From: Mark Foley
Date: Wed, 05 Jul 2017 17:52:03 -0400
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] How to know if yara rules are being run?
I'm following up to my own message. I've confirmed that my clamav-milter *is*
running yara rules. I created the following rule:
rule testme
{
    strings:
        $st1 = "How now brown cow"
    condition:
        $st1
}
and put it in /var/lib/clamav/testme.yara. I had to make it owned by
clamav.clamav (owned by root failed), and I had to restart clamav-milter.
I sent an email containing the "brown cow" string to a recipient on this host
and clamav-milter caught it: clamav-milter.log:
Wed Jul 5 18:06:46 2017 -> Message v65M6iRh026596 from
to with subject 'test4' message-id
'<201707052206.v65m6gzc025...@server.novatec-inc.com>' date 'Wed, 05 Jul 2017
18:06:42 -0400' infected by YARA.testme.UNOFFICIAL
So, the question posted below remains:
Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux? I'm specifically asking about Eric's comment, "it requires a Win32
executable".
--Mark
On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com wrote
> > Eric - you misunderstand my question. I'm not asking if the yara rule is
> > working as designed. I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email. All I did was put
> > expetr.yara in /var/lib/clamav. That's it. I don't know if that's sufficient,
> > whether .yara or .yar is the proper file type (I've seen both), what the file
> > permissions should be ... In short, I have no feedback from clamav that it even
> > notices the presence of this rule.
> >
> > Can I set a debug level or something in clamd.conf, clamscan.conf or
> > clamav-milter.conf?
> >
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file.
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected.
> Possible values are Off (the default - nothing is logged), Basic (minimal
> info logged), Full (verbose info logged)
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr,
> rcpt_addr and i macros are available in eom. In other words add a line like:
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file.
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id},
> {mail_addr}, {rcpt_addr}, i')
> Postfix should be working fine with the default settings.
> Default: disabled
>
Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.
My LogInfected is set to Full
I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.
> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no
All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)
> I found the Yara rule I think you're using, but it requires a Win32 executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 100 and
> any of them
Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.
> So you could use something like PAR::Packer and try to compile a quick PERL
> script, but I would just put in a test yara rule like I email previously and
> send yourself an email. It should show up in the log file, and you'll be
> sure it's working.
>
> Eric
Here's where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule. I sent the message, but
nothing was detected. Although, not being versed in yara, I may need more
conditions set than that.
BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.
What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?
Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling explaining that is a lot more involved than you'd care to go into, but
if you can do so in a one- or two-liner, please do.
So, will this rule run as is, or not, on Linux? Do I have to do something?
Thanks, Mark
___
clamav-users mailing list