Re: Yara not scanning all file content

2023-08-24 Thread Fernando Mercês
You're welcome. That was a good discussion. Thanks for that too.

On Thu, Aug 24, 2023 at 3:28 AM neslihan hanecioglu <
neslihanecio...@gmail.com> wrote:

> Hello,
>
> Thank you very much for taking your time and for your help Sir.
>
> Sincerely.
>
> On Thursday, 24 August 2023 at 02:24:23 UTC+3, nan...@gmail.com wrote:
>
>> Hello!
>>
>> I don't think it is possible to control how much of the file libyara
>> *reads*. You could try fast matching mode, but I believe libyara would
>> still load the whole file to memory before starting matching your rules
>> regardless of how these rules are written.
>>
>> I believe nothing can be faster than reading a smaller buffer, but then
>> you cannot control its size from the rules themselves. See:
>>
>> $ dd if=/dev/zero bs=1GB count=1 of=1gb
>> 1+0 records in
>> 1+0 records out
>> 1000000000 bytes (1.0 GB, 954 MiB) copied, 0.95126 s, 1.1 GB/s
>>
>> $ cat /bin/ls 1gb > bigfile # just to have a match
>>
>> $ cat normal.py
>> import yara
>> import sys
>> rules = yara.compile(source='rule test_elf { strings: $a = "ELF" condition: $a in (0..99) }')
>> matches = rules.match(filepath=sys.argv[1])
>>
>> $ time python normal.py bigfile
>> real    0m1.532s
>> user    0m1.512s
>> sys     0m0.020s
>>
>> $ cat fast.py
>> import yara
>> import sys
>> rules = yara.compile(source='rule test_elf { strings: $a = "ELF" condition: $a in (0..99) }')
>> matches = rules.match(filepath=sys.argv[1], fast=True)
>>
>> $ time python fast.py bigfile
>> real    0m1.052s
>> user    0m1.032s
>> sys     0m0.020s
>>
>> $ cat read100.py
>> import yara
>> import sys
>> rules = yara.compile(source='rule test_elf { strings: $a = "ELF" condition: $a in (0..99) }')
>> with open(sys.argv[1], 'rb') as f:
>>     matches = rules.match(data=f.read(100))
>>
>> $ time python read100.py bigfile
>> real    0m0.012s
>> user    0m0.012s
>> sys     0m0.000s
>>
>> I'm not a YARA developer, but I think this happens because
>> reading/mapping a file to memory and matching it against rules are two
>> separate steps. Think programmatically: to implement what you want, the devs
>> would have to first examine the rules to see if there's one or more
>> conditions limiting the amount of bytes that should be matched. So, a
>> condition such as "$a in (0..99)" should cause libyara to read only 100
>> bytes from the file. However, if this condition is "$a in (0..99) or $b",
>> then libyara should read the whole file, because $b can be anywhere. It'd
>> be a complex process. I don't know if you can do this without patching
>> libyara, sorry. Maybe a dev could help here.
>>
>> Thanks,
>> Fernando
>>
>> On Wed, Aug 23, 2023 at 3:18 AM neslihan hanecioglu 
>> wrote:
>>
>>> Hello,
>>>
>>> Thank you, Sir, for your help. But I want to give the file to yara in python
>>> for speed, because yara extracts the content of the file and examines the file
>>> very fast. I searched for this problem in python; unfortunately I could not find
>>> anything. For example, I used the following rule but yara still reads the full
>>> file.
>>>
>>> rule SearchRegexdInPartOfAFile {
>>>     strings:
>>>         $a = /([1-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])/
>>>
>>>     condition:
>>>         $a in (0..100)
>>> }
>>>
>>> As I explained, I want to search for "a" in the first 100 bytes of the file. If
>>> "a" is found, return the match result. Otherwise stop examining the file. Speed
>>> is more important for me. I guess I cannot do it with a python script in any way.
>>>
>>> On Tuesday, 22 August 2023 at 22:52:48 UTC+3, nan...@gmail.com wrote:
>>>
 Hello, have a look at the -z switch in the yara command manual (*man yara*
 or the online manual).

 If you want to do this programmatically, you can just read the first
 200KB of the file before passing it to libyara. ;)

 Best,


 On Tue, Aug 22, 2023 at 9:34 AM neslihan hanecioglu <
 nesliha...@gmail.com> wrote:

> Hi,
>
> During file scanning, I do not want to examine past a certain size. For
> example, for a 100 MB file, I want to scan the first 200 KB and get its match
> result, not scanning after 200 KB. How can I achieve this with a yara rule or
> python script? I want to give the full file to Yara and have Yara not read the
> full text, as I explained above. It is important for speed.
>
> Thank you for response.
> Sincerely.
>
> --
> You received this message because you are subscribed to the Google
> Groups "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to yara-project...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/c016a513-da34-4b25-88b6-f8b3367395e5n%40googlegroups.com
> 

Re: Yara not scanning all file content

2023-08-23 Thread Fernando Mercês
Hello!

I don't think it is possible to control how much of the file libyara *reads*.
You could try fast matching mode, but I believe libyara would still load
the whole file to memory before starting matching your rules regardless of
how these rules are written.

I believe nothing can be faster than reading a smaller buffer, but then you
cannot control its size from the rules themselves. See:

$ dd if=/dev/zero bs=1GB count=1 of=1gb
1+0 records in
1+0 records out
1000000000 bytes (1.0 GB, 954 MiB) copied, 0.95126 s, 1.1 GB/s

$ cat /bin/ls 1gb > bigfile # just to have a match

$ cat normal.py
import yara
import sys
rules = yara.compile(source='rule test_elf { strings: $a = "ELF" condition: $a in (0..99) }')
matches = rules.match(filepath=sys.argv[1])

$ time python normal.py bigfile
real    0m1.532s
user    0m1.512s
sys     0m0.020s

$ cat fast.py
import yara
import sys
rules = yara.compile(source='rule test_elf { strings: $a = "ELF" condition: $a in (0..99) }')
matches = rules.match(filepath=sys.argv[1], fast=True)

$ time python fast.py bigfile
real    0m1.052s
user    0m1.032s
sys     0m0.020s

$ cat read100.py
import yara
import sys
rules = yara.compile(source='rule test_elf { strings: $a = "ELF" condition: $a in (0..99) }')
with open(sys.argv[1], 'rb') as f:
    matches = rules.match(data=f.read(100))

$ time python read100.py bigfile
real    0m0.012s
user    0m0.012s
sys     0m0.000s

I'm not a YARA developer, but I think this happens because reading/mapping
a file to memory and matching it against rules are two separate steps.
Think programmatically: to implement what you want, the devs would have to
first examine the rules to see if there's one or more conditions limiting
the amount of bytes that should be matched. So, a condition such as "$a in
(0..99)" should cause libyara to read only 100 bytes from the file.
However, if this condition is "$a in (0..99) or $b", then libyara should
read the whole file, because $b can be anywhere. It'd be a complex process.
I don't know if you can do this without patching libyara, sorry. Maybe a
dev could help here.

Thanks,
Fernando

On Wed, Aug 23, 2023 at 3:18 AM neslihan hanecioglu <
neslihanecio...@gmail.com> wrote:

> Hello,
>
> Thank you, Sir, for your help. But I want to give the file to yara in python for
> speed, because yara extracts the content of the file and examines the file very
> fast. I searched for this problem in python; unfortunately I could not find
> anything. For example, I used the following rule but yara still reads the full
> file.
>
> rule SearchRegexdInPartOfAFile {
>     strings:
>         $a = /([1-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])/
>
>     condition:
>         $a in (0..100)
> }
>
> As I explained, I want to search for "a" in the first 100 bytes of the file. If
> "a" is found, return the match result. Otherwise stop examining the file. Speed
> is more important for me. I guess I cannot do it with a python script in any way.
>
> On Tuesday, 22 August 2023 at 22:52:48 UTC+3, nan...@gmail.com wrote:
>
>> Hello, have a look at the -z switch in the yara command manual (*man yara*
>> or the online manual).
>>
>> If you want to do this programmatically, you can just read the first
>> 200KB of the file before passing it to libyara. ;)
>>
>> Best,
>>
>>
>> On Tue, Aug 22, 2023 at 9:34 AM neslihan hanecioglu 
>> wrote:
>>
>>> Hi,
>>>
>>> During file scanning, I do not want to examine past a certain size. For
>>> example, for a 100 MB file, I want to scan the first 200 KB and get its match
>>> result, not scanning after 200 KB. How can I achieve this with a yara rule or
>>> python script? I want to give the full file to Yara and have Yara not read the
>>> full text, as I explained above. It is important for speed.
>>>
>>> Thank you for response.
>>> Sincerely.
>>>
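
Fernando's suggestion of reading a prefix yourself and handing it to libyara with data= can be wrapped in a small helper. The following is an added example for this thread, not code from the list or from the YARA project; it assumes yara-python is installed (the file helpers run without it), and the sample file is constructed, not a real binary. Besides the speed point, it shows the check worth doing before adopting the trick: with data=, libyara only ever sees the buffer, so filesize inside a rule is the buffer length and any string past the cut is invisible. A size-only rule therefore fires on the 100-byte prefix but not on the full file.

```python
"""Scan only the first N bytes of a file with yara-python (added example)."""
import os
import tempfile

try:
    import yara  # assumption: yara-python is installed (pip install yara-python)
except ImportError:
    yara = None

YARA_AVAILABLE = yara is not None

# The thread's rule, plus a size-only rule to expose the filesize caveat.
RULE_SRC = r'''
rule test_elf {
    strings:
        $a = "ELF"
    condition:
        $a in (0..99)
}

rule small_file {
    condition:
        filesize < 1KB
}
'''


def make_sample(size=1024 * 1024):
    """Write a constructed sample: ELF magic followed by zero padding.
    Not a real binary; just enough to make test_elf match. Returns its path."""
    fd, path = tempfile.mkstemp(prefix="yara-prefix-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x7fELF")
        f.write(b"\x00" * (size - 4))
    return path


def read_prefix(path, limit):
    """Read at most `limit` bytes from the start of the file; the rest is never loaded."""
    with open(path, "rb") as f:
        return f.read(limit)


def scan_prefix(rules, path, limit):
    """Match the rules against the first `limit` bytes only.
    Inside the rules, filesize is now len(prefix), not the size on disk."""
    prefix = read_prefix(path, limit)
    return sorted(m.rule for m in rules.match(data=prefix))


def scan_full(rules, path):
    """Reference: let libyara map the whole file (what the list discussion timed)."""
    return sorted(m.rule for m in rules.match(filepath=path))


def demo(limit=100):
    """Compare both scans on a 1 MiB constructed sample.
    The prefix scan reports ['small_file', 'test_elf'] because filesize == 100
    for the buffer; the full scan reports only ['test_elf']."""
    if not YARA_AVAILABLE:
        raise RuntimeError("yara-python is required for demo()")
    rules = yara.compile(source=RULE_SRC)
    path = make_sample()
    try:
        return {"prefix": scan_prefix(rules, path, limit), "full": scan_full(rules, path)}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())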

Re: Yara not scanning all file content

2023-08-22 Thread Fernando Mercês
Hello, have a look at the -z switch in yara command manual (*man yara* or
here ).

If you want to do this programmatically, you can just read the first 200KB
of the file before passing it to libyara. ;)

Best,


On Tue, Aug 22, 2023 at 9:34 AM neslihan hanecioglu <
neslihanecio...@gmail.com> wrote:

> Hi,
>
> During the file scanning, I do not want to examine after a certain size.
> For example, for a 100 mb file, I want to scan the first 200 kb and get its
> match result, Not scanning after 200kb. Wow can i achieve this with yara
> rule or python script. I wan to give full file to Yara and Yara not read
> full text as I explained the above. It is important for speed.
>
> Thank you for response.
> Sincerely.
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/c016a513-da34-4b25-88b6-f8b3367395e5n%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17NeeTzTL7hFG3m_zQZ3j0a5N7vt5xD-cZ6sE6KjW6t3%2Bw%40mail.gmail.com.


Re: Yara for executable

2022-11-05 Thread Fernando Mercês
Hello.

Do you mean Windows executables? If so, there's a PE module you should use.
A sample rule is as follows:

import "pe"

rule exe {
   condition:
  pe.is_pe
  and not (pe.characteristics & pe.DLL)
  and pe.subsystem != pe.SUBSYSTEM_NATIVE
}

The above rule matches executables (.exe) only. The second condition
prevents the rule from matching DLLs (.dll) and the third condition
prevents it from matching Windows drivers (.sys). Feel free to change it to
meet your needs. ;)

Please, check the module documentation for other possible conditions [1].

When you are happy with your rule, you can use the -r / --recursive option
from the command-line with yara [2].

Good luck!

[1] https://yara.readthedocs.io/en/latest/modules/pe.html
[2] https://yara.readthedocs.io/en/latest/commandline.html


On Wed, Oct 26, 2022 at 11:08 PM SJGG  wrote:

> Any solution or help on this ask?
>
> On Tuesday, 28 June 2022 at 00:39:58 UTC-4 muhammadz...@gmail.com wrote:
>
>> I want to write yara rule to detect only executable files in any drive,
>> can any one help  me out
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/20f17ce5-9f57-4cfb-ac5f-1948378380d9n%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17Oa8dNUeEKnqq%3DBX1bHjWBvGv_kbenp3%3DdkXLM-O8UdFQ%40mail.gmail.com.


Re: Using YARA in .NET WinForms (C#)

2022-11-01 Thread Fernando Mercês
Hello!

Apparently, there are a few wrappers for libyara in .NET. I've never used
them, but if you search for "yara .net library", results include
https://github.com/microsoft/libyara.NET and
https://www.nuget.org/packages/dnYara

Thanks,
Fernando

On Sun, Oct 9, 2022 at 10:33 AM Z_SnakeSilent Area 51 <
asskickerlma...@gmail.com> wrote:

> Hello, i want to use yara in a c# project with the rules and conditions of
> a yar file
>
> how i can do it?
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/79bccd31-ca76-4eae-802c-5ef6a6d617ddn%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17PugH0iuR7pdTNdPa2u5dPHHOk%2BRAQgCkXPP7BLngxoCg%40mail.gmail.com.


Re: Malware Detection using Fuzzy Yara Rules

2021-02-18 Thread Fernando Mercês
Hi Ryan,

I found your message a bit confusing. You started talking about malware 
(samples), then you mentioned you created a web app to detect malicious URLs. 
And then you say you’re lost, but what exactly are you targeting? I don’t think 
Yara is that binary. Some thoughts:


  *   The sensitivity of a Yara rule can be lowered to simulate what a fuzzy 
approach would be. For example, instead of “all of them” you can have 
conditions like “2 of them” or “any of them”. So, a system may have different 
rulesets more or less aggressive, depending on what you want.
  *   AFAIK Virus Total API is limited to 4 requests per minute if you are not 
paid user. This can create a bottleneck in your system. Actually, why do you 
need Virus Total in this case?
  *   Yara has support for ssdeep, which is a fuzzy hash algorithm. Also, it 
can be extended to include TLSH [2] and telfhash [3] for instance. Or any other 
fuzzy, or locally sensitive hash you want. You just have to create a module and 
that would be a great contribution to Yara. 

Hope that helps and sorry if I didn’t really answer your question.

[1] https://ssdeep-project.github.io/ssdeep/index.html
[2] https://github.com/trendmicro/tlsh
[3] https://github.com/trendmicro/telfhash

Thanks,
Fernando


From: yara-project@googlegroups.com  on behalf 
of Ryan Choy 
Date: Monday, 15 February 2021 21:15
To: YARA 
Subject: Malware Detection using Fuzzy Yara Rules

I am currently doing a dissertation/project and below is the description of the 
project

Yara rules are one of the most popular and widely used methods for malware 
detection. Yara rules basically describe patterns that identify particular 
strains or entire families of malware. Its success or failure is dependent on 
the quality of rules employed for malware triaging. Yara rules define 
everything in binary logic, either true or false, which may lead to inaccuracy 
in malware detection. Fuzzy inference systems use fuzzy rules to reason, where 
fuzzy rules extend the traditional binary logic to infinite valued logic, which 
therefore can be used to address the drawbacks of Yara rules. This project aims 
to develop a prototype fuzzy Yara rule system for malware detection using 
publicly available datasets. (python)

What i did so far is creating a web application built using django to detect 
malicious URL(s) which include phishing/social engineering/malware infected 
URL(s) (I could just focus on maybe ransomeware) as I have only done the web 
user interface only and for the malware database I planned to get from github 
and will be using VirusTotal API. I am really lost right now :(

Anyone could just guide me just the brief of what to do  will be good enough as 
the implementation is the hardest for me
--
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/77a039e6-e5b8-4085-b5e2-360c94f0033an%40googlegroups.com.

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/DM6PR10MB3900FD30A44DC0BAC8D11A6AA6859%40DM6PR10MB3900.namprd10.prod.outlook.com.


Re: PE rule matches when run under yara-python but not in yara ??!

2020-07-07 Thread Fernando Mercês
Hi again.

Sorry, I now see you mentioned you're using yara-python 4.0.2 (pip). Well,
I don't know why but pip3 says my 3.10.0 version is up to date. I'm not
that familiar with yara-python (I don't know if it follows yara version
numbers for instance). I couldn't install this 4.0.2 version to test. :(

Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Tue, Jul 7, 2020 at 5:37 PM Fernando Mercês  wrote:

> Hi,
>
> I couldn't reproduce it here.
>
> $ cat test_odd_pe_py_match.yara
> import "pe"
>
> rule Odd_PE_Entry_Point
> {
> condition:
> uint16(0) == 0x5a4d and
> ((pe.entry_point >= pe.sections[pe.number_of_sections -
> 1].raw_data_offset) or (not
> pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
> }
>
> $ yara -v
> 4.0.2
>
> $ yara test_odd_pe_py_match.yara
> 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8
>
> $ python3
> Python 3.7.8 (default, Jul  4 2020, 10:17:17)
> [Clang 11.0.3 (clang-1103.0.32.62)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import yara
> >>> scan = yara.compile("./test_odd_pe_py_match.yara")
> >>>
> scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8")
> []
> >>> yara.__version__
> '3.10.0'
>
> What's the yara-python version you're using?
>
> Att,
>
> Fernando Mercês <https://twitter.com/mer0x36> | menteb.in
>
>
> On Tue, Jul 7, 2020 at 3:10 PM Wes Hurd <13hu...@gmail.com> wrote:
>
>> Hi,
>>
>> This is running with the following versions on macOS 10.14.6:
>>
>> *yara 4.0.2 homebrew*
>>
>>
>> *yara-python 4.0.2 (pip) *
>> *Python 3.7.7*
>>
>> I'm having a really weird case where a rule using pe module is
>> unexpectedly matching certain files when run under yara-python , but not
>> matching if running the yara binary directly.
>>
>> Running on this PE file:
>> https://www.virustotal.com/gui/file/154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8/details
>>
>> "test_odd_pe_py_match.yara":
>> rule Odd_PE_Entry_Point
>> {
>> condition:
>> uint16(0) == 0x5a4d and
>> ((pe.entry_point >= pe.sections[pe.number_of_sections - 1].
>> raw_data_offset) or (not pe.sections[pe.section_index(pe.entry_point)].name
>> contains ".text"))
>> }
>>
>>
>>
>> Python :
>> import yara
>> #print(yara.__version__)
>>
>> try:
>> scan = yara.compile("./test_odd_pe_py_match.yara")
>> except yara.Error as e:
>> print("YARA compile error:", e)
>>
>> matches = scan.match(filepath=
>> "154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe")
>> print(matches)
>>
>> [Odd_PE_Entry_Point]
>>
>>
>>
>> yara bin:
>> $ yara test_odd_pe_py_match.yara
>> 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe
>>
>> $
>> No matches
>>
>>
>> Can someone tell what's going on here ?
>> It seems to me there is some sort of either rule parsing bug under
>> python, or race condition that causes the python run to match when the
>> binary doesn't.
>>
>> Thanks,
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to yara-project+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com
>> <https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com?utm_medium=email_source=footer>
>> .
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17OEu1P9sfdbOKYfCMhFkaFajTE6Jfns9U%3DGJhLHcggROg%40mail.gmail.com.


Re: PE rule matches when run under yara-python but not in yara ??!

2020-07-07 Thread Fernando Mercês
Hi,

I couldn't reproduce it here.

$ cat test_odd_pe_py_match.yara
import "pe"

rule Odd_PE_Entry_Point
{
condition:
uint16(0) == 0x5a4d and
((pe.entry_point >= pe.sections[pe.number_of_sections -
1].raw_data_offset) or (not
pe.sections[pe.section_index(pe.entry_point)].name contains ".text"))
}

$ yara -v
4.0.2

$ yara test_odd_pe_py_match.yara
154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8

$ python3
Python 3.7.8 (default, Jul  4 2020, 10:17:17)
[Clang 11.0.3 (clang-1103.0.32.62)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>> scan = yara.compile("./test_odd_pe_py_match.yara")
>>>
scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8")
[]
>>> yara.__version__
'3.10.0'

What's the yara-python version you're using?

Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Tue, Jul 7, 2020 at 3:10 PM Wes Hurd <13hu...@gmail.com> wrote:

> Hi,
>
> This is running with the following versions on macOS 10.14.6:
>
> *yara 4.0.2 homebrew*
>
>
> *yara-python 4.0.2 (pip) *
> *Python 3.7.7*
>
> I'm having a really weird case where a rule using pe module is
> unexpectedly matching certain files when run under yara-python , but not
> matching if running the yara binary directly.
>
> Running on this PE file:
> https://www.virustotal.com/gui/file/154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8/details
>
> "test_odd_pe_py_match.yara":
> rule Odd_PE_Entry_Point
> {
> condition:
> uint16(0) == 0x5a4d and
> ((pe.entry_point >= pe.sections[pe.number_of_sections - 1].
> raw_data_offset) or (not pe.sections[pe.section_index(pe.entry_point)].name
> contains ".text"))
> }
>
>
>
> Python :
> import yara
> #print(yara.__version__)
>
> try:
> scan = yara.compile("./test_odd_pe_py_match.yara")
> except yara.Error as e:
> print("YARA compile error:", e)
>
> matches = scan.match(filepath=
> "154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe")
> print(matches)
>
> [Odd_PE_Entry_Point]
>
>
>
> yara bin:
> $ yara test_odd_pe_py_match.yara
> 154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8.exe
>
> $
> No matches
>
>
> Can someone tell what's going on here ?
> It seems to me there is some sort of either rule parsing bug under python,
> or race condition that causes the python run to match when the binary
> doesn't.
>
> Thanks,
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com
> <https://groups.google.com/d/msgid/yara-project/48c4b198-182b-4f28-aecd-90db120ef1c8o%40googlegroups.com?utm_medium=email_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17N%3DczeTZnETbR3rmWsnyJ43yHg4Bmd_rRWBgq%2Bf4qdPMQ%40mail.gmail.com.


Re: Yara error: includes depth exceeded

2020-03-02 Thread Fernando Mercês
Hi!

The rule looks fine, except that there is another rule under "condition"
that is not shown (APT1_payloads). Apparently, your problem is related to
the number of nested "include" directives [1], which is currently set to 16
in Yara source code [2]. Maybe it's the way Cortex works I don't know but
I'd look at the rules and/or Cortex source code to make sure. ;-)

If you want to replicate the error, just try to use more than 16 "include"
directive with yara:

$ for i in {1..16}; do echo "include \"$(($i+1)).yar\"" > $i.yar; done
$ >17.yar
$ yara 1.yar 1.yar
16.yar(1): error: includes depth exceeded

Hope that helps.

[1] https://yara.readthedocs.io/en/latest/writingrules.html#including-files
[2]
https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/limits.h#L107

Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Sat, Feb 29, 2020 at 7:17 AM Ed Qartah  wrote:

> Hi,
>
> I'm using Yara with Cortex. I'm not able to understand the reason behind
> this error. includes depth exceeded
>
> Invalid output
> Traceback (most recent call last):
>   File "Yara/yara_analyzer.py", line 71, in 
> YaraAnalyzer().run()
>   File "Yara/yara_analyzer.py", line 23, in __init__
> self.ruleset.append(yara.compile(rulepath))
> yara.SyntaxError: 
> /opt/Cortex-Analyzers/analyzers/Yara/rules/research/APT1_aspnetreport.yar(1480):
>  includes depth exceeded
>
>
>
> rule APT1_aspnetreport
>
> {
>
> meta:
>
> author = "AlienVault Labs"
>
> info = "CommentCrew-threat-apt1"
>
>
> strings:
>
> $url = "aspnet_client/report.asp" wide ascii
>
> $param = "name=%s=%c=%04d=%s" wide ascii
>
> condition:
>
> $url and $param and APT1_payloads
>
> }
>
>
> Any help is appreciated.
>
> Ayed
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/dbe9083b-f683-4c53-baf9-21949703b4f7%40googlegroups.com
> <https://groups.google.com/d/msgid/yara-project/dbe9083b-f683-4c53-baf9-21949703b4f7%40googlegroups.com?utm_medium=email_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17M8kLWT7_hgvtvNYR8NXmK8QmvNJAUhn1xD2uA9PY-vkw%40mail.gmail.com.


Re: Exact string match

2019-12-24 Thread Fernando Mercês
Hello.

Check if if helps
https://yara.readthedocs.io/en/latest/writingrules.html#searching-for-full-words
;-)

Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Tue, Dec 24, 2019 at 4:21 AM Nibin V M  wrote:

> Hello,
>
> Is it possible to write rules for exact string match? That is, I want to
> detect string "fish" but not "fishing".
>
> Thanks in advance.
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/98cf09f1-7453-4a7d-9729-8aa97dde8156%40googlegroups.com
> <https://groups.google.com/d/msgid/yara-project/98cf09f1-7453-4a7d-9729-8aa97dde8156%40googlegroups.com?utm_medium=email_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17MsmNnSmGVq5OY7M%3DZ%3DWjZNMb_vGFANn%2BXEmkUX8dX8_Q%40mail.gmail.com.


Re: I am very new to Yara and let me know which IDE is best for YARA rules

2019-07-22 Thread Fernando Mercês
I like to use Visual Studio code with the YARA extension to highlight the
ruleset files (I use .yar). :)

Name: YARA
Id: infosec-intern.yara
Description: Rich language support for the YARA pattern matching language
Version: 1.3.5
Publisher: infosec-intern
VS Marketplace Link:
https://marketplace.visualstudio.com/items?itemName=infosec-intern.yara

Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Mon, Jul 22, 2019 at 6:35 AM safeer muhammed 
wrote:

> I am very new to Yara and let me know which IDE is best for YARA rules
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/369f2c26-01fa-4bb8-9cd8-0716597fc988%40googlegroups.com
> <https://groups.google.com/d/msgid/yara-project/369f2c26-01fa-4bb8-9cd8-0716597fc988%40googlegroups.com?utm_medium=email_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/CAM7p17MzZfy4LnjiCjzqraobhpZjgyEygga%2BOzjxOr7MZjGdNg%40mail.gmail.com.


Re: Yara Regex on matching any URL

2019-07-05 Thread Fernando Mercês
By the way, there is an open pull request to add a "URL module" do Yara:
https://github.com/VirusTotal/yara/pull/1085

Not sure how it'll end up though. :)

Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Wed, Jul 3, 2019 at 12:42 PM John Davison 
wrote:

> Hey Matt,
>
> Probably because of your beginning and end of line markers you have it
> wrapped in. I forget how yara handles that but I'm pretty sure that's not
> what you want there.
>
> Also, fwiw, I've written and use email scanning/detection tools at
> $dayjob, and I can tell you that almost every single email has a link
> inside of it of some kind.
>
> Good luck!
>
> - John Davison
>
> On Tue, Jul 2, 2019 at 4:11 PM Matt Oney  wrote:
>
>> I'm new to yara rules and we just got them activated on the FireEye
>> ETP... I 've read enough to start playing around and testing.
>>
>> I just want the yara rule to fire(monitor mode) if a user receives a url
>> within the email...
>>
>> I have a good match -
>> https://regex101.com/r/L20l2w/1/
>>
>> I wrote the rule like such...
>> /*
>> This Yara ruleset is under the GNU-GPLv2 license (
>> http://www.gnu.org/licenses/gpl-2.0.html) and
>> open to any user or organization, as long as you use it under this
>> license.
>> */
>>
>>
>> rule with_urls : mail {
>>  meta:
>>  author = "Antonio Sanchez "
>>  reference = "http://laboratorio.blogs.hispasec.com/"
>>  description = "Rule to detect the presence of an or several urls"
>>  strings:
>>
>>
>>  $url_regex =
>> /^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$/
>>
>>
>>  condition:
>>  any of them
>> }
>>
>> but I can't get it to fire on a simple email with this in the body
>>
>> http://youtube.com
>>
>> *the other thing is FireEye ETP makes you pick Header, Body or Attachment
>> (I've tried it on all 3)
>>
>> *there is even more complicated regex url's that seem to match everything
>> and these are HUGE -
>> https://gist.github.com/gruber/8891611
>>
>> I'd definitely appreciate any thoughts to point me in the right
>> direction... thanks!
>>
>
>
> --
> John W. Davison
> unixfreak0...@gmail.com
>

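An added example, not the poster's rule and not part of the project: the same pattern with the ^ and $ anchors removed, which is the problem John points at. Anchored, the regex is tied to the start and end of the scanned data, which a URL sitting inside a message body never satisfies; unanchored, http://youtube.com in the body matches. Requiring the scheme (an assumption made here) keeps plain domain-like words from firing on every message.

```yara
rule with_urls_unanchored : mail
{
    meta:
        description = "Fires when an http(s) URL appears anywhere in the scanned data"
    strings:
        // Same pattern as the original rule minus ^ and $, so a URL in the
        // middle of a message body matches. The scheme is made mandatory
        // (assumption) so bare domain-like tokens do not trigger the rule.
        // nocase covers HTTP:// and mixed-case host names.
        $url = /https?:\/\/(www\.)?[a-z0-9]+([\-\.][a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/\S*)?/ nocase
    condition:
        $url
}
```

Scanning the message body with this rule matches on "http://youtube.com" as well as on URLs with a port or path; scanning only the headers or only an attachment will not see a body URL, so the ETP scope (Header, Body, Attachment) still has to be Body.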


Re: creating yara rules in windows

2018-10-29 Thread Fernando Mercês
Hi,

There's a Python program from Florian Roth:
https://github.com/Neo23x0/yarGen

You can also try the x64dbg plugin: https://github.com/mrexodia/YaraGen

I'm not aware of any others. One small tip when manually creating Yara
rules is to use Visual Studio Code, as it has nice syntax highlighting for
.yar files.

Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Thu, Oct 25, 2018 at 8:26 PM  wrote:

>
>
> just need a program to create signatures that works in windows
>



Re: Adding total number of occurrences of multiple strings

2018-09-20 Thread Fernando Mercês
Hi Raghvendra,

#str1 + #str2 + #str3 > 20 should work, no?

Hope that helps.

Att,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Thu, Sep 20, 2018 at 3:48 PM raghvendra mishra 
wrote:

> Hi,
> I am trying to do a heuristic-based detection of malware samples using
> YARA and got stuck when I need to add up the total number of occurrences of a set
> of strings to detect the sample.
> For example, say I have a rule like this:
>
> rule Malware_Detection : file
> {
> meta:
> author = "Raghvendra"
> version = "0.1"
> description = "Detecting malwares using heuristics"
> strings:
>
> $str1 = "alice" nocase
> $str2 = "bob" nocase
> $str3 = "intruder" nocase
> condition:
>    need to write
> }
> What I am trying to achieve is, if the total number of occurrences of any
> or combination of strings is greater than 20 then the yara engine should
> trigger. So, in a sample $str1 could match 20 times so yara should
> trigger, in a sample $str1 (15 times) and $str2 (5 times) could match so
> yara should trigger etc. The combination of string matching could be
> anything but it should be equal to 20.
> Is there any way to implement it in yara?
>
> Thanks,
> --Raghvendra
>



Re: error: syntax error, unexpected '=', expecting _STRING_IDENTIFIER_

2018-03-18 Thread Fernando Mercês
Yes. And you'd have to escape the dollar signs too. Or you could just use
single quotes around the whole thing:

echo 'rule a { strings: $h = "arnav" condition: $h }' > a




Att,

@MercesFernando
mentebinaria.com.br 
---

On Sun, Mar 18, 2018 at 9:26 PM, Wesley Shields  wrote:

> The inner quotes are not escaped.
>
> — WXS
>
> On Sun, Mar 18, 2018 at 8:24 PM  wrote:
>
>> Hi
>>
>> I ran this rule while learning:
>> echo "rule a { strings: $h = "arnav" condition: $h } > a
>>
>> but when I run
>> yara a a
>>
>> it gives me this error:
>> error: syntax error, unexpected '=', expecting _STRING_IDENTIFIER_
>>
>> I can't figure out what's wrong.
>>



Re: Emrging YARA with AV

2017-11-03 Thread Fernando Mercês
Hi Ahmed,

Yara is not supposed to replace AV. You may want to have a look at this
project: https://github.com/godaddy/procfilter

Att,

@MercesFernando
mentebinaria.com.br 
---

On Thu, Nov 2, 2017 at 1:20 PM, Ahmed Neil  wrote:

> Hello Hunters
>
> I would like to know how to emerge YARA rule I create to an AV and use it
> to scan binaries.
>



Re: Rule Name question

2016-04-29 Thread Fernando Mercês
I guess you are trying to match a rule within another rule, right? If so,
you just need to use its name under "condition":

rule rule_a
{
    strings:
        $a = "a"
    condition:
        $a
}

rule rule_ab
{
    strings:
        $b = "b"
    condition:
        rule_a and $b
}

You may want to set your "a" rule as private too:
https://yara.readthedocs.io/en/v3.4.0/writingrules.html#private-rules

Thanks.


Att,

Fernando Mercês
mentebinaria.com.br <http://www.mentebinaria.com.br>
---

On Thu, Apr 28, 2016 at 8:04 AM, Jim Kelly <macubergeeks...@gmail.com>
wrote:

> I have a rule that starts with:
>
> rule Accept: This function is used to listen for incoming connections.
> This function indicates that the program will listen for incoming
> connections on a socket. It is mostly used by malware to communicate with
> their Command and Communication server.
> {
> strings:
> $a = "Accept"
> condition:
> any of them
> }
>
> please refer to the line that starts with rule
> can I use the line above or do I have to do
>
> rule Accept
>
> /*
> This function is used to listen for incoming connections. This function
> indicates that the program will listen for incoming connections on a
> socket. It is mostly used by malware to communicate with their Command and
> Communication server.
>
> */
> {
> strings:
> $a = "Accept"
> condition:
> any of them
> }
>
> I was hoping I could get yara to report out the entire line with
> explanation when it hit a match.
>

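An added example (not Jim's rule and not Fernando's code) that joins both points of this thread: the explanation that cannot live in the rule name goes into a meta field, which `yara -m` (--print-meta) prints next to each matching rule, and the helper rule is made private and referenced from the public rule's condition. The rule names and the second string "listen" are assumptions.

```yara
// A rule name must be a plain identifier, so the free-text explanation
// moves into meta. Private rules are never reported on their own, so the
// descriptive meta belongs on the public rule that gets printed.
private rule calls_accept
{
    strings:
        $a = "Accept"
    condition:
        any of them
}

rule socket_listener
{
    meta:
        description = "Uses Accept: the program listens for incoming connections on a socket, commonly used by malware to talk to its command and control server"
    strings:
        // constructed second indicator for the example, not from the original post
        $b = "listen"
    condition:
        calls_accept and $b
}
```

Running `yara -m rules.yar sample.bin` reports only socket_listener, with its description line beside the match; the private calls_accept rule is evaluated but stays out of the output.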


Re: line number

2016-04-21 Thread Fernando Mercês
Hi Cody,

Are you using Yara to match rules on text files?


Att,

Fernando Mercês
mentebinaria.com.br <http://www.mentebinaria.com.br>
---

On Sat, Feb 20, 2016 at 5:59 PM, Cody West <codythet...@gmail.com> wrote:

> Sorry if this has already been asked. I've searched through group and
> haven't found anything.
>
> Is there an easy way to get a line number of the matching string instead
> of the character offset? I'm working with yara-python.
>
> Thanks,
> Cody West
>
