I'm still getting the unexpected match under python, after updating to
python 3.8.4 and reinstalling yara-python 4.0.2
For what it's worth
On Wednesday, July 8, 2020 at 10:48:32 AM UTC-4, Wes Hurd wrote:
>
> I think there's some confusion on versions.
> As I mentioned in my original post,
I think there's some confusion on versions.
As I mentioned in my original post, this happened to me running the latest
release of both yara and yara-python, 4.0.2
*/usr/local/Cellar/yara/4.0.2/*
*/usr/local/lib/python3.7/site-packages/yara.cpython-37m-darwin.so*
This issue is probably related to this change:
https://github.com/VirusTotal/yara/commit/b7da5d2835cc4cf8a15027da30265addab1a4be5
Old versions of YARA had a weird behaviour when the NOT operator was used
in conjunction with MATCHES or CONTAINS on undefined values. Your old
version of yara-python
I can't replicate this - it does not match on 4.0.2 on my system. There is no
rule parsing bug here - the same C code is used when compiling rules using yara
on the command line or via python. I've had a couple of people tell me
something weird is going on when using pip to install yara-python,
Hi again.
Sorry, I now see you mentioned you're using yara-python 4.0.2 (pip). Well,
I don't know why but pip3 says my 3.10.0 version is up to date. I'm not
that familiar with yara-python (I don't know if it follows yara version
numbers for instance). I couldn't install this 4.0.2 version to
Hi,
I couldn't reproduce it here.
$ cat test_odd_pe_py_match.yara
import "pe"
rule Odd_PE_Entry_Point
{
condition:
uint16(0) == 0x5a4d and
((pe.entry_point >= pe.sections[pe.number_of_sections -
1].raw_data_offset) or (not
Hi,
This is running with the following versions on macOS 10.14.6:
*yara 4.0.2 homebrew*
*yara-python 4.0.2 (pip)*
*Python 3.7.7*
I'm having a really weird case where a rule using the pe module is unexpectedly
matching certain files when run under yara-python, but not matching if
running the