[Community-sigs] ClamAV YARA parsing

Thiago Alves thiagoralves at gmail.com
Fri Feb 26 16:05:57 UTC 2021


That makes total sense. I thought that the string only had to have 2 bytes
on it, but now I see that they can't be separated by wildcards. Ok so as
long as I have at least one two-byte sequence on the string I'm golden.
Perfect! Thanks guys!

On Thu, Feb 25, 2021 at 12:35 PM Andrew Williams <awillia2 at sourcefire.com>
wrote:

> Thiago,
>
> That string won't get split into multiple subpatterns AFAIK but the need
> for a full two-byte sequence still applies... { AA 72 ?? 75 ?? 6E ?? 41 ??
> 6C ?? 6C ?? 41 ?? 70 ?? 70 } should work, for instance, as should { 72 ??
> 75 ?? 6E ?? AA 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }.
>
> -Andrew
>
> On Thu, Feb 25, 2021 at 11:57 AM Thiago Alves <thiagoralves at gmail.com>
> wrote:
>
> > One more question, the following string also had the same issue:
> > $a1 = { 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }
> > Is the ?? also breaking the string into sub-strings? That would be weird
> > because it accepted $b1 = { 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48
> > ?? ?? ?? 75 ?? } from the previous example just fine, and $b1 ends with
> > ?? 75 ??
> >
> > On Thu, Feb 25, 2021 at 10:24 AM Thiago Alves <thiagoralves at gmail.com>
> > wrote:
> >
> > > Hi Micah, thank you for your prompt response! I didn't realize that the
> > > ranges [ ] would break the strings into sub-strings. Now it is more
> > > clear. The solution your colleague proposed worked for me, so thanks
> > > again!
> > > I might create a python parser that "clamifies" YARA rules so that they
> > > are compliant with the 2-integral-byte sequence on sub-strings. This will
> > > make it easier to import YARA rules into clamav. If I end up doing that
> > > I'll share the script with the community.
> > >
> > > Thanks,
> > >
> > > Thiago Alves
> > >
> > > On Wed, Feb 24, 2021 at 5:13 PM Micah Snyder (micasnyd) <
> > > micasnyd at cisco.com> wrote:
> > >
> > >> Hi Thiago,
> > >>
> > >> I ran this by one of my teammates more versed in signature creation and
> > >> he immediately spotted the issue. Unlike Yara, ClamAV signatures have a
> > >> restriction that subpatterns in a signature pattern must be at least 2
> > >> bytes long. In clamav, signature patterns are split into subpatterns
> > >> with the ranges like the "[1-4]" and "[0-3]" in your example.
> > >>
> > >> My teammate wrote:
> > >>
> > >> > We run into 'Can't find a static subpattern of length 2' when writing
> > >> > regular ClamAV sigs more often than we'd like, and my understanding is
> > >> > that it has to do with how Clam breaks up subsigs when the wildcard
> > >> > groups are used... I think it splits the subsig into smaller subsigs,
> > >> > and if there isn't at least a full two byte sequence on either side of
> > >> > the split subsig the sig will fail to load. A quick fix in this case is
> > >> > to just remove the first wildcard capture group in $b, for example:
> > >> >
> > >> > rule TEST
> > >> > {
> > >> >    meta:
> > >> >        description = "Evaluate ClamAV YARA parsing"
> > >> >    strings:
> > >> >        $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> > >> >        $b1 = { 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> > >> >        $b2 = { 8a ?4 c1 ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> > >> >        $b3 = { 8a ?4 c1 ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> > >> >        $b4 = { 8a ?4 c1 ?? ?? ?? ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> > >> >    condition:
> > >> >        filesize < 4MB and any of them
> > >> > }
> > >>
> > >> I hope this helps.
> > >>
> > >> Best regards,
> > >> Micah
> > >>
> > >>
> > >> > -----Original Message-----
> > >> > From: Community-sigs <community-sigs-bounces at lists.clamav.net> On
> > >> > Behalf Of Thiago Alves
> > >> > Sent: Wednesday, February 24, 2021 8:33 AM
> > >> > To: community-sigs at lists.clamav.net
> > >> > Subject: [Community-sigs] ClamAV YARA parsing
> > >> >
> > >> > Hi all,
> > >> >
> > >> > I'm trying to evaluate ClamAV's ability to parse YARA rules correctly.
> > >> > I've read the limitations on
> > >> > https://www.clamav.net/documents/using-yara-rules-in-clamav but still
> > >> > I'm having a hard time understanding why the following rule is not
> > >> > being accepted:
> > >> >
> > >> > rule TEST
> > >> > {
> > >> >     meta:
> > >> >         description = "Evaluate ClamAV YARA parsing"
> > >> >     strings:
> > >> >         $a = { 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> > >> >         $b = { 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
> > >> >     condition:
> > >> >         filesize < 4MB and ($a or $b)
> > >> > }
> > >> >
> > >> > For the rule above, string $a was accepted, while $b was not. This is
> > >> > the error I'm getting on clamscan:
> > >> >
> > >> > LibClamAV Error: cli_ac_addsig: Can't find a static subpattern of length 2
> > >> > LibClamAV Error: cli_parse_add(): Problem adding signature (1).
> > >> > LibClamAV Error: cli_parseadd(): Problem adding signature (1b).
> > >> > LibClamAV Warning: load_oneyara[verify]: recovered from database loading error
> > >> > LibClamAV Warning: load_oneyara[verify]: string failed test insertion: $b
> > >> > LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.TEST
> > >> >
> > >> > Is this a bug or a limitation? I've tested this rule with other YARA
> > >> > parsing scans with success, but I'd rather use ClamAV due to its
> > >> > superior engine.
> > >> >
> > >> >
> > >> > Thanks,
> > >> >
> > >> > Thiago Alves
> > >> > _______________________________________________
> > >> >
> > >> > Community-sigs mailing list
> > >> > Community-sigs at lists.clamav.net
> > >> > https://lists.clamav.net/mailman/listinfo/community-sigs
> > >> >
> > >> > http://www.clamav.net/contact.html#ml


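Thiago mentions writing a Python checker that "clamifies" YARA rules. The script below is an added example, not code from the thread or from the ClamAV project: it implements the loading rule the way the replies describe it (a hex string is split into subpatterns at every jump such as [1-4]; ?? and nibble wildcards like ?4 do not split but are not static; every subpattern needs two adjacent fully static bytes). The tokenizer and that model of ClamAV's check are assumptions drawn from the thread, not ClamAV's actual implementation.

```python
import re

# Assumed model of the restriction described in the thread (not ClamAV's code):
#   - a YARA hex string is split into subpatterns at each jump "[n-m]" or "[n]";
#   - "??" and nibble wildcards such as "?4" do not split a subpattern,
#     but they are not static bytes;
#   - every subpattern must contain two consecutive fully static bytes.
TOKEN = re.compile(r"\[\d*(?:-\d*)?\]|[0-9a-fA-F?]{2}")


def subpatterns(hexstr: str) -> list[list[str]]:
    """Tokenize the body of a YARA hex string and split it at every jump."""
    body = hexstr.strip().strip("{}")
    tokens = TOKEN.findall(body)
    if "".join(tokens) != re.sub(r"\s+", "", body):
        raise ValueError(f"unrecognised token in hex string: {hexstr!r}")
    parts, current = [], []
    for tok in tokens:
        if tok.startswith("["):      # jump: closes the current subpattern
            parts.append(current)
            current = []
        else:
            current.append(tok)
    parts.append(current)
    return parts


def has_static_pair(tokens: list[str]) -> bool:
    """True if two adjacent bytes are both fully static (no '?' nibble)."""
    return any("?" not in a and "?" not in b for a, b in zip(tokens, tokens[1:]))


def first_bad_subpattern(hexstr: str):
    """Return the first subpattern lacking a static 2-byte run, or None."""
    for part in subpatterns(hexstr):
        if not has_static_pair(part):
            return " ".join(part)
    return None


def clamav_loadable(hexstr: str) -> bool:
    """Would ClamAV (per the model above) accept this YARA hex string?"""
    return first_bad_subpattern(hexstr) is None


if __name__ == "__main__":
    # The strings from the thread: $a loads, $b and $a1 fail, $b1 loads.
    for name, s in [
        ("$a", "{ 8a f4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }"),
        ("$b", "{ 8a ?4 c1 [1-4] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }"),
        ("$b1", "{ 8a ?4 c1 ?? fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }"),
        ("$a1", "{ 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }"),
    ]:
        print(name, "ok" if clamav_loadable(s) else f"bad subpattern: {first_bad_subpattern(s)}")
```

Running it on the rule strings from this thread reports $b and $a1 as unloadable and names the offending subpattern, which is what the "Can't find a static subpattern of length 2" error leaves out.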