Yara language version, ClamAV documentation.
Hi there,

The documentation on ClamAV's implementation of Yara points to

http://plusvic.github.io/yara/

which describes several important differences between the different
versions of what might be called the reference Yara engine. When we
write Yara rules, it's obviously important to know which features of
the Yara language are supported by ClamAV and which are not.

I'm not sure if the 'word boundary' atoms (\b, \B) are supported or
not - I don't even know how to find out, except perhaps at the risk of
crashing clamd. I *think* I managed to do that with a bad Yara rule. :(
Although it wasn't one which used \b or \B, that prompted this message.

AFAICT the ClamAV Yara implementation hasn't changed a great deal
since it was first released - meaning that we will be working with
approximately Yara version 2.1.0. That's based on this quote from
.../libclamav/yara_clam.h, which is present in the ClamAV sources
since clamav-0.99 (1st December 2015):

/* Most of this file was derived from Yara 2.1.0 libyara/yara.h and
* other YARA header files. Following is the YARA copyright. */

Perhaps the Yara version to which the ClamAV implementation adheres
should be documented in

https://www.clamav.net/documents/using-yara-rules-in-clamav

and the section on limitations should be extended.

Is there a way to test Yara rules before asking ClamAV to apply them?
At the moment I simply send a RELOAD command to clamd - and hope that
it survives.

--

73,
Ged.
_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Yara language version, ClamAV documentation.
Hi there,

On Mon, 24 May 2021, G.W. Haywood wrote:

> ...
> I'm not sure if the 'word boundary' atoms (\b, \B) are supported or
> not - I don't even know how to find out, except perhaps at the risk of
> crashing clamd. I *think* I managed to do that with a bad Yara rule. :(
> ...

Now I'm sure.

Micah, would you prefer me to send you a private mail about it, or post
it on Bugzilla? I'm reluctant to publish it because a crash might be
exploitable, although with this one it would most likely be hard work.

A separate issue: I'm also seeing a problem with the syntax '.{,n}'.

A rule containing the following works fine, it matches my test sample:

8<----------------------------------------------------------------------
...
$unsubscribe = /reply.{0,30}no/ ascii nocase
...
condition:
6 of them
8<----------------------------------------------------------------------

In the same rule, the following doesn't match the same test sample:

$unsubscribe = /reply.{,30}no/ ascii nocase

The docs are very clear that the syntax is legal. It took a while to
nail that down...

--

73,
Ged.
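The two practical points in this thread (the first message's wish to check rules before reloading clamd, and the `.{,n}` quantifier that silently fails to match while `.{0,n}` works) can be handled with a small pre-load linter. The following is an added example and is not code from the thread or from ClamAV itself; it rewrites `{,n}` to the equivalent `{0,n}` in regex strings and flags `\b`/`\B`, whose support in ClamAV's Yara engine the thread leaves undocumented. The sample rule is constructed for the example.

```python
import re

# Constructed sample rule, modelled on the string in the thread; not a real ClamAV rule.
SAMPLE_RULE = r'''
rule unsubscribe_lure
{
    strings:
        $unsubscribe = /reply.{,30}no/ ascii nocase
        $bounded = /click\bhere/ ascii
        $ok = /reply.{0,30}no/ ascii nocase
    condition:
        2 of them
}
'''

# A YARA regex string:  $name = /pattern/ modifiers   (escaped slashes allowed in pattern)
_REGEX_STRING = re.compile(r'^(\s*\$\w+\s*=\s*)/((?:\\.|[^/\\])*)/(.*)$')
# A quantifier with an omitted lower bound, e.g. .{,30}
_OPEN_LOWER_BOUND = re.compile(r'\{,(\d+)\}')
# Word-boundary atoms (\b, \B) that are not preceded by an escaping backslash
_WORD_BOUNDARY = re.compile(r'(?<!\\)\\[bB]')


def normalize_quantifiers(pattern: str) -> str:
    """Rewrite {,n} to {0,n}, the spelling the thread reports as matching in ClamAV."""
    return _OPEN_LOWER_BOUND.sub(r'{0,\1}', pattern)


def lint_rule(text: str):
    """Return (rewritten_text, warnings); each warning is (line_no, message)."""
    out_lines = []
    warnings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = _REGEX_STRING.match(line)
        if not m:
            out_lines.append(line)
            continue
        lead, pattern, rest = m.groups()
        fixed = normalize_quantifiers(pattern)
        if fixed != pattern:
            warnings.append((no, f"rewrote open lower bound: /{pattern}/ -> /{fixed}/"))
        if _WORD_BOUNDARY.search(fixed):
            warnings.append((no, r"uses \b or \B; support in ClamAV's Yara engine is undocumented"))
        out_lines.append(f"{lead}/{fixed}/{rest}")
    rewritten = "\n".join(out_lines) + ("\n" if text.endswith("\n") else "")
    return rewritten, warnings


if __name__ == "__main__":
    rewritten, warnings = lint_rule(SAMPLE_RULE)
    for line_no, msg in warnings:
        print(f"line {line_no}: {msg}")
    print(rewritten)
```

Run the rewritten rule file through `clamscan -d rewritten.yar sample-file` first; clamscan loads the rule with the same engine as clamd, so a rule that breaks the loader fails there instead of taking down the daemon on RELOAD.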
Re: Yara language version, ClamAV documentation.
Hi Ged,

Sorry I was on vacation the past few days.

Bugzilla tickets are also private by default, though we're switching to use Github Issues soon, which are public-only.

Can you please send me a private mail about it? I'd like to give it a try.

-Micah

> -----Original Message-----
> From: clamav-devel <clamav-devel-bounces@lists.clamav.net> On Behalf Of
> G.W. Haywood
> Sent: Thursday, June 10, 2021 3:51 AM
> To: clamav-devel@lists.clamav.net
> Subject: Re: [Clamav-devel] Yara language version, ClamAV documentation.
>
> Hi there,
>
> On Mon, 24 May 2021, G.W. Haywood wrote:
>
> > ...
> > I'm not sure if the 'word boundary' atoms (\b, \B) are supported or
> > not - I don't even know how to find out, except perhaps at the risk of
> > crashing clamd. I *think* I managed to do that with a bad Yara rule. :(
> > ...
>
> Now I'm sure.
>
> Micah, would you prefer me to send you a private mail about it, or post it on
> Bugzilla? I'm reluctant to publish it because a crash might be exploitable,
> although with this one it would most likely be hard work.
>
> A separate issue: I'm also seeing a problem with the syntax '.{,n}'.
>
> A rule containing the following works fine, it matches my test sample:
>
> 8<----------------------------------------------------------------------
> ...
> $unsubscribe = /reply.{0,30}no/ ascii nocase
> ...
> condition:
> 6 of them
> 8<----------------------------------------------------------------------
>
> In the same rule, the following doesn't match the same test sample:
>
> $unsubscribe = /reply.{,30}no/ ascii nocase
>
> The docs are very clear that the syntax is legal. It took a while to nail that
> down...
>
> --
>
> 73,
> Ged.