Comments (6)
The problem is not that clamav_to_yara.py is introducing the invalid jumps but
rather that the program fails to recognize several signature forms
In this case, the form is an anchored signature described in Creating
signatures for ClamAV http://www.clamav.net/doc/latest/signatures.pdf (p8) as
HEXSIG[x-y]aa or aa[x-y]HEXSIG
Match aa anchored to a hex-signature, see
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776 for discussion and examples.
The script has no transform for the [x-y] construct that appears in quite a few
clamav signatures and simply ignores this, allowing the [x-x] cases through to
the yara output where they cause an error.
My solution is to add a transform for this case. I am attaching my modified
version. The patch is immediately after the initialization of the rule list.
It must precede the introduction of any yara jumps as they will trigger the
transform involved. This should be harmless, but why take a chance. Note: I
am not a python programmer and there may be better or other ways to do this.
In addition, there are several other cases the program does not handle:
rules starting with 5? run afoul of a yara "no initial wildcard" rule. My
workaround is to turn the rule into 16 alternatives starting with 50 ... 5F.
The yara (50|51|...|5F) form provokes the same error. yara issue 34 addresses
this.
Also, the script rejects as empty some rules in the W32_Virut_ia, etc. family.
These rules start with a
(hex | hex )
construct and are not empty. I have not looked closely, but this is probably
another transform omission. Unfortunately, the obvious translation of these
rules will run afoul of the same problem noted above and fixing it is equally
complicated at the clamav_to_yara level.
Original comment by [email protected]
on 24 Jan 2012 at 11:28
from malwarecookbook.
Thank you for the patches! I'll get it committed to the trunk shortly.
Original comment by [email protected]
on 2 Feb 2012 at 3:56
No, they are dealing with the case of matching ranges.
They aren't matching the "range" {\d-}, though.
The problem is on line 110, when processing a case of a range with a start
value, but no end value. They are substituting a phantom second value, where
none exists. The substitution statement fails, and the malformed range gets
passed through untouched.
I patched the file to simply substitute the value "1" in, giving a range of
"0-1". This is incorrect, but I know nothing about yara or ClamAV. The
offending rule won't match anything, but it was broken to begin with, so my
patch leads to at least an output that won't crash yara.
Please fix this, thanks.
Original comment by [email protected]
on 22 Feb 2012 at 8:50
Had fewer issues with these other versions of the script, but still had issues.
Side note - created ~21MB YARA rule file which took too long for YARA or
volatility/malfind to process... split it up into 512 chunks and processed
through an array - much better.
Original comment by [email protected]
on 22 Mar 2012 at 12:50
[deleted comment]
Hey guys,
Fixed all of the issues I had (for now) with latest main.ndb from ClamAV.
Here is the patch:
- Fix invalid [4-4] ranges
- Fix 5?5?... + (8a... errors (through regexp construct ;))
- Fix silent error about this signature (using a hack):
EOL.0.94.2:0:*:This ClamAV version has reached End of Life! Please upgrade to
version 0.95 or later. For more information see www.clamav.net/eol-clamav-094
and www.clamav.net/download:0:38
I just ignore it (should be converted to proper string though).
The hack is about detecting '/' presence.
Cheers,
Original comment by [email protected]
on 29 Oct 2012 at 6:23
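As an added example (not one of the patches attached in this thread, and not the original clamav_to_yara.py), here is a small Python converter for the ClamAV gap forms the comments above argue over: `{n-m}` and anchored `[x-y]` ranges collapsed to a fixed jump when both ends are equal (the `[4-4]` case), `{n-}` kept open-ended instead of getting a phantom upper bound, and a leading nibble wildcard such as `5?` expanded into the 16 concrete bytes as the first comment's workaround does (the thread notes that old YARA rejected that leading-alternative form too, per yara issue 34). The function names are my own.

```python
import re

# Added example, not a patch from this thread: translate ClamAV hex-signature
# gap tokens into YARA jump syntax. Mapping implemented here:
#   *       -> [-]        {n}    -> [n]          {n-}  -> [n-]  (no phantom upper bound)
#   {-n}    -> [0-n]      {n-m}  -> [n-m], collapsed to [n] when n == m ([4-4] case)
#   [x-y]aa -> [x-y]aa    leading 5? -> (50|51|...|5f)
GAP_RE = re.compile(r'\{(\d*)-(\d*)\}|\{(\d+)\}|\[(\d+)-(\d+)\]|\*')


def _yara_jump(m):
    """Translate one ClamAV gap token into the equivalent YARA jump."""
    if m.group(0) == '*':
        return '[-]'
    if m.group(3) is not None:                      # {n}: exactly n bytes
        return '[%d]' % int(m.group(3))
    if m.group(1) is not None:                      # {lo-hi}
        lo, hi = m.group(1), m.group(2)
    else:                                           # [lo-hi] anchored form
        lo, hi = m.group(4), m.group(5)
    if hi == '':                                    # {n-}: n or more bytes
        return '[%d-]' % int(lo) if lo else '[-]'
    lo_i, hi_i = int(lo or 0), int(hi)              # {-n}: zero to n bytes
    if lo_i > hi_i:
        raise ValueError('descending range %s' % m.group(0))
    if lo_i == hi_i:                                # YARA rejects [4-4]; emit a fixed jump
        return '[%d]' % lo_i
    return '[%d-%d]' % (lo_i, hi_i)


def clamav_hex_to_yara(sig):
    """Return the YARA hex-string body for a ClamAV hex signature."""
    out = GAP_RE.sub(_yara_jump, sig.lower())
    # YARA refuses hex strings that begin with a jump or a full-byte wildcard;
    # a leading gap constrains nothing in a search, so it is dropped here.
    while out.startswith('[') or out.startswith('??'):
        out = out[out.index(']') + 1:] if out.startswith('[') else out[2:]
    if re.match(r'[0-9a-f]\?|\?[0-9a-f]', out):
        # Leading nibble wildcard (e.g. 5?): expand into the 16 concrete bytes.
        byte, rest = out[:2], out[2:]
        out = '(' + '|'.join(byte.replace('?', '%x' % n) for n in range(16)) + ')' + rest
    if not re.match(r'[0-9a-f]{2}|\(', out):
        raise ValueError('no leading literal byte in %r' % sig)
    return '{ ' + out + ' }'
```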