgan at sourcefire.com> wrote:
> On Thu, Jun 30, 2016 at 10:06 AM, Axb <axb.lists at gmail.com> wrote:
>
> >
> > When trying to use filesize condition in a Yara sig
> >
> > rule FileSize_200KB
> > {
> > condition:
> > filesize < 200KB
> > }
> >
> >
> Hi,
>
> That is correct. ClamAV uses matching of yara strings to drive the
> yara condition. filesize will work in a yara condition in ClamAV, but
> only when there is a string match. I'd suppose something like this
> should work:
>
> rule Filesize_200KB
> {
> strings:
> $abc = "abc"
>
> condition:
> ($abc and not $abc) and filesize < 200KB
> }
>
>
> Steve
>
Shouldn't exactly one 'and' be an 'or' in:
"($abc and not $abc) and filesize < 200KB"
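
The boolean logic discussed in this thread, as an added example that is not part of the original messages or of ClamAV's code: a simplified Python model that compares the three condition variants when the condition is evaluated unconditionally and when it is only evaluated after one of the rule's strings has matched. The gating rule is an assumption taken from the description quoted above; the function name, rule labels and sample buffers are constructed for illustration.

```python
# Simplified model for illustration only; this is not ClamAV or YARA code.
LIMIT = 200 * 1024  # 200KB as written in the rules in this thread

# label -> (rule has a strings section, condition(abc_matched, filesize))
RULES = {
    "filesize_only": (False, lambda abc, size: size < LIMIT),
    "and_not": (True, lambda abc, size: (abc and not abc) and size < LIMIT),
    "or_not": (True, lambda abc, size: (abc or not abc) and size < LIMIT),
}

# Constructed sample buffers.
SAMPLES = {
    "small_with_abc": b"xxabcxx",
    "small_without_abc": b"x" * 100,
    "large_with_abc": b"abc" + b"x" * LIMIT,
}


def evaluate(rule, data, string_driven):
    """Return True if the modelled rule fires on data.

    string_driven=True models the assumption that the condition is only
    evaluated once one of the rule's strings has matched; False models
    evaluating the condition on every file.
    """
    has_strings, condition = RULES[rule]
    abc = has_strings and b"abc" in data
    if string_driven and not abc:
        return False  # no string hit, so the condition is never evaluated
    return bool(condition(abc, len(data)))


def matrix(string_driven):
    """Evaluate every rule against every sample in the given mode."""
    return {
        (rule, name): evaluate(rule, data, string_driven)
        for rule in RULES
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("string-driven" if mode else "unconditional")
        for (rule, name), fired in matrix(mode).items():
            print(f"  {rule:14} {name:18} {fired}")
```

In this model the `and_not` variant never fires in either mode because `$abc and not $abc` is a contradiction, while the `or_not` variant under string-driven evaluation fires only on small files that also contain the string.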