[Community-sigs] ClamAV YARA parsing
Thiago Alves
thiagoralves at gmail.com
Thu Feb 25 15:24:38 UTC 2021
Hi Micah, thank you for your prompt response! I didn't realize that the
ranges [ ] would break the strings into sub-strings. Now it is clearer.
The solution your colleague proposed worked for me, so thanks again!
I might create a Python parser that "clamifies" YARA rules so that they are
compliant with the two-integral-byte sequence rule on sub-strings. This will
make it easier to import YARA rules into ClamAV. If I end up doing that I'll
share the script with the community.
Thanks,
Thiago Alves
On Wed, Feb 24, 2021 at 5:13 PM Micah Snyder (micasnyd) <micasnyd at cisco.com>
wrote:
> Hi Thiago,
>
> I ran this by one of my teammates more versed in signature creation and he
> immediately spotted the issue. Unlike YARA, ClamAV signatures have a
> restriction that subpatterns in a signature pattern must be at least 2
> bytes long. In ClamAV, signature patterns are split into subpatterns with
> the ranges like the "[1-4]" and "[0-3]" in your example.
>
> My teammate wrote:
>
> > We run into 'Can't find a static subpattern of length 2' when writing
> > regular ClamAV sigs more often than we'd like, and my understanding is that
> > it has to do with how Clam breaks up subsigs when the wildcard groups are
> > used... I think it splits the subsig into smaller subsigs, and if there
> > isn't at least a full two byte sequence on either side of the split subsig
> > the sig will fail to load. A quick fix in this case is to just remove the
> > first wildcard capture group in $b, for example:
> >
> > rule TEST
> > {
> >     meta:
> >         description = "Evaluate ClamAV YARA parsing"
> >     strings:
> >         $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >         $b1 = { 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >         $b2 = { 8a ?4 c1 ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >         $b3 = { 8a ?4 c1 ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >         $b4 = { 8a ?4 c1 ?? ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >     condition:
> >         filesize < 4MB and any of them
> > }
>
> I hope this helps.
>
> Best regards,
> Micah
>
>
> > -----Original Message-----
> > From: Community-sigs <community-sigs-bounces at lists.clamav.net> On
> > Behalf Of Thiago Alves
> > Sent: Wednesday, February 24, 2021 8:33 AM
> > To: community-sigs at lists.clamav.net
> > Subject: [Community-sigs] ClamAV YARA parsing
> >
> > Hi all,
> >
> > I'm trying to evaluate ClamAV's ability to parse YARA rules correctly.
> > I've read the limitations on
> > https://www.clamav.net/documents/using-yara-rules-in-clamav but still I'm
> > having a hard time understanding why the following rule is not being
> > accepted:
> >
> > rule TEST
> > {
> >     meta:
> >         description = "Evaluate ClamAV YARA parsing"
> >     strings:
> >         $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >         $b = { 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >     condition:
> >         filesize < 4MB and ($a or $b)
> > }
> >
> > For the rule above, string $a was accepted, while $b was not. This is
> > the error I'm getting on clamscan:
> >
> > LibClamAV Error: cli_ac_addsig: Can't find a static subpattern of length 2
> > LibClamAV Error: cli_parse_add(): Problem adding signature (1).
> > LibClamAV Error: cli_parseadd(): Problem adding signature (1b).
> > LibClamAV Warning: load_oneyara[verify]: recovered from database loading error
> > LibClamAV Warning: load_oneyara[verify]: string failed test insertion: $b
> > LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.TEST
> >
> > Is this a bug or a limitation? I've tested this rule with other YARA
> > parsing scanners with success, but I would rather use ClamAV due to its
> > superior engine.
> >
> >
> > Thanks,
> >
> > Thiago Alves
> > _______________________________________________
> >
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
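The splitting rule Micah's teammate describes (ClamAV cuts a hex string into subpatterns at every `[n-m]` jump, and each piece needs a run of at least two bytes with no `?` nibble wildcards) and the "clamifying" script Thiago proposes, as an added example that is neither ClamAV's code nor anything posted in the thread. It assumes the rule exactly as the thread states it (the `MIN_STATIC = 2` constant is taken from the `cli_ac_addsig` error message, not from ClamAV's source), and it only understands plain hex bytes, nibble wildcards and bounded `[n-m]` jumps; the sample strings are the thread's `$a` and `$b`. For a string that fails, it expands the jump next to the failing subpattern into one explicit `??` run per length, which reproduces the `$b1`..`$b4` rewrite above and generalises it to strings that need more than one jump expanded.

```python
"""Check YARA hex strings against ClamAV's "static subpattern of length 2"
rule and rewrite ("clamify") the ones that fail.

Added example, not ClamAV code. Models the rule as described on the list:
ClamAV splits a hex string into subpatterns at each [n-m] jump, and every
subpattern must contain MIN_STATIC consecutive bytes with no ? wildcards.
Only bytes, nibble wildcards (?4, 4?, ??) and bounded [n-m] jumps are
supported; anything else (alternation, [n-], ~) raises ValueError.
"""
import re

MIN_STATIC = 2  # assumption: the "length 2" in cli_ac_addsig's error message

TOKEN_RE = re.compile(r"\[(\d+)-(\d+)\]|[0-9a-fA-F?]{2}")


def tokenize(hex_body):
    """'8a ?4 c1 [1-4] fe' -> [('byte','8a'), ('byte','?4'), ('byte','c1'), ('jump',1,4), ('byte','fe')]."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(hex_body):
        gap = hex_body[pos:m.start()].strip()
        if gap:  # something between tokens that is not whitespace
            raise ValueError("unsupported syntax: %r" % gap)
        pos = m.end()
        if m.group(1) is not None:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError("bad jump range [%d-%d]" % (lo, hi))
            tokens.append(("jump", lo, hi))
        else:
            tokens.append(("byte", m.group(0).lower()))
    if hex_body[pos:].strip():
        raise ValueError("unsupported syntax: %r" % hex_body[pos:].strip())
    return tokens


def render(tokens):
    return " ".join(t[1] if t[0] == "byte" else "[%d-%d]" % (t[1], t[2]) for t in tokens)


def split_subpatterns(tokens):
    """One list of byte tokens per stretch between jumps (ClamAV-style split)."""
    subs, cur = [], []
    for t in tokens:
        if t[0] == "jump":
            subs.append(cur)
            cur = []
        else:
            cur.append(t[1])
    subs.append(cur)
    return subs


def longest_static_run(sub):
    """Longest run of consecutive bytes without a ? nibble."""
    best = run = 0
    for b in sub:
        run = 0 if "?" in b else run + 1
        best = max(best, run)
    return best


def failing_subpatterns(hex_body):
    """Indices of subpatterns that ClamAV would reject under the modelled rule."""
    subs = split_subpatterns(tokenize(hex_body))
    return [i for i, s in enumerate(subs) if longest_static_run(s) < MIN_STATIC]


def clamify(hex_body, max_variants=64):
    """Return equivalent hex strings that all pass the check.

    The jump next to the first failing subpattern is replaced by each of its
    explicit lengths (k times '??'), which merges that subpattern with its
    neighbour; this repeats until every variant passes or no jump is left.
    """
    out = []

    def expand(toks):
        subs = split_subpatterns(toks)
        bad = [i for i, s in enumerate(subs) if longest_static_run(s) < MIN_STATIC]
        if not bad:
            out.append(render(toks))
            return
        jumps = [i for i, t in enumerate(toks) if t[0] == "jump"]
        if not jumps:
            raise ValueError("no %d-byte static run and no jump left to expand: %s"
                             % (MIN_STATIC, render(toks)))
        i = bad[0]
        j = jumps[i] if i < len(jumps) else jumps[i - 1]  # jump after sub i, or before the last sub
        _, lo, hi = toks[j]
        for k in range(lo, hi + 1):
            if len(out) >= max_variants:
                raise ValueError("more than %d variants; add static bytes instead" % max_variants)
            expand(toks[:j] + [("byte", "??")] * k + toks[j + 1:])

    expand(tokenize(hex_body))
    return out


def clamify_strings(strings):
    """{'$b': body} -> {'$b1': v1, '$b2': v2, ...}; strings that already pass keep their name."""
    result = {}
    for name, body in strings.items():
        variants = clamify(body)
        if len(variants) == 1:
            result[name] = variants[0]
        else:
            for n, v in enumerate(variants, 1):
                result["%s%d" % (name, n)] = v
    return result


if __name__ == "__main__":
    # The two strings from the thread's TEST rule: $a loads, $b does not.
    strings = {
        "$a": "8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ??",
        "$b": "8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ??",
    }
    print("rule TEST\n{\n    strings:")
    for name, body in clamify_strings(strings).items():
        print("        %s = { %s }" % (name, body))
    print("    condition:\n        filesize < 4MB and any of them\n}")
```

Run stand-alone it prints a rule with `$a` unchanged and `$b1`..`$b4` matching the fix quoted above. The variant count is the product of the expanded jump widths, so `max_variants` stops the script from silently turning one string into hundreds; when it trips, the better fix is the one a signature author would make by hand, namely adding static bytes to the short subpattern rather than enumerating the jump.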