Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steve basford

This was on the blog

YARA rules using any of the following features will be flagged in error, 
and the respective rules will be disabled:


Single byte YARA string components – currently in the ClamAV matcher, all 
strings, as well as components of strings delimited by wild cards, must be 
at least two bytes in length


External variables – variables referenced in YARA conditions whose value 
may be set using the ‘yara –d’ command line option.


Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



On 11 August 2016 18:33:49 Axb  wrote:


In that post the author states:

"I created some YARA rules that use the external variable „filename“ to
work. LOKI and THOR use the „filename“ and other external variables by
default."

Hmm... now how the heck do we get this to happen with ClamAV? :)

.. talking to myself...


On 08/11/2016 07:29 PM, Axb wrote:

Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/


see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.


On 08/11/2016 07:26 PM, Axb wrote:

I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA
engine?

Thanks!
Axb
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
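The two restrictions quoted above are easy to trip over when importing rule sets written for stock YARA (or for LOKI/THOR, which set external variables themselves). The script below is an added example for this thread, not ClamAV or YARA project code: a small Python lint that applies both checks to a .yar file before you hand it to clamscan, reporting string components under two bytes and any condition identifier that is neither a YARA keyword/builtin, a $string reference, nor another rule in the same file (in practice, an external variable such as `filename`). The keyword list, the minimal parser and the sample rules are assumptions made for the example; /regex/ strings and string modifiers are not measured.

```python
"""Lint a YARA file for the two constructs ClamAV's loader rejects (and
disables the rule for): string components under two bytes, and condition
identifiers declared nowhere in the file, i.e. probable external variables.
Added example for this thread, not ClamAV or YARA code; the builtin list,
the minimal parser and the sample rules are assumptions."""
import re
import sys

# Identifiers a condition may use without declaring them. Anything else that
# is not a $string reference or another rule in the same file is reported as
# a probable external variable (the `yara -d name=value` kind).
YARA_BUILTINS = {
    "and", "or", "not", "all", "any", "of", "them", "for", "in", "at",
    "true", "false", "filesize", "entrypoint", "contains", "matches",
    "int8", "int16", "int32", "uint8", "uint16", "uint32",
    "int8be", "int16be", "int32be", "uint8be", "uint16be", "uint32be",
}
MIN_COMPONENT_BYTES = 2  # ClamAV minimum per the blog excerpt quoted above

RULE_RE = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+(\w+)[^{]*\{(.*?)^\}",
    re.S | re.M)
# $name = "text" | { hex } | /regex/   (modifiers after the literal are ignored)
STRING_DEF_RE = re.compile(
    r'(\$\w*)\s*=\s*("(?:\\.|[^"\\])*"|\{[^}]*\}|/(?:\\.|[^/\\])*/)')
HEX_TOKEN_RE = re.compile(r"\[[^\]]*\]|[0-9A-Fa-f?]{2}|[()|]")
IDENT_RE = re.compile(r"(?<![$#@!\w.])[A-Za-z_]\w*")  # skips $s #s @s !s and x.y

def text_string_bytes(literal):
    """Byte length of a "..." literal; each escape (\\n, \\x00) counts as one."""
    return len(re.sub(r"\\x[0-9A-Fa-f]{2}|\\.", "X", literal[1:-1]))

def hex_components(literal):
    """Byte counts of the fixed runs in a { ... } string, split at wildcards
    (?? 4? ?4), jumps ([n-m]) and alternation brackets."""
    counts, run = [], 0
    for tok in HEX_TOKEN_RE.findall(literal[1:-1]):
        if len(tok) == 2 and "?" not in tok:  # a fixed byte extends the run
            run += 1
        elif run:                             # wildcard/jump ends the run
            counts.append(run)
            run = 0
    return counts + ([run] if run else [])

def sections(body):
    """(strings part, condition part) of one rule body; either may be empty."""
    s = re.search(r"\bstrings:", body)
    c = re.search(r"\bcondition:", body)
    cond_start = c.start() if c else len(body)
    strings_part = body[s.end():cond_start] if s and s.start() < cond_start else ""
    return strings_part, (body[c.end():] if c else "")

def lint_yara(text):
    """Map each rule name to its findings; an empty list means ClamAV-clean."""
    rules = RULE_RE.findall(text)
    rule_names = {name for name, _ in rules}
    report = {}
    for name, body in rules:
        findings = []
        strings_part, cond_part = sections(body)
        for sname, literal in STRING_DEF_RE.findall(strings_part):
            if literal[0] == '"':
                n = text_string_bytes(literal)
                if n < MIN_COMPONENT_BYTES:
                    findings.append(f"{sname}: text string is {n} byte(s)")
            elif literal[0] == "{":
                for i, n in enumerate(hex_components(literal), 1):
                    if n < MIN_COMPONENT_BYTES:
                        findings.append(f"{sname}: hex component {i} is {n} byte(s)")
        cond = re.sub(r'"(?:\\.|[^"\\])*"', '""', cond_part)  # blank out literals
        for ident in dict.fromkeys(IDENT_RE.findall(cond)):   # unique, in order
            if ident not in YARA_BUILTINS and ident not in rule_names:
                findings.append(f"undefined identifier {ident!r} (external variable?)")
        report[name] = findings
    return report

# Constructed sample: the rule from the thread plus two more.
SAMPLE_RULES = '''
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}
rule SingleByteComponents {
    strings:
        $a = "A"
        $b = { 4D 5A ?? 90 [2-4] 00 }
    condition: $a or $b
}
rule ClamOK {
    strings:
        $s1 = "blah"
        $s2 = { 4D 5A 90 00 }
    condition: ($s1 and $s2) or filesize < 1024
}
'''

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for rule, findings in lint_yara(src).items():
        print(rule, "OK" if not findings else "; ".join(findings))
```

Run it with a path argument to lint your own file, or with none to see the three sample rules: the thread's rule is reported for `filename`, the second rule for its one-byte text string and the two single-byte runs between the `??` wildcard and the `[2-4]` jump, and the third rule passes. It is a pre-flight check only; clamscan's own `cli_loadyara` errors remain the authority on what actually loads.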

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Benny Pedersen

On 2016-08-11 19:32, Axb wrote:

In that post the author states:

"I created some YARA rules that use the external variable „filename“
to work. LOKI and THOR use the „filename“ and other external variables
by default."

Hmm... now how the heck do we get this to happen with ClamAV? :)

.. talking to myself...


+1

Try looking at the foxhole rules; IMHO it can match filenames and sizes, but I wish 
it was more documented.


Also, logical signatures in ClamAV are very simple; I just wish they were more 
documented.


Try compiled YARA rules with ClamAV, not source rules; I don't know if that 
makes a difference for ClamAV.




Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb

In that post the author states:

"I created some YARA rules that use the external variable „filename“ to 
work. LOKI and THOR use the „filename“ and other external variables by 
default."


Hmm... now how the heck do we get this to happen with ClamAV? :)

.. talking to myself...


On 08/11/2016 07:29 PM, Axb wrote:

Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/


see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.


On 08/11/2016 07:26 PM, Axb wrote:

I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA
engine?

Thanks!
Axb

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb

Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/

see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.


On 08/11/2016 07:26 PM, Axb wrote:

I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA
engine?

Thanks!
Axb


Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb
I picked the filename condition from a sample rule on a web site with a 
number of yara rules.

Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA engine?

Thanks!
Axb


Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steven Morgan
filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:

> Guys,
>
> clamscan --database=test.yar blah.html
> LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
> LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
> test.yar: OK
> blah.html: OK
>
> test.yar
> rule TEST_BLAH_FILENAME
> {
>     strings:
>         $BLAH = "blah"
>     condition:
>         $BLAH and filename == "blah.html"
> }
>
> Am I missing something? or is filename unsupported by ClamAV's YARA engine?
>
> Thanks!
> Axb


[clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb

Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA engine?

Thanks!
Axb