After chasing docs back and forth and trying small variations, I think
I've found what's arguably a bug in Clam's YARA implementation.
These two YARA rules should both match exactly the same, but don't. The
first will only match if the condition is changed to indicate a single
match in some variation (either "#a > 0" or just "$a" both match).
rule data1 {
    strings:
        $a = /<script type="text\/javascript">functionsendemail.?\(\)\{/
    condition:
        #a > 3
}

rule data2 {
    strings:
        $a = { 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a
               61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 73 65 6e 64 65
               6d 61 69 6c [0-1] 28 29 7b }
    condition:
        #a > 3
}
While chasing this back and forth I confirmed that simple text string
repetition also works fine. I also confirmed that individual regex
matches on each observed character variation in the sample file also
worked, including when bundled into a single rule with a condition of
"all of them", so it's not that it couldn't match any particular
expected instance of the string.
-kgd
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
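An added check, not part of the post or of ClamAV: it evaluates the two string definitions from the rules above with Python's re module, outside any YARA engine, so you can confirm that the regex form and the hex form count the same occurrences before blaming the engine. The constructed sample file, the variant characters cycled through, and the hex-string subset the translator handles are assumptions.

```python
import re

# Rule data1's regular expression from the post, as a bytes pattern (YARA
# matches regexes against raw bytes, and "." does not match "\n" by default).
DATA1_REGEX = rb'<script type="text/javascript">functionsendemail.?\(\)\{'

# Rule data2's hex string, copied from the post (line breaks are legal in YARA).
DATA2_HEX = """3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a
61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 73 65 6e 64 65
6d 61 69 6c [0-1] 28 29 7b"""

def hex_string_to_regex(hex_string: str) -> bytes:
    """Translate a YARA hex string into an equivalent Python bytes regex. Handles
    plain bytes, "??" wildcards and "[n-m]" jumps, the subset the post's rule
    uses; nibble wildcards such as "3?" are not supported (assumption)."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)

def count_occurrences(pattern: bytes, data: bytes, dotall: bool) -> int:
    """YARA's #a for one pattern: non-overlapping match count. A hex jump matches
    any byte including "\n", so the hex-derived regex needs DOTALL."""
    return len(re.findall(pattern, data, re.DOTALL if dotall else 0))

def build_sample(n: int) -> bytes:
    """Constructed sample (not the poster's file) with n instances of the string,
    cycling through assumed variants of the optional character before "(){"."""
    variants = [b"", b" ", b"_"]
    prefix = b'<script type="text/javascript">functionsendemail'
    body = b"".join(prefix + variants[i % 3] + b"(){ /*...*/ }</script>\n"
                    for i in range(n))
    return b"<html>\n" + body + b"</html>\n"

def compare_rules(data: bytes, threshold: int = 3) -> dict:
    """Evaluate '#a > threshold' for both string forms, independently of any
    YARA engine, and report whether the two definitions agree."""
    r = count_occurrences(DATA1_REGEX, data, dotall=False)
    h = count_occurrences(hex_string_to_regex(DATA2_HEX), data, dotall=True)
    return {"data1_count": r, "data2_count": h, "strings_equivalent": r == h,
            "data1_fires": r > threshold, "data2_fires": h > threshold}
```

If both forms agree on a sample here but only data2 fires in clamscan, the discrepancy lies in the engine's handling of regex match counts rather than in the rule text.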