Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Mark Foley
On Thu, 6 Jul 2017 11:34:53 -0400 Kris Deugau  wrote
>
> Mark Foley wrote:
>
> > So, the question posted below remains:
> >
> > Will the expetr.yara rule, described in this thread, run as is, or not, on
> > Linux?
>
> Any valid signature file will be loaded and used.
>
> Any *invalid* signature file will cause clamd to exit.
>
> If clamd is running, and you've been able to confirm the signature file 
> is being loaded, the signature will be checked.
>
> Signatures are not platform-specific except in terms of what they're 
> intended to match on.
>
> > I'm specifically asking about Eric's comment, "it requires a Win32 
> > executable".
>
> To answer this specific point, one of the signature fragments checks a 
> byte pattern in a certain location to help ensure that it only triggers 
> on files that are Win32 executables.
>
> More generally, to confirm whether a specific signature is doing what 
> it's supposed to, you need to have a file to test with that you know is 
> supposed to match on that signature.
>
> -kgd

Thanks Kris, that answers my question. I somehow incorrectly took from Eric's
comment that the rule would only run on Windows, but I get that the rule is
inspecting the message for a Windows executable.

--Mark
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Kris Deugau

Mark Foley wrote:

> So, the question posted below remains:
>
> Will the expetr.yara rule, described in this thread, run as is, or not, on
> Linux?

Any valid signature file will be loaded and used.

Any *invalid* signature file will cause clamd to exit.

If clamd is running, and you've been able to confirm the signature file 
is being loaded, the signature will be checked.

Signatures are not platform-specific except in terms of what they're 
intended to match on.

> I'm specifically asking about Eric's comment, "it requires a Win32 executable".

To answer this specific point, one of the signature fragments checks a 
byte pattern in a certain location to help ensure that it only triggers 
on files that are Win32 executables.

More generally, to confirm whether a specific signature is doing what 
it's supposed to, you need to have a file to test with that you know is 
supposed to match on that signature.

-kgd


Re: [clamav-users] How to know if yara rules are being run?

2017-07-05 Thread Mark Foley
From: Mark Foley 
Date: Wed, 05 Jul 2017 17:52:03 -0400
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] How to know if yara rules are being run?

I'm following up to my own message.  I've confirmed that my clamav-milter *is*
running yara rules.  I created the following rule:

rule testme
{
    strings:
        $st1 = "How now brown cow"

    condition:
        $st1
}

and put it in /var/lib/clamav/testme.yara. I had to make it owned by
clamav.clamav (owned by root failed), and I had to restart clamav-milter.

I sent an email containing the "brown cow" string to a recipient on this host
and clamav-milter caught it: clamav-milter.log:

Wed Jul  5 18:06:46 2017 -> Message v65M6iRh026596 from 
 to  with subject 'test4' message-id 
'<201707052206.v65m6gzc025...@server.novatec-inc.com>' date 'Wed, 05 Jul 2017 
18:06:42 -0400' infected by YARA.testme.UNOFFICIAL

So, the question posted below remains: 

Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux? I'm specifically asking about Eric's comment, "it requires a Win32 
executable".

--Mark


Re: [clamav-users] How to know if yara rules are being run?

2017-07-05 Thread Mark Foley
On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com  wrote
> > Eric - you misunderstand my question.  I'm not asking if the yara rule is
> > working as designed.  I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email.  All I did was put
> > expetr.yara in /var/lib/clamav.  That's it.  I don't know if that's 
> > sufficient,
> > whether .yara or .yar is the proper file type (I've seen both), what the 
> > file
> > permissions should be ...  In short, I have no feedback from clamav that it 
> > even
> > notices the presence of this rule.
> > 
> > Can I set a debug level or something in clamd.conf, clamdscan.conf or
> > clamav-milter.conf?
> > 
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file. 
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected. 
> Possible values are Off (the default - nothing is logged), Basic (minimal 
> info logged), Full (verbose info logged) 
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr, 
> rcpt_addr and i macros are available in eom. In other words add a line like: 
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file. 
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id}, 
> {mail_addr}, {rcpt_addr}, i') 
> Postfix should be working fine with the default settings. 
> Default: disabled
>

Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.

My LogInfected is set to Full

I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.

> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no

All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)

> I found the Yara rule I think you're using, but it requires a Win32 executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 100 and
> any of them

Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.

> So you could use something like PAR::Packer and try to compile a quick PERL 
> script, but I would just put in a test yara rule like I emailed previously and 
> send yourself an email.  It should show up in the log file, and you'll be 
> sure it's working.
>
> Eric

Here's where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule.  I sent the message, but
nothing was detected.  Although, not being versed in yara, I may need more
conditions set than that. 

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.

What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling explaining that is a lot more involved than you'd care to go into, but
if you can do so in a one- or two-liner, please do.

So, will this rule run as is, or not, on Linux? Do I have to do something?

Thanks, Mark
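The condition Eric quotes is why the "POWER CABLE" e-mail did not fire, and it is the same point Kris makes about the Win32 check: `uint16(0) == 0x5A4D` reads the first two bytes of the scanned object as a little-endian integer, so the object has to begin with the ASCII bytes `MZ` (a DOS/PE header). A plain message body never does, so the strings are never even consulted, whereas a rule whose condition is only `$st1` has no such gate. What follows is an added example, not code from the thread or from the Kaspersky rule: a shell script that writes a rule of the same shape (the string `POWER CABLE` and the bound `MAX_SIZE=100` are placeholders chosen here, not the real rule's strings or size), builds one plain-text sample and one sample that starts with `MZ`, and evaluates each clause of the condition with `od`, `wc` and `grep` so the failing clause is named before the file is handed to `clamscan -d`.

```shell
#!/bin/sh
# Added example, not from the thread or from the Kaspersky rule it discusses.
# Builds a file that a rule gated on uint16(0) == 0x5A4D can match, and
# pre-checks each clause of that condition with plain POSIX tools so you can
# see which clause a sample fails before involving clamscan.
set -eu

WORK="${WORK:-$(mktemp -d)}"
MAX_SIZE=100           # size bound as quoted in the thread; use the value from your rule
MARKER='POWER CABLE'   # placeholder string for this example; the real rule's strings are not reproduced

# Rule file with the same condition shape as the one quoted in the thread.
write_rule() {
    cat > "$1" <<EOF
rule mz_marker_test
{
    strings:
        \$s1 = "$MARKER"
    condition:
        uint16(0) == 0x5A4D and
        filesize < $MAX_SIZE and
        any of them
}
EOF
}

# What a test e-mail body looks like to the scanner: the marker is there,
# but the first two bytes are not "MZ".
write_text_sample() {
    printf 'Hello,\nplease check the %s before you leave.\n' "$MARKER" > "$1"
}

# Smallest thing that satisfies all three clauses: the two-byte DOS header
# "MZ", then the marker. It is not a valid PE, but uint16(0) only reads
# the first two bytes.
write_mz_sample() {
    { printf 'MZ'; printf '%s\n' "$MARKER"; } > "$1"
}

# uint16(0) == 0x5A4D: YARA reads the integer little-endian, so on disk the
# bytes are 4d 5a, i.e. the ASCII "MZ".
has_mz_header() {
    [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "4d5a" ]
}

# filesize < MAX_SIZE
is_small_enough() {
    [ "$(wc -c < "$1" | tr -d ' ')" -lt "$MAX_SIZE" ]
}

# any of them: with a single declared string, that string must be present.
has_marker() {
    grep -q -- "$MARKER" "$1"
}

# Full condition, reporting the first clause that fails. Returns 0 on a match.
rule_matches() {
    f=$1
    has_mz_header "$f"   || { echo "$f: uint16(0) != 0x5A4D (no MZ header)"; return 1; }
    is_small_enough "$f" || { echo "$f: filesize is not < $MAX_SIZE"; return 1; }
    has_marker "$f"      || { echo "$f: none of the declared strings present"; return 1; }
    echo "$f: all clauses satisfied"
}

# Build the fixtures and check that only the MZ sample would match.
build_and_check() {
    write_rule "$WORK/mz_marker_test.yara"
    write_text_sample "$WORK/body.txt"
    write_mz_sample "$WORK/sample.bin"
    if rule_matches "$WORK/body.txt"; then return 1; fi
    rule_matches "$WORK/sample.bin"
}

build_and_check
echo "then: clamscan -d $WORK/mz_marker_test.yara $WORK/sample.bin   (expect YARA.mz_marker_test.UNOFFICIAL FOUND)"
```

Run it, then feed `sample.bin` to `clamscan -d` with the generated rule, and later to clamd with the rule sitting in DatabaseDirectory; `body.txt` should stay clean in both cases. To test the real rule the same way, replace `MARKER` with one of its declared strings and `MAX_SIZE` with its size bound, and keep the sample under that bound.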


Re: [clamav-users] How to know if yara rules are being run?

2017-07-04 Thread Mark Foley
On Mon, 3 Jul 2017 19:57:25 -0400 Eric Tykwinski  wrote:
> > 
> > Yes. I got exactly the same output as you show. Therefore, yara rules are 
> > enabled.
> > 
> > So then, how can I confirm the expetr.yara I created is being run?
> > 
> > --Mark
>
> Mark,
>
> We are getting off topic for ClamAV list.  I don't know what rule that they 
> published, and thankfully haven't had to deal with anything locally.
> My guess would be to open the yara rule and check it out.  You might be able 
> to fake it with a hex editor to test it out, or you can search for sample 
> files and see if they catch them.  With Yara rules though you are usually 
> only getting a small fragment of the infections, and probably a large portion 
> of false positives.  I use them for scanning backup archives personally to 
> find web exploits, and the like, don't delete but find when the file was 
> dropped.
>
> Hope this helps,
>
> Eric
>

Eric - you misunderstand my question.  I'm not asking if the yara rule is
working as designed.  I'm asking how I can tell if clamav-milter is actually
running the rule during its scan of incoming email.  All I did was put
expetr.yara in /var/lib/clamav.  That's it.  I don't know if that's sufficient,
whether .yara or .yar is the proper file type (I've seen both), what the file
permissions should be ...  In short, I have no feedback from clamav that it even
notices the presence of this rule.

Can I set a debug level or something in clamd.conf, clamdscan.conf or
clamav-milter.conf?

--Mark


Re: [clamav-users] How to know if yara rules are being run?

2017-07-03 Thread Mark Foley
On Sat, 1 Jul 2017 09:21:50 -0400 Eric Tykwinski  wrote:
> > On Jul 1, 2017, at 1:10 AM, Mark Foley  wrote:
> > 
> > I've put the expetr.yara rule from Kaspersky for the recent notPetya 
> > ransomware
> > in my /var/lib/clamav directory.
> > 
> > How can I tell if clamav is running it? I see nothing in 
> > /var/log/clamav.log.
> > 
> > --Mark
>
>
> My first suggestion would be to make sure Yara rules are enabled in clamav.
> So make a couple of files: 
> /*** test.yara ***/
> rule Test_Yara_Rules : test
> {
>   meta:
> description = "Test Yara"
>   strings:
> $test = "YaraTest" fullword ascii
>   condition:
> $test
> }
> /***/
>
> echo YaraTest > test.txt
>
> clamscan -d ./test.yara test.txt
>
> Should show you:
> test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 1
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.007 sec (0 m 0 s)
>

Yes. I got exactly the same output as you show. Therefore, yara rules are 
enabled.

So then, how can I confirm the expetr.yara I created is being run?

--Mark


Re: [clamav-users] How to know if yara rules are being run?

2017-07-01 Thread Eric Tykwinski


> On Jul 1, 2017, at 1:10 AM, Mark Foley  wrote:
> 
> I've put the expetr.yara rule from Kaspersky for the recent notPetya 
> ransomware
> in my /var/lib/clamav directory.
> 
> How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.
> 
> --Mark


My first suggestion would be to make sure Yara rules are enabled in clamav.
So make a couple of files: 
/*** test.yara ***/
rule Test_Yara_Rules : test
{
  meta:
description = "Test Yara"
  strings:
$test = "YaraTest" fullword ascii
  condition:
$test
}
/***/

echo YaraTest > test.txt

clamscan -d ./test.yara test.txt

Should show you:
test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)

For Ubuntu 16.04, it’s enabled by default, on OSX with homebrew add --with-yara 
to enable them.

PS.  Talos guys, I’m loving the new website, a lot of info in there.

[clamav-users] How to know if yara rules are being run?

2017-06-30 Thread Mark Foley
I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware
in my /var/lib/clamav directory.

How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.

--Mark

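For the question asked here, and as a follow-on to the `clamscan -d ./test.yara` check Eric gives above, an added example that is not code from the thread or from the ClamAV project: a shell script that takes a rule file in clamd's DatabaseDirectory plus a sample you already know matches it, and checks in order that the file name carries an extension libclamav loads (`.yar` and `.yara` are both accepted, other names are ignored without any message), that the file is readable, that `clamscan` parses it on its own (exit status 2 means it would be rejected, and an invalid signature file makes clamd exit), that a scan against the whole directory rather than the single file reports the hit, and that a running clamd reports the same hit after `clamdscan --reload`. The default paths and the sample file are assumptions; set `DBDIR`, `RULE` and `SAMPLE` to match your install.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ClamAV project.
# Checks, step by step, whether a YARA file dropped into clamd's
# DatabaseDirectory is actually loaded, instead of inferring it from a
# hit that may never come.
set -eu

DBDIR="${DBDIR:-/var/lib/clamav}"          # DatabaseDirectory from clamd.conf (assumed default)
RULE="${RULE:-$DBDIR/testme.yara}"         # the rule file you dropped in (assumed name)
SAMPLE="${SAMPLE:-/tmp/testme-sample.txt}" # a file you already know matches that rule (assumed)

# libclamav loads YARA files from the database directory by extension:
# .yar and .yara are both accepted, anything else is skipped without a message.
loadable_name() {
    case "$1" in
        *.yar|*.yara) return 0 ;;
        *) return 1 ;;
    esac
}

# First rule name in a YARA file; clamscan reports a hit on it as
# YARA.<name>.UNOFFICIAL, the form seen in the thread.
rule_name() {
    sed -n 's/^[[:space:]]*rule[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Count "<file>: <signature> FOUND" lines in clamscan/clamdscan output on stdin.
found_count() {
    grep -c ' FOUND$' || true
}

# Pull "Known viruses: N" out of a clamscan summary on stdin; the number goes
# up by the number of rules when a YARA file is loaded.
known_sigs() {
    sed -n 's/^Known viruses:[[:space:]]*//p'
}

# Stand-alone parse check. clamscan exits 0 (clean), 1 (hit) or 2 (error);
# a rule file that gives 2 here is one clamd would refuse.
validate_rule() {
    tmp=$(mktemp)
    printf 'parse check\n' > "$tmp"
    if clamscan --no-summary -d "$1" "$tmp" >/dev/null 2>&1; then status=0; else status=$?; fi
    rm -f "$tmp"
    [ "$status" -ne 2 ]
}

# Does the directory loader see it? Scan the known-matching sample against
# the whole DatabaseDirectory (not just the rule file) and look for the hit.
loaded_from_dir() {
    out=$(clamscan --no-summary -d "$DBDIR" "$1" 2>&1 || true)   # exit 1 on a hit
    printf '%s\n' "$out" | grep -q "YARA\.$2\.UNOFFICIAL FOUND"
}

# Does the running daemon have it? Ask clamd to re-read its databases, then
# scan through it; this is the path clamav-milter uses.
loaded_in_clamd() {
    clamdscan --reload >/dev/null 2>&1
    clamdscan --no-summary "$1" 2>&1 | grep -q "YARA\.$2\.UNOFFICIAL FOUND"
}

main() {
    if ! loadable_name "$RULE"; then
        echo "$RULE: clamd loads only .yar/.yara files from $DBDIR"; return 0
    fi
    if [ ! -r "$RULE" ]; then
        echo "$RULE: missing or unreadable by $(id -un)"; return 0
    fi
    ls -l "$RULE"   # owner and mode must let the User from clamd.conf read it
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan is not installed here; skipping the live checks"; return 0
    fi
    name=$(rule_name "$RULE")
    if validate_rule "$RULE"; then echo "ok: $RULE parses"; else echo "FAIL: clamscan rejects $RULE"; return 0; fi
    if loaded_from_dir "$SAMPLE" "$name"; then echo "ok: loaded from $DBDIR"; else echo "FAIL: not loaded from $DBDIR"; fi
    if command -v clamdscan >/dev/null 2>&1 && loaded_in_clamd "$SAMPLE" "$name"; then
        echo "ok: live clamd reports YARA.$name.UNOFFICIAL on $SAMPLE"
    else
        echo "FAIL: clamd did not report YARA.$name.UNOFFICIAL on $SAMPLE"
    fi
}

main
```

The last two checks are the ones that answer the question: a hit from `clamscan -d "$DBDIR"` proves the directory loader picked the file up, and a hit from `clamdscan` after `--reload` proves the daemon that clamav-milter talks to has it, independent of any mail flow or milter logging.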