[Community-sigs] ClamAV YARA parsing
Micah Snyder (micasnyd)
micasnyd at cisco.com
Wed Feb 24 22:13:20 UTC 2021
Hi Thiago,
I ran this by one of my teammates more versed in signature creation and he immediately spotted the issue. Unlike YARA, ClamAV signatures have a restriction that subpatterns in a signature pattern must be at least 2 bytes long. In ClamAV, signature patterns are split into subpatterns with the ranges like the "[1-4]" and "[0-3]" in your example.
My teammate wrote:
> We run into 'Can't find a static subpattern of length 2' when writing regular ClamAV sigs more often than we'd like, and my understanding is that it has to do with how Clam breaks up subsigs when the wildcard groups are used... I think it splits the subsig into smaller subsigs, and if there isn't at least a full two byte sequence on either side of the split subsig the sig will fail to load. A quick fix in this case is to just remove the first wildcard capture group in $b, for example:
>
> rule TEST
> {
> meta:
> description = "Evaluate ClamAV YARA parsing"
> strings:
> $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> $b1 = { 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> $b2 = { 8a ?4 c1 ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> $b3 = { 8a ?4 c1 ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> $b4 = { 8a ?4 c1 ?? ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> condition:
> filesize < 4MB and any of them
> }
I hope this helps.
Best regards,
Micah
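To make the "static subpattern of length 2" rule concrete, here is a small added checker (example code, not part of this thread and not ClamAV's own loader logic). It splits a YARA hex string on jump ranges such as [1-4] the way the reply above describes, and then requires every resulting piece to contain at least two consecutive fully-specified bytes. Treating nibble wildcards like ?4 as non-static is an assumption drawn from the explanation above; alternations like (aa|bb) are not handled. The three strings it checks are copied from the messages in this thread.

```python
import re
from typing import Dict, List, Tuple

# Hex strings taken from the thread: $a loads in ClamAV, $b does not,
# and $b1 is the teammate's suggested rewrite of $b.
RULE_STRINGS: Dict[str, str] = {
    "$a":  "8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ??",
    "$b":  "8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ??",
    "$b1": "8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ??",
}

# A YARA jump range: [n-m]. ClamAV splits the pattern into subpatterns here.
JUMP_RE = re.compile(r"\[\s*\d+\s*-\s*\d+\s*\]")
# One hex-string token: two hex digits, possibly with '?' nibble wildcards.
TOKEN_RE = re.compile(r"[0-9a-fA-F?]{2}")


def split_on_jumps(hexstr: str) -> List[str]:
    """Return the pieces of a YARA hex string between jump ranges."""
    return [piece.strip() for piece in JUMP_RE.split(hexstr)]


def longest_static_run(piece: str) -> int:
    """Longest run of consecutive fully-specified bytes in one piece.

    Assumption (from the thread's explanation, not verified against the
    ClamAV source): any byte containing a '?' nibble breaks the static run.
    """
    best = current = 0
    for token in piece.split():
        if TOKEN_RE.fullmatch(token) and "?" not in token:
            current += 1
            best = max(best, current)
        else:
            current = 0
    return best


def check_hex_string(hexstr: str, min_static: int = 2) -> Tuple[bool, List[str]]:
    """Report every subpattern that lacks a static run of min_static bytes."""
    problems: List[str] = []
    for index, piece in enumerate(split_on_jumps(hexstr)):
        run = longest_static_run(piece)
        if run < min_static:
            problems.append(
                f"subpattern {index} '{piece}': longest static run is {run} byte(s), "
                f"need {min_static}"
            )
    return (not problems, problems)


def check_all(strings: Dict[str, str]) -> Dict[str, bool]:
    """Map each string name to whether it passes the subpattern check."""
    return {name: check_hex_string(hexstr)[0] for name, hexstr in strings.items()}


if __name__ == "__main__":
    for name, hexstr in RULE_STRINGS.items():
        ok, problems = check_hex_string(hexstr)
        print(f"{name}: {'ok' if ok else 'would fail to load'}")
        for problem in problems:
            print("   ", problem)
```

Running it reports $a and $b1 as fine and flags the leading piece of $b, "8a ?4 c1", whose longest static run is a single byte; that is the piece ClamAV's cli_ac_addsig error in the original message points at. The same check can be run over a whole rule set before loading it into clamscan to find strings that need a rewrite like the one suggested above.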
> -----Original Message-----
> From: Community-sigs <community-sigs-bounces at lists.clamav.net> On
> Behalf Of Thiago Alves
> Sent: Wednesday, February 24, 2021 8:33 AM
> To: community-sigs at lists.clamav.net
> Subject: [Community-sigs] ClamAV YARA parsing
>
> Hi all,
>
> I'm trying to evaluate ClamAV's ability to parse YARA rules correctly. I've read
> the limitations on https://www.clamav.net/documents/using-yara-rules-in-clamav
> but still I'm having a hard time understanding why the following rule is
> not being accepted:
>
> rule TEST
> {
> meta:
> description = "Evaluate ClamAV YARA parsing"
> strings:
> $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> $b = { 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> condition:
> filesize < 4MB and ($a or $b)
> }
>
> For the rule above, string $a was accepted, while $b was not. This is the error
> I'm getting on clamscan:
>
> LibClamAV Error: cli_ac_addsig: Can't find a static subpattern of length 2
> LibClamAV Error: cli_parse_add(): Problem adding signature (1).
> LibClamAV Error: cli_parseadd(): Problem adding signature (1b).
> LibClamAV Warning: load_oneyara[verify]: recovered from database loading error
> LibClamAV Warning: load_oneyara[verify]: string failed test insertion: $b
> LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.TEST
>
> Is this a bug or a limitation? I've tested this rule with other YARA parsing scans
> with success, but I'd rather use ClamAV due to its superior engine.
>
>
> Thanks,
>
> Thiago Alves
> _______________________________________________
>
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml