virustotal / yara-ci-issues Goto Github PK

hello,

would it be possible to raise the limit of false positives shown? it's about 200 at the moment which is quickly reached with big rulesets. and it's not like some more kilobytes of output should be a problem nowadays.

False positives found

1052023 files from the [NSRL](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl) were scanned, 2004 were detected.
...
and 1812 more ...

best regards
arnim

€#/#/2

It seems the rule analysis check fails, when I use valid unicode characters. A scan with this rule works without any issues (yara 4.0.5).

 Check failure on line 7 in yara/source/PHP.generic.symbols.1.yar

@virustotal-yara-ci virustotal-yara-ci / Rules Analysis

yara/source/PHP.generic.symbols.1.yar#L7

non-ascii character "\xe2"

rule PHP_generic_symbols_1 : malicious php
{
    meta:
        created_at = "2021/04/14"
        author = "Daniel Ruf"
    strings:
        $string1 = "$▀"
...
    condition:
        any of them
}

Should I simply push-force the same commit again to trigger a new build or should I wait until this is fixed?

It would be helpful to run Yara CI only for specific branches and not all.

Hey guys, this project is really cool. A great contribution to the community.

One issue I had is in finding the license agreement on using the tool. Do you guys have any documentation on how YARA rules that are tested are retained or used by VirusTotal?

hello virus total folks,

is there a way that yara-ci can be installed for github enterprise customers?

best,
xander

Same issue as reported some time back in #12 is hitting us now. It worked before but stopped working on 7th August 2023 around 12:00 CEST.

I have nothing changed and right now no new yara CI run is triggered.

Similar to the feature to ignore files it would be useful to ignore singe rules by rule name or tags to exclude rules which will trigger false positives because they're hunting rules and intentionally broad.

For example:

rules:
  ignore:
  - "*hunting*"

ruletags:
  ignore:
  - "hunt"

current scan:

previous scans:

Last time (11th of September) they still worked. Now they don't.

It just never finishes any of the tasks:

Hello guys, thanks for this feature, here is my config

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

files:
  accept:
  - "data/yara/**.yar"

false_positives:
  ignore:
    - rule: "CobaltStrikeBeacon"

And it always match the FP rule

https://github.com/kevoreilly/CAPEv2/runs/1538092106

any idea what could be wrong?

The whole documentation of how to install and configure YARA-CI is great. However, I feel like this sentence should be followed by some more details:

Once the application is installed, your YARA rules will be analyzed on every commit you make to the repository.

In particular: Where can you see the results of the analysis? I don't see any results and also don't receive emails. Since the installation is literally just takes a few clicks, it would be great to also have a short pointer where to look for the results.

hello,

it would be nice to see more info in the false positives list like e.g. filesize and file type because that helps in quickly getting an overview if these conditions could be used to improve the rule without clicking on all the files.

regards
arnim