Discussion:
[clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
Axb
2016-08-11 09:21:58 UTC
Guys,

clamscan --database=test.yar blah.html

LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
test.yar: OK
blah.html: OK

test.yar:

rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something, or is filename unsupported by ClamAV's YARA engine?

Thanks!
Axb
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Steven Morgan
2016-08-11 15:08:00 UTC
filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?
Axb
2016-08-11 17:26:15 UTC
I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...

Will try to find it again.
Axb
2016-08-11 17:29:13 UTC
Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/

see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.
Axb
2016-08-11 17:32:49 UTC
In that post the author states:

"I created some YARA rules that use the external variable „filename“ to
work. LOKI and THOR use the „filename“ and other external variables by
default."

hmm... now how the heck do we get that to happen with ClamAV? :)

.. talking to myself...
Benny Pedersen
2016-08-11 17:44:48 UTC
Post by Axb
"I created some YARA rules that use the external variable „filename“
to work. LOKI and THOR use the „filename“ and other external variables
by default."
hmm... now how the heck do we get to happen with ClamAv? :)
.. talking to myself...
+1

Try looking at the foxhole rules; imho it can match filenames and sizes, but I wish
it was more documented.

Also, logical signatures in ClamAV are very simple; I just wish they were more
documented.

Try compiled yara rules with ClamAV, not source rules; I don't know if that
makes a difference for ClamAV.


Steve basford
2016-08-11 17:58:22 UTC
This was on the blog....

YARA rules using any of the following features will be flagged in error,
and the respective rules will be disabled:

Single byte YARA string components – currently in the ClamAV matcher, all
strings, as well as components of strings delimited by wild cards, must be
at least two bytes in length

External variables – variables referenced in YARA conditions whose value
may be set using the 'yara -d' command line option.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
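To make the two restrictions Steve quotes concrete, here is an added example (not code from ClamAV, YARA, or anyone on this list): a small Python linter that reads a rule file and flags both things the ClamAV loader refuses, bare condition identifiers that YARA itself does not define (external variables such as `filename`, which is what `cli_loadyara` choked on above) and string components shorter than two bytes. The rule text in SAMPLE_RULES is constructed for the example; TEST_BLAH_FILESIZE is the rewrite Steven suggested, keying on `filesize` instead of `filename`. The builtin identifier list is an assumption taken from the YARA docs linked earlier in the thread, not the full grammar, and regex strings are not length-checked.

```python
"""Flag YARA constructs that the ClamAV YARA loader rejects.

Added example, not code from ClamAV, YARA or anyone on this list.
It checks the two limits quoted from the ClamAV blog in this thread:
conditions that reference external variables (bare identifiers YARA
itself does not define, such as `filename`) and string components
shorter than two bytes.
"""
import re

# Identifiers YARA itself defines (assumed from the YARA docs); anything
# else appearing bare in a condition is treated as an external variable,
# which clamscan has no `yara -d` equivalent to supply.
YARA_BUILTINS = {
    "all", "and", "any", "ascii", "at", "contains", "entrypoint", "false",
    "filesize", "for", "fullword", "in", "int8", "int16", "int32", "int8be",
    "int16be", "int32be", "matches", "nocase", "not", "of", "or", "them",
    "true", "uint8", "uint16", "uint32", "uint8be", "uint16be", "uint32be",
    "wide", "xor", "KB", "MB",
}

RULE_RE = re.compile(
    r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)[^{]*\{(.*?)^\}", re.S | re.M)
STRING_DEF_RE = re.compile(r"^\s*\$\w*\s*=\s*(.+?)\s*$", re.M)
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')
# A bare identifier: not a $string/#count/@offset/!length reference and
# not the tail of a number (1MB) or of a dotted module field (pe.sections).
IDENT_RE = re.compile(r"(?<![$#@!\w.])[A-Za-z_]\w*")


def _section(body, name):
    """Return the text of the `name:` section of a rule body ('' if absent)."""
    m = re.search(r"^\s*" + name + r":\s*$(.*?)(?=^\s*(?:meta|strings|condition):|\Z)",
                  body, re.S | re.M)
    return m.group(1) if m else ""


def _short_components(literal):
    """Yield the byte count of every string component shorter than two bytes."""
    if literal.startswith('"'):
        m = QUOTED_RE.match(literal)
        content = m.group(0)[1:-1] if m else ""
        # Each escape (\n, \", \\, \xNN) stands for one byte of matched data.
        n = len(re.findall(r"\\x[0-9A-Fa-f]{2}|\\.|.", content))
        if n < 2:
            yield n
    elif literal.startswith("{"):
        body = literal[1:literal.rfind("}")]
        # Wildcards, jumps and alternation boundaries split a hex string into
        # components; the matcher needs every component to be >= 2 bytes.
        parts = re.split(r"\?\?|[0-9A-Fa-f]\?|\?[0-9A-Fa-f]|\[[^\]]*\]|[()|]", body)
        for comp in parts:
            if not comp.strip():
                continue
            n = len(re.findall(r"\b[0-9A-Fa-f]{2}\b", comp))
            if n < 2:
                yield n
    # Regex strings (/.../) are skipped: their matched length is not fixed.


def lint_yara(text):
    """Return (rule_name, problem) pairs for every construct ClamAV rejects."""
    rules = RULE_RE.findall(text)
    rule_names = {name for name, _ in rules}  # references to other rules are legal
    problems = []
    for name, body in rules:
        for literal in STRING_DEF_RE.findall(_section(body, "strings")):
            for n in _short_components(literal):
                problems.append((name, f"string component of {n} byte(s), ClamAV needs >= 2"))
        condition = QUOTED_RE.sub('""', _section(body, "condition"))
        for ident in IDENT_RE.findall(condition):
            if ident not in YARA_BUILTINS and ident not in rule_names:
                problems.append((name, f"external variable '{ident}' (undefined identifier)"))
    return problems


def loadable_rules(text):
    """Sorted names of the rules the checks above do not flag."""
    bad = {name for name, _ in lint_yara(text)}
    return sorted(name for name, _ in RULE_RE.findall(text) if name not in bad)


# Constructed sample: the rule from this thread, the filesize rewrite Steven
# suggested, and a rule with one-byte text and hex components.
SAMPLE_RULES = r'''
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

rule TEST_BLAH_FILESIZE
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filesize < 1MB
}

rule SHORT_COMPONENTS
{
    strings:
        $a = "b"
        $h = { 41 ?? 42 43 }
    condition:
        any of them
}
'''

if __name__ == "__main__":
    for rule, problem in lint_yara(SAMPLE_RULES):
        print(f"{rule}: {problem}")
    print("ClamAV-loadable:", loadable_rules(SAMPLE_RULES))
```

Run against a real rule set before handing it to clamscan and you get the same answer the loader gives, but per rule and before the whole file is rejected; the filesize variant is the only one of the three samples that passes both checks.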