[Community-sigs] ClamAV YARA parsing
Andrew Williams
awillia2 at sourcefire.com
Thu Feb 25 17:35:00 UTC 2021
Thiago,
That string won't get split into multiple subpatterns AFAIK but the need
for a full two-byte sequence still applies...
{ AA 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 } should work,
for instance, as should
{ 72 ?? 75 ?? 6E ?? AA 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }.
-Andrew
On Thu, Feb 25, 2021 at 11:57 AM Thiago Alves <thiagoralves at gmail.com>
wrote:
> One more question, the following string also had the same issue:
> $a1 = { 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }
> Is the ?? also breaking the string into sub-strings? That would be weird
> because it accepted
> $b1 = { 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> from the previous example just fine, and $b1 ends with ?? 75 ??
>
> On Thu, Feb 25, 2021 at 10:24 AM Thiago Alves <thiagoralves at gmail.com>
> wrote:
>
> > Hi Micah, thank you for your prompt response! I didn't realize that the
> > ranges [ ] would break the strings into sub-strings. Now it is more
> > clear. The solution your colleague proposed worked for me, so thanks
> > again!
> > I might create a python parser that "clamifies" YARA rules so that they
> > are compliant with the 2 integral bytes sequence on sub-strings. This
> > will make it easier to import YARA rules into clamav. If I end up doing
> > that I'll share the script with the community.
> >
> > Thanks,
> >
> > Thiago Alves
> >
> > On Wed, Feb 24, 2021 at 5:13 PM Micah Snyder (micasnyd) <
> > micasnyd at cisco.com> wrote:
> >
> >> Hi Thiago,
> >>
> >> I ran this by one of my teammates more versed in signature creation and
> >> he immediately spotted the issue. Unlike Yara, ClamAV signatures have a
> >> restriction that subpatterns in a signature pattern must be at least 2
> >> bytes long. In clamav, signature patterns are split into subpatterns
> >> with the ranges like the "[1-4]" and "[0-3]" in your example.
> >>
> >> My teammate wrote:
> >>
> >> > We run into 'Can't find a static subpattern of length 2' when writing
> >> > regular ClamAV sigs more often than we'd like, and my understanding is
> >> > that it has to do with how Clam breaks up subsigs when the wildcard
> >> > groups are used... I think it splits the subsig into smaller subsigs,
> >> > and if there isn't at least a full two byte sequence on either side of
> >> > the split subsig the sig will fail to load. A quick fix in this case
> >> > is to just remove the first wildcard capture group in $b, for example:
> >> >
> >> > rule TEST
> >> > {
> >> >     meta:
> >> >         description = "Evaluate ClamAV YARA parsing"
> >> >     strings:
> >> >         $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >> >         $b1 = { 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >> >         $b2 = { 8a ?4 c1 ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >> >         $b3 = { 8a ?4 c1 ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >> >         $b4 = { 8a ?4 c1 ?? ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >> >     condition:
> >> >         filesize < 4MB and any of them
> >> > }
> >>
> >> I hope this helps.
> >>
> >> Best regards,
> >> Micah
> >>
> >>
> >> > -----Original Message-----
> >> > From: Community-sigs <community-sigs-bounces at lists.clamav.net> On
> >> > Behalf Of Thiago Alves
> >> > Sent: Wednesday, February 24, 2021 8:33 AM
> >> > To: community-sigs at lists.clamav.net
> >> > Subject: [Community-sigs] ClamAV YARA parsing
> >> >
> >> > Hi all,
> >> >
> >> > I'm trying to evaluate ClamAV's ability to parse YARA rules correctly.
> >> > I've read the limitations on
> >> > https://www.clamav.net/documents/using-yara-rules-in-clamav but still
> >> > I'm having a hard time understanding why the following rule is not
> >> > being accepted:
> >> >
> >> > rule TEST
> >> > {
> >> >     meta:
> >> >         description = "Evaluate ClamAV YARA parsing"
> >> >     strings:
> >> >         $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >> >         $b = { 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> >> >     condition:
> >> >         filesize < 4MB and ($a or $b)
> >> > }
> >> >
> >> > For the rule above, string $a was accepted, while $b was not. This is
> >> > the error I'm getting on clamscan:
> >> >
> >> > LibClamAV Error: cli_ac_addsig: Can't find a static subpattern of length 2
> >> > LibClamAV Error: cli_parse_add(): Problem adding signature (1).
> >> > LibClamAV Error: cli_parseadd(): Problem adding signature (1b).
> >> > LibClamAV Warning: load_oneyara[verify]: recovered from database loading error
> >> > LibClamAV Warning: load_oneyara[verify]: string failed test insertion: $b
> >> > LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.TEST
> >> >
> >> > Is this a bug or a limitation? I've tested this rule with other YARA
> >> > parsing scans with success, but I'd rather use ClamAV due to its
> >> > superior engine.
> >> >
> >> >
> >> > Thanks,
> >> >
> >> > Thiago Alves
> >> > _______________________________________________
> >> >
> >> > Community-sigs mailing list
> >> > Community-sigs at lists.clamav.net
> >> > https://lists.clamav.net/mailman/listinfo/community-sigs
> >> >
> >> > http://www.clamav.net/contact.html#ml
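Thiago mentions writing a parser that checks YARA rules against ClamAV's two-static-byte subpattern requirement before import. The following is an added example of such a pre-flight checker; it is not ClamAV's code and not Thiago's script. It applies the rule as the thread describes it: a jump such as `[1-4]` splits a hex string into subpatterns, `??` and nibble wildcards such as `?4` do not split but do not count as static bytes, and every subpattern needs a run of at least two adjacent fully specified bytes. This is an approximation of the loader's real behaviour, assumed here for illustration; the function and variable names are the example's own, and hex-string alternatives such as `( 01 | 02 )` are rejected as unsupported rather than analysed.

```python
import re

# Added example (not ClamAV code, not the "clamify" script from the thread):
# a checker that flags YARA hex strings which ClamAV would refuse to load
# with "Can't find a static subpattern of length 2". Assumed model:
#   * a jump "[n-m]" splits the string into subpatterns;
#   * "??" and nibble wildcards such as "?4" do not split but are not static;
#   * each subpattern needs >= 2 adjacent static bytes.

# A token is either a jump "[...]" or a two-character byte ("8a", "?4", "??").
_TOKEN_RE = re.compile(r"\[[^\]]*\]|[0-9a-fA-F?]{2}")
# Matches "$name = { ... }" string definitions inside a rule.
_STRING_RE = re.compile(r"\$(\w+)\s*=\s*\{([^}]*)\}")


def tokenize_hex_string(body: str) -> list[str]:
    """Split the text of a YARA hex string into byte tokens and jump tokens."""
    inner = body.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    tokens = _TOKEN_RE.findall(inner)
    # Everything except whitespace must have been consumed; anything else
    # (alternatives, odd nibble counts, stray characters) is unsupported.
    if "".join(tokens) != re.sub(r"\s+", "", inner):
        raise ValueError(f"unsupported hex string syntax: {body!r}")
    return tokens


def split_subpatterns(tokens: list[str]) -> list[list[str]]:
    """Cut the token list at every jump; the jumps themselves are dropped."""
    subpatterns, current = [], []
    for tok in tokens:
        if tok.startswith("["):
            subpatterns.append(current)
            current = []
        else:
            current.append(tok)
    subpatterns.append(current)
    return subpatterns


def longest_static_run(tokens: list[str]) -> int:
    """Length of the longest run of adjacent bytes containing no '?' nibble."""
    best = run = 0
    for tok in tokens:
        run = 0 if "?" in tok else run + 1
        best = max(best, run)
    return best


def check_hex_string(body: str, min_static: int = 2) -> list[str]:
    """Return a list of problems; an empty list means the string should load."""
    problems = []
    for index, sub in enumerate(split_subpatterns(tokenize_hex_string(body))):
        if longest_static_run(sub) < min_static:
            shown = " ".join(sub) if sub else "<empty>"
            problems.append(
                f"subpattern {index} ({shown}) has no static run of "
                f"{min_static} bytes"
            )
    return problems


def check_rule(rule_text: str) -> dict[str, list[str]]:
    """Check every `$name = { ... }` hex string found in a YARA rule."""
    return {
        name: check_hex_string(hexbody)
        for name, hexbody in _STRING_RE.findall(rule_text)
    }


# Sample input: the strings discussed in the thread, embedded for a stand-alone run.
SAMPLE_RULE = """
rule TEST
{
    meta:
        description = "Evaluate ClamAV YARA parsing"
    strings:
        $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
        $b = { 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
        $a1 = { 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }
    condition:
        filesize < 4MB and any of them
}
"""

if __name__ == "__main__":
    for name, problems in check_rule(SAMPLE_RULE).items():
        print(f"${name}: {'ok' if not problems else '; '.join(problems)}")
```

Run against the sample rule, `$a` passes, `$b` fails on its first subpattern (`8a ?4 c1` has no two adjacent static bytes, which is exactly why dropping the `[1-4]` jump in `$b1` fixes it), and `$a1` fails because no two consecutive bytes in it are fully specified, which matches Andrew's observation that `??` does not split the string but the two-byte requirement still applies. Treating `?4` as non-static is the assumption that makes the checker agree with the loader output quoted in the thread.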