[Community-sigs] ClamAV YARA parsing

Thiago Alves thiagoralves at gmail.com
Thu Feb 25 16:56:50 UTC 2021


One more question, the following string also had the same issue:
$a1 = { 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }
Is the ?? also breaking the string into sub-strings? That would be weird
because it accepted
$b1 = { 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
from the previous example just fine, and $b1 ends with ?? 75 ??.

On Thu, Feb 25, 2021 at 10:24 AM Thiago Alves <thiagoralves at gmail.com>
wrote:

> Hi Micah, thank you for your prompt response! I didn't realize that the
> ranges [ ] would break the strings into sub-strings. Now it is more
> clear. The solution your colleague proposed worked for me, so thanks again!
> I might create a python parser that "clamifies" YARA rules so that they are
> compliant with the 2 integral bytes sequence on sub-strings. This will make
> it easier to import YARA rules into clamav. If I end up doing that I'll
> share the script with the community.
>
> Thanks,
>
> Thiago Alves
>
> On Wed, Feb 24, 2021 at 5:13 PM Micah Snyder (micasnyd) <
> micasnyd at cisco.com> wrote:
>
>> Hi Thiago,
>>
>> I ran this by one of my teammates more versed in signature creation and
>> he immediately spotted the issue.  Unlike Yara, ClamAV signatures have a
>> restriction that subpatterns in a signature pattern must be at least 2
>> bytes long. In clamav, signature patterns are split into subpatterns with
>> the ranges like the "[1-4]" and "[0-3]" in your example.
>>
>> My teammate wrote:
>>
>> > We run into 'Can't find a static subpattern of length 2' when writing
>> regular ClamAV sigs more often than we'd like, and my understanding is that
>> it has to do with how Clam breaks up subsigs when the wildcard groups are
>> used... I think it splits the subsig into smaller subsigs, and if there
>> isn't at least a full two byte sequence on either side of the split subsig
>> the sig will fail to load.  A quick fix in this case is to just remove the
>> first wildcard capture group in $b, for example:
>> >
>> > rule TEST
>> > {
>> >    meta:
>> >        description = "Evaluate ClamAV YARA parsing"
>> >    strings:
>> >        $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
>> >        $b1 = { 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
>> >        $b2 = { 8a ?4 c1 ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
>> >        $b3 = { 8a ?4 c1 ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
>> >        $b4 = { 8a ?4 c1 ?? ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
>> >    condition:
>> >        filesize < 4MB and any of them
>> > }
>>
>> I hope this helps.
>>
>> Best regards,
>> Micah
>>
>>
>> > -----Original Message-----
>> > From: Community-sigs <community-sigs-bounces at lists.clamav.net> On
>> > Behalf Of Thiago Alves
>> > Sent: Wednesday, February 24, 2021 8:33 AM
>> > To: community-sigs at lists.clamav.net
>> > Subject: [Community-sigs] ClamAV YARA parsing
>> >
>> > Hi all,
>> >
>> > I'm trying to evaluate ClamAV's ability to parse YARA rules correctly.
>> > I've read the limitations on
>> > https://www.clamav.net/documents/using-yara-rules-in-clamav
>> > but still I'm having a hard time understanding why the following rule is
>> > not being accepted:
>> >
>> > rule TEST
>> > {
>> >     meta:
>> >         description = "Evaluate ClamAV YARA parsing"
>> >     strings:
>> >         $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
>> >         $b = { 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
>> >     condition:
>> >         filesize < 4MB and ($a or $b)
>> > }
>> >
>> > For the rule above, string $a was accepted, while $b was not. This is
>> > the error I'm getting on clamscan:
>> >
>> > LibClamAV Error: cli_ac_addsig: Can't find a static subpattern of length 2
>> > LibClamAV Error: cli_parse_add(): Problem adding signature (1).
>> > LibClamAV Error: cli_parseadd(): Problem adding signature (1b).
>> > LibClamAV Warning: load_oneyara[verify]: recovered from database loading error
>> > LibClamAV Warning: load_oneyara[verify]: string failed test insertion: $b
>> > LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.TEST
>> >
>> > Is this a bug or a limitation? I've tested this rule with other YARA
>> > parsing scans with success, but I'd rather use ClamAV due to its superior engine.
>> >
>> >
>> > Thanks,
>> >
>> > Thiago Alves
>> > _______________________________________________
>> >
>> > Community-sigs mailing list
>> > Community-sigs at lists.clamav.net
>> > https://lists.clamav.net/mailman/listinfo/community-sigs
>> >
>> > http://www.clamav.net/contact.html#ml
>>
>
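The rule Micah's teammate describes (ClamAV splits a hex string into subpatterns at each jump range, and each piece needs a run of two consecutive fully static bytes) can be checked mechanically, and the $b1..$b4 workaround can be generated the same way. The script below is an added example written for this archive page; it is neither the script Thiago proposed nor ClamAV's own loader, and the function names (`tokenize`, `check`, `clamify`) are hypothetical. It models only the behaviour stated in the thread: `[n-m]` splits the pattern, `??` and nibble wildcards such as `?4` count as non-static, and a lone `??` is assumed not to split (the question the top post asks is left open). Running it on the thread's strings, $a passes, $b fails on its first subpattern and expands into exactly the four $b1..$b4 variants, and $a1 fails with nothing to expand.

```python
"""Check YARA hex strings against the ClamAV subpattern rule from the thread,
and expand the offending jump ranges into fixed-count "??" wildcards.

Added example: not code from this thread and not ClamAV's own loader.
Assumption modelled: ClamAV splits a hex string into subpatterns at each jump
range "[n-m]", and every subpattern must contain at least one run of two
consecutive fully static bytes (no "??", no nibble wildcards such as "?4").
A lone "??" is assumed NOT to split the pattern; it only counts as non-static.
"""
import re
from itertools import product

RANGE = re.compile(r"\[(\d+)-(\d+)\]")   # YARA jump, e.g. [1-4]
BYTE = re.compile(r"[0-9a-f?]{2}")       # static byte, ?? or nibble wildcard


def tokenize(hexstr):
    """Turn '{ 8a ?4 c1 [1-4] fe ca }' into ['8a', '?4', 'c1', (1, 4), 'fe', 'ca']."""
    body = hexstr.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    tokens = []
    for tok in body.lower().split():
        m = RANGE.fullmatch(tok)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad jump range {tok}")
            tokens.append((lo, hi))
        elif BYTE.fullmatch(tok):
            tokens.append(tok)
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return tokens


def subpatterns(tokens):
    """Split the token list at every jump range, the way the reply describes."""
    parts, cur = [], []
    for t in tokens:
        if isinstance(t, tuple):
            parts.append(cur)
            cur = []
        else:
            cur.append(t)
    parts.append(cur)
    return parts


def has_static_pair(part):
    """True if two adjacent bytes are both free of '?' wildcards."""
    return any("?" not in a and "?" not in b for a, b in zip(part, part[1:]))


def check(hexstr):
    """Indexes of subpatterns that lack a 2-byte static run; [] means loadable."""
    return [i for i, p in enumerate(subpatterns(tokenize(hexstr)))
            if not has_static_pair(p)]


def clamify(hexstr):
    """Rewrite a failing string into variants that each pass check().

    Only jump ranges bordering a failing subpattern are expanded, into one
    variant per possible length (the teammate's $b1..$b4 trick); ranges whose
    neighbours already pass are kept as they are. Returns [] when expansion
    cannot help (e.g. a string with no two adjacent static bytes at all).
    """
    tokens = tokenize(hexstr)
    bad = set(check(hexstr))
    choices, idx = [], 0   # idx = subpattern to the left of the next range
    for t in tokens:
        if isinstance(t, tuple):
            lo, hi = t
            if idx in bad or idx + 1 in bad:
                choices.append([["??"] * n for n in range(lo, hi + 1)])
            else:
                choices.append([[f"[{lo}-{hi}]"]])
            idx += 1
        else:
            choices.append([[t]])
    variants = []
    for combo in product(*choices):
        s = "{ " + " ".join(b for group in combo for b in group) + " }"
        if check(s):       # expansion did not produce a loadable pattern
            return []
        variants.append(s)
    return variants


if __name__ == "__main__":
    # The three strings from the thread, embedded so the script runs offline.
    for name, s in [
        ("$a", "{ 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }"),
        ("$b", "{ 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }"),
        ("$a1", "{ 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }"),
    ]:
        print(name, "failing subpatterns:", check(s))
        for v in clamify(s):
            print("   ", v)
```

Note the design choice in `clamify`: the `[0-3]` in $b is left alone because the subpatterns on both sides of it already contain `fe ca` and `48 ff`, so only the `[1-4]` next to `8a ?4 c1` is expanded. Expanding every range would multiply the variant count needlessly. Verify any generated rule against a real `clamscan` load before relying on it, since the splitting behaviour of a lone `??` is an assumption here.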

