Re: [clamav-users] Limitation or bug in ClamAV's processing of Yara rules?

2018-03-19 Thread Kris Deugau

G.W. Haywood wrote:

Hi Kris,

On Thu, 15 Mar 2018, Kris Deugau wrote:


I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. ...


Would you be able to send me a few samples?  Preferably with full headers.


I've been able to create logical (.ldb) variant signatures for nearly 
all of the examples I've had reported thanks to suggestions from Steve 
Basford, so I can't email them as the message would be blocked by our 
outgoing AV scan...


So I've posted a .zip on my web space with four (small) more or less 
representative examples of the class.  Please note the full set of 
variations cover, essentially, "long strings of symbols in the 

Re: [clamav-users] Limitation or bug in ClamAV's processing of Yara rules?

2018-03-17 Thread G.W. Haywood

Hi Kris,

On Thu, 15 Mar 2018, Kris Deugau wrote:


I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. ...


Would you be able to send me a few samples?  Preferably with full headers.

--

73,
Ged.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Limitation or bug in ClamAV's processing of Yara rules?

2018-03-16 Thread Kris Deugau

Mark Fortescue wrote:

Hi

I know nothing about YARA but you could try escaping the hash in case it 
is being treated as a comment line.


e.g. \#a > 1


The comment metasymbol for Yara rules is "//", but I tried this anyway 
as a long shot:


$ clamscan -d foo.yar
LibClamAV Error: yyerror(): foo.yar line 3 syntax error, unexpected '\\'
LibClamAV Error: cli_loadyara: failed to parse rules file foo.yar, error count 1


pretty much as expected.

The rule is syntactically correct, otherwise Clam would throw a fit.

The ClamAV signature-writing guide makes no mention of this Yara feature 
being disabled, limited, or otherwise not implemented to match the Yara 
docs from http://yara.readthedocs.io/en/v3.5.0/;  it *does* mention some 
other specific limits so I would assume this should be working.


I don't think this is related to Clam's requirement for two-byte fixed 
references in patterns in all other pattern-matching signature types, 
since I have another Yara rule for a series of obfuscated Javascript 
that uses a similar type of regex pattern.


-kgd




Regards
 Mark.

On 14/03/18 20:47, Kris Deugau wrote:

I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML.  I've found an issue that is either an
implementation limit or a bug in ClamAV's handling of Yara rules.

I've narrowed it down to an issue with the "#" condition variant.

For a rule like so:

rule badstyle {
  strings:
    $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
  condition:
    #a > 1
}

and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag
the message.  (Note, this isn't what I'd use as a live signature!)

If I change the condition to "$a" instead, it flags the message, so the
expression for $a is valid and correct.

Since this particular series of spams will require "#a > 100" (or higher
counts) for safety, and none of the other signature types lend
themselves very well to this particular type of pattern matching, I'm
unable to use just a few signatures as above.  Instead I've been using a
crude workaround of setting up closing-on-hundreds of very similar
logical signatures, or an extended list of 3-6 hex-coded character
sequences in a single logical signature.

-kgd






[clamav-users] Limitation or bug in ClamAV's processing of Yara rules?

2018-03-14 Thread Kris Deugau
I'm still chasing signatures for a certain class of (very) oversized 
spam with malformed HTML.  I've found an issue that is either an 
implementation limit or a bug in ClamAV's handling of Yara rules.


I've narrowed it down to an issue with the "#" condition variant.

For a rule like so:

rule badstyle {
  strings:
    $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
  condition:
    #a > 1
}

and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag 
the message.  (Note, this isn't what I'd use as a live signature!)


If I change the condition to "$a" instead, it flags the message, so the 
expression for $a is valid and correct.


Since this particular series of spams will require "#a > 100" (or higher 
counts) for safety, and none of the other signature types lend 
themselves very well to this particular type of pattern matching, I'm 
unable to use just a few signatures as above.  Instead I've been using a 
crude workaround of setting up closing-on-hundreds of very similar 
logical signatures, or an extended list of 3-6 hex-coded character 
sequences in a single logical signature.


-kgd
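The test Kris describes (the same rule with "$a" versus "#a > 1" versus "#a > 100", run against a message full of symbol runs) is easy to automate. The harness below is an added example written for this page; it is not code from the thread or from the ClamAV project. It renders the rule with a chosen condition, builds a constructed sample message (not one of the real spams) with a known number of 13-symbol runs, counts the 10-symbol runs with Python's non-overlapping regex semantics as a rough stand-in for YARA's #a, and, if clamscan is on PATH, runs it with the rendered rule as the only database and returns the exit code. The Python count is an approximation only: YARA can report matches at overlapping offsets, so its #a figure need not agree with it; the clamscan verdict is the one that matters.

```python
"""Harness for the '#a > N' vs '$a' YARA-condition test discussed in the thread."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Same character class as the $a string in the posted rule, in Python re syntax.
SYMBOL_RUN = re.compile(r"[~!@#$%^&*()_+`\[\]{}|<>/?]{10}")

# The $a string exactly as posted in the thread; only the condition varies.
YARA_STRING = r"/[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/"


def yara_rule(condition: str, name: str = "badstyle") -> str:
    """Render the thread's rule with the chosen condition ("$a", "#a > 1", "#a > 100")."""
    return (
        f"rule {name} {{\n"
        "  strings:\n"
        f"    $a = {YARA_STRING}\n"
        "  condition:\n"
        f"    {condition}\n"
        "}\n"
    )


def build_sample(runs: int) -> bytes:
    """Constructed stand-in for the oversized malformed-HTML spam (not one of the
    real samples): `runs` separate symbol runs between tags, each long enough
    for exactly one non-overlapping 10-symbol match."""
    junk = "<>{}[]|~!@#$%"  # 13 symbol characters, all inside the $a class
    body = "".join(f"<p>{junk}</p> word\n" for _ in range(runs))
    return f"<html><body>\n{body}</body></html>\n".encode("latin-1")


def count_symbol_runs(data: bytes) -> int:
    """Count 10-symbol runs with Python's non-overlapping findall. This is only
    a stand-in for YARA's #a: YARA can report matches at overlapping offsets,
    so the two figures need not agree."""
    return len(SYMBOL_RUN.findall(data.decode("latin-1")))


def clamscan_verdict(rule_text: str, sample: bytes):
    """Run clamscan with the rule as the only database. Returns the exit code
    (0 = clean, 1 = signature matched, 2 = error) or None when clamscan is not
    on PATH, so the function is safe to call on a machine without it."""
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        rule = Path(tmp, "badstyle.yar")
        rule.write_text(rule_text)
        target = Path(tmp, "sample.eml")
        target.write_bytes(sample)
        proc = subprocess.run(
            [exe, "--no-summary", "-d", str(rule), str(target)],
            capture_output=True, text=True, check=False,
        )
        return proc.returncode


if __name__ == "__main__":
    sample = build_sample(150)
    print("10-symbol runs in constructed sample:", count_symbol_runs(sample))
    for condition in ("$a", "#a > 1", "#a > 100"):
        verdict = clamscan_verdict(yara_rule(condition), sample)
        print(f"condition {condition!r:10} -> clamscan exit code {verdict}")
```

With ClamAV installed, the behaviour reported in the thread shows up as exit code 1 for the "$a" variant and 0 for the "#a > 1" and "#a > 100" variants on the same sample; a 2 means clamscan refused the rule or the file, and the stderr it prints is the place to look.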