Re: [clamav-users] How to know if yara rules are being run?

2017-07-05 Thread Mark Foley
From: Mark Foley 
Date: Wed, 05 Jul 2017 17:52:03 -0400
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] How to know if yara rules are being run?

I'm following up to my own message.  I've confirmed that my clamav-milter *is*
running yara rules.  I created the following rule:

rule testme
{
    strings:
        $st1 = "How now brown cow"

    condition:
        $st1
}

and put it in /var/lib/clamav/testme.yara. I had to make it owned by
clamav.clamav (owned by root failed), and I had to restart clamav-milter.

I sent an email containing the "brown cow" string to a recipient on this host
and clamav-milter caught it: clamav-milter.log:

Wed Jul  5 18:06:46 2017 -> Message v65M6iRh026596 from 
 to  with subject 'test4' message-id 
'<201707052206.v65m6gzc025...@server.novatec-inc.com>' date 'Wed, 05 Jul 2017 
18:06:42 -0400' infected by YARA.testme.UNOFFICIAL

So, the question posted below remains: 

Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux? I'm specifically asking about Eric's comment, "it requires a Win32 
executable".

--Mark

On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com  wrote
> > Eric - you misunderstand my question.  I'm not asking if the yara rule is
> > working as designed.  I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email.  All I did was put
> > expetr.yara in /var/lib/clamav.  That's it.  I don't know if that's sufficient,
> > whether .yara or .yar is the proper file type (I've seen both), what the file
> > permissions should be ...  In short, I have no feedback from clamav that it even
> > notices the presence of this rule.
> > 
> > Can I set a debug level or something in clamd.conf, clamdscan.conf or
> > clamav-milter.conf?
> > 
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file. 
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected. 
> Possible values are Off (the default - nothing is logged), Basic (minimal 
> info logged), Full (verbose info logged) 
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr, 
> rcpt_addr and i macros are available in eom. In other words add a line like: 
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file. 
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id}, 
> {mail_addr}, {rcpt_addr}, i') 
> Postfix should be working fine with the default settings. 
> Default: disabled
>

Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.

My LogInfected is set to Full.

I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.

> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no

All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)

> I found the Yara rule I think you're using, but it requires a Win32 executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 100 and
> any of them

Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.

> So you could use something like PAR::Packer and try to compile a quick PERL 
> script, but I would just put in a test yara rule like I emailed previously and 
> send yourself an email.  It should show up in the log file, and you'll be 
> sure it's working.
>
> Eric

Here's where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule.  I sent the message, but
nothing was detected.  Although, not being versed in yara, I may need more
conditions set than that. 

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.

What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling explaining that is a lot more involved than you'd care to go into, but
if you can do so in a one- or two-liner, please do.

So, will this rule run as is, or not, on Linux? Do I have to do something?

Thanks, Mark
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml