[clamav-users] Limitation or bug in ClamAV's processing of Yara rules?
Kris Deugau
kdeugau at vianet.ca
Fri Mar 16 13:50:09 UTC 2018
Mark Fortescue wrote:
> Hi
>
> I know nothing about YARA but you could try escaping the hash in case it
> is being treated as a comment line.
>
> e.g \#a > 1
The comment metasymbol for Yara rules is "//", but I tried this anyway
as a long shot:
$ clamscan -d foo.yar
LibClamAV Error: yyerror(): foo.yar line 3 syntax error, unexpected '\\'
LibClamAV Error: cli_loadyara: failed to parse rules file foo.yar, error count 1
pretty much as expected.
The rule is syntactically correct, otherwise Clam would throw a fit.
The ClamAV signature-writing guide makes no mention of this Yara feature
being disabled, limited, or otherwise not implemented to match the Yara
docs from http://yara.readthedocs.io/en/v3.5.0/; it *does* mention some
other specific limits so I would assume this should be working.
I don't think this is related to Clam's requirement for two-byte fixed
references in patterns in all other pattern-matching signature types,
since I have another Yara rule for a series of obfuscated JavaScript
that uses a similar type of regex pattern.
-kgd
>
> Regards
> Mark.
>
> On 14/03/18 20:47, Kris Deugau wrote:
>> I'm still chasing signatures for a certain class of (very) oversized
>> spam with malformed HTML. I've found an issue that is either an
>> implementation limit or a bug in ClamAV's handling of Yara rules.
>>
>> I've narrowed it down to an issue with the "#" condition variant.
>>
>> For a rule like so:
>>
>> rule badstyle {
>>     strings:
>>         $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
>>     condition:
>>         #a > 1
>> }
>>
>> and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag
>> the message. (Note, this isn't what I'd use as a live signature!)
>>
>> If I change the condition to "$a" instead, it flags the message, so the
>> expression for $a is valid and correct.
>>
>> Since this particular series of spams will require "#a > 100" (or higher
>> counts) for safety, and none of the other signature types lend
>> themselves very well to this particular type of pattern matching, I'm
>> unable to use just a few signatures as above. Instead I've been using a
>> crude workaround of setting up closing-on-hundreds of very similar
>> logical signatures, or an extended list of 3-6 hex-coded character
>> sequences in a single logical signature.
>>
>> -kgd
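To see what the `#a` count in the quoted rule should evaluate to on a given message, independently of ClamAV, here is an added Python example (not code from the thread or from ClamAV). It applies the rule's regex with Python's re module to a constructed sample; whether `#a` counts overlapping or only non-overlapping hits is not stated in the thread, so the script reports both and that distinction is an assumption.

```python
import re

# The regex from the rule quoted in this thread: a run of exactly ten
# characters from the punctuation class. A bytes pattern, since mail bodies
# are scanned as raw bytes.
BADSTYLE_RE = re.compile(rb"[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}")

# The same pattern inside a lookahead, so that every start offset is tried
# and overlapping occurrences are counted too.
BADSTYLE_OVERLAP_RE = re.compile(rb"(?=(" + BADSTYLE_RE.pattern + rb"))")


def count_matches(data: bytes, overlapping: bool = False) -> int:
    """Return how often the pattern occurs in data (the value `#a` should take).

    Assumption, not stated in the thread: overlapping=False counts
    non-overlapping hits as re.findall does; overlapping=True counts every
    start offset. Report both if unsure which semantics the engine applies.
    """
    regex = BADSTYLE_OVERLAP_RE if overlapping else BADSTYLE_RE
    return len(regex.findall(data))


def condition_holds(data: bytes, threshold: int, overlapping: bool = False) -> bool:
    """Evaluate the rule's condition `#a > threshold` against data."""
    return count_matches(data, overlapping) > threshold


# Constructed sample message (not the pastebin from the thread): two runs of
# punctuation, one of exactly 10 characters and one of 14 characters.
SAMPLE = (
    b"Subject: special offer\n"
    b"\n"
    b"Hello ~!@#$%^&*( friend,\n"
    b"click @#$%^&*()_+{}| now\n"
    b"regards\n"
)

if __name__ == "__main__":
    for overlapping in (False, True):
        n = count_matches(SAMPLE, overlapping)
        print(f"overlapping={overlapping}: #a = {n}, "
              f"'#a > 1' -> {n > 1}, '#a > 100' -> {n > 100}")
```

Run the same function over a real sample that ClamAV fails to flag: if the count exceeds the threshold here but the rule does not fire in clamscan, the rule logic is sound and the gap is in the engine.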