Hello All,
I am not sure whether it's a basic question...but I have been struggling with this
issue for a few days. I have created a rule with the following condition.
=======
condition:
is_php and filesize < 1024 and $str1 and ($str2 or $str3 or $str4)
========
Ideally, I want to scan only the files under 1KB. But it is triggering for
files which are bigger than 1KB. For example:
========
[root@server1 ~]# stat -c '%n %s' /home/gal2.php
/home/gal2.php 3693
[root@server1 ~]# clamscan -d me.yara /home/gal2.php
/home/gal2.php: YARA.My_Test_Rule.UNOFFICIAL FOUND
===========
So as you can see the file is 3K+ in size but still triggering the rule. If
I reduce the filesize to 600 it will work fine. What can be the cause? But
when I try using direct YARA command this issue is not happening.
Any help will be appreciated...thanks in advance.
--
Regards....
Nibin.
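A small reproduction harness for the behaviour described above, added here as an example and not part of the original message: it wraps the quoted condition in a complete rule file, builds PHP samples of exactly 600 and 3693 bytes, states what `filesize < 1024` should give for each, and runs whichever of `yara` and `clamscan` is installed so the two verdicts can be compared. The `$str1`..`$str4` strings, the `is_php` helper rule and the sample contents are assumed placeholders, since the post only quotes the condition line.

```shell
#!/bin/sh
# Added reproduction harness (not from the original post). The rule strings,
# the is_php helper rule and the sample contents are assumed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
RULE="$WORK/me.yara"

# Write a complete rule file around the quoted condition (strings are assumed).
write_rule() {
    cat > "$RULE" <<'EOF'
private rule is_php { strings: $tag = "<?php" condition: $tag at 0 }
rule My_Test_Rule {
    strings:
        $str1 = "eval("
        $str2 = "base64_decode("
        $str3 = "gzinflate("
        $str4 = "str_rot13("
    condition:
        is_php and filesize < 1024 and $str1 and ($str2 or $str3 or $str4)
}
EOF
}

# Create a PHP sample hitting $str1 and $str2, padded to exactly $1 bytes.
make_sample() {
    size="$1"; out="$2"
    printf '<?php eval(base64_decode("")); //' > "$out"
    head -c "$size" /dev/zero | tr '\0' 'A' >> "$out"
    head -c "$size" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
}

# What the condition should give for a file of $1 bytes: 0 = match, 1 = no match.
expect_match() { [ "$1" -lt 1024 ]; }

# Print the expected verdict, then the verdict of each installed scanner.
compare() {
    f="$1"; n=$(wc -c < "$f")
    expect_match "$n" && want=MATCH || want=no-match
    echo "$f ($n bytes): expected $want"
    command -v yara >/dev/null 2>&1 && yara "$RULE" "$f" || true
    command -v clamscan >/dev/null 2>&1 && clamscan --no-summary -d "$RULE" "$f" || true
}

write_rule
for sz in 600 3693; do make_sample "$sz" "$WORK/gal2_$sz.php"; compare "$WORK/gal2_$sz.php"; done
```

If the two tools disagree on the 3693-byte sample while the standalone `yara` run matches the expected verdict, that output is the concrete comparison worth attaching to the report.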