Re: [clamav-users] Limitation or bug in ClamAV's processing of Yara rules?
G.W. Haywood wrote:
> Hi Kris,
>
> On Thu, 15 Mar 2018, Kris Deugau wrote:
>> I'm still chasing signatures for a certain class of (very) oversized spam with malformed HTML.
> ...
> Would you be able to send me a few samples? Preferably with full headers.

I've been able to create logical (.ldb) variant signatures for nearly all of the examples I've had reported thanks to suggestions from Steve Basford, so I can't email them as the message would be blocked by our outgoing AV scan... So I've posted a .zip on my web space with four (small) more or less representative examples of the class.

Please note the full set of variations covers, essentially, "long strings of symbols in the
Re: [clamav-users] Limitation or bug in ClamAV's processing of Yara rules?
Hi Kris,

On Thu, 15 Mar 2018, Kris Deugau wrote:
> I'm still chasing signatures for a certain class of (very) oversized spam with malformed HTML.
...
Would you be able to send me a few samples? Preferably with full headers.

--
73,
Ged.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Limitation or bug in ClamAV's processing of Yara rules?
Mark Fortescue wrote:
> Hi
>
> I know nothing about YARA but you could try escaping the hash in case it is being treated as a comment line.
>
> e.g \#a > 1

The comment metasymbol for Yara rules is "//", but I tried this anyway as a long shot:

$ clamscan -d foo.yar
LibClamAV Error: yyerror(): foo.yar line 3 syntax error, unexpected '\\'
LibClamAV Error: cli_loadyara: failed to parse rules file foo.yar, error count 1

pretty much as expected. The rule is syntactically correct, otherwise Clam would throw a fit.

The ClamAV signature-writing guide makes no mention of this Yara feature being disabled, limited, or otherwise not implemented to match the Yara docs from http://yara.readthedocs.io/en/v3.5.0/; it *does* mention some other specific limits, so I would assume this should be working.

I don't think this is related to Clam's requirement for two-byte fixed references in patterns in all other pattern-matching signature types, since I have another Yara rule for a series of obfuscated JavaScript that uses a similar type of regex pattern.

-kgd

> Regards
> Mark.
>
> On 14/03/18 20:47, Kris Deugau wrote:
>> I'm still chasing signatures for a certain class of (very) oversized spam with malformed HTML. I've found an issue that is either an implementation limit or a bug in ClamAV's handling of Yara rules.
>>
>> I've narrowed it down to an issue with the "#" condition variant. For a rule like so:
>>
>> rule badstyle
>> {
>>   strings:
>>     $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
>>   condition:
>>     #a > 1
>> }
>>
>> and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag the message. (Note, this isn't what I'd use as a live signature!)
>>
>> If I change the condition to "$a" instead, it flags the message, so the expression for $a is valid and correct.
>>
>> Since this particular series of spams will require "#a > 100" (or higher counts) for safety, and none of the other signature types lend themselves very well to this particular type of pattern matching, I'm unable to use just a few signatures as above. Instead I've been using a crude workaround of setting up closing-on-hundreds of very similar logical signatures, or an extended list of 3-6 hex-coded character sequences in a single logical signature.
>>
>> -kgd
[clamav-users] Limitation or bug in ClamAV's processing of Yara rules?
I'm still chasing signatures for a certain class of (very) oversized spam with malformed HTML. I've found an issue that is either an implementation limit or a bug in ClamAV's handling of Yara rules.

I've narrowed it down to an issue with the "#" condition variant. For a rule like so:

rule badstyle
{
  strings:
    $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
  condition:
    #a > 1
}

and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag the message. (Note, this isn't what I'd use as a live signature!)

If I change the condition to "$a" instead, it flags the message, so the expression for $a is valid and correct.

Since this particular series of spams will require "#a > 100" (or higher counts) for safety, and none of the other signature types lend themselves very well to this particular type of pattern matching, I'm unable to use just a few signatures as above. Instead I've been using a crude workaround of setting up closing-on-hundreds of very similar logical signatures, or an extended list of 3-6 hex-coded character sequences in a single logical signature.

-kgd
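As an added illustration, not code from this thread nor from ClamAV or YARA: a Python emulation of the two conditions discussed above ("$a" versus "#a > N"), run with Python's re module on the rule's own regex against a constructed sample of malformed HTML. It also shows that a threshold such as "#a > 100" gives a different answer depending on whether a scanner counts non-overlapping matches or every offset where a ten-symbol run begins; which rule a given engine applies is an assumption here and should be checked against that engine.

```python
import re

# The pattern from the rule in the thread: a run of ten "symbol" characters.
SYMBOL_RUN = r"[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}"
NON_OVERLAPPING = re.compile(SYMBOL_RUN)
# Zero-width lookahead: reports a hit at every offset where a run of ten starts.
EVERY_OFFSET = re.compile(r"(?=" + SYMBOL_RUN + r")")

# Constructed sample (hypothetical, not one of the spam samples from the thread):
# malformed HTML with five blocks of 30 symbol characters, each bounded by the
# '<' and '>' of the surrounding tags, which the character class also matches,
# so every block is a run of 32 symbol characters.
SYMBOL_BLOCK = "!@#$%^&*()" * 3
SAMPLE = "<html><body><p>Hello</p>" + (SYMBOL_BLOCK + "<br>") * 5 + "</body></html>"


def count_matches(data: str) -> int:
    """Count non-overlapping matches, the way re.finditer scans (one reading of '#a')."""
    return sum(1 for _ in NON_OVERLAPPING.finditer(data))


def count_every_offset(data: str) -> int:
    """Count every offset at which a ten-symbol run begins (overlapping hits)."""
    return sum(1 for _ in EVERY_OFFSET.finditer(data))


def condition_any(data: str) -> bool:
    """Emulate 'condition: $a': at least one match anywhere in the data."""
    return NON_OVERLAPPING.search(data) is not None


def condition_count(data: str, threshold: int, overlapping: bool = False) -> bool:
    """Emulate 'condition: #a > threshold' under either counting rule."""
    n = count_every_offset(data) if overlapping else count_matches(data)
    return n > threshold


if __name__ == "__main__":
    # Five runs of 32 symbols: 3 non-overlapping matches each, 23 start offsets each.
    print("$a           :", condition_any(SAMPLE))
    print("#a (no ovl)  :", count_matches(SAMPLE))
    print("#a (overlap) :", count_every_offset(SAMPLE))
    print("#a > 100     :", condition_count(SAMPLE, 100),
          "/", condition_count(SAMPLE, 100, overlapping=True))
```

The same sample satisfies "$a" and "#a > 1" under both counting rules, but "#a > 100" only when every start offset is counted, which is why a high count threshold needs to be calibrated against the scanner that will actually evaluate it.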