Discussion:
[clamav-users] How to know if yara rules are being run?
Mark Foley
2017-07-01 05:10:59 UTC
Permalink
I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware
in my /var/lib/clamav directory.

I can I tell if clamav is running it? I see nothing in /var/log/clamav.log.

--Mark

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Eric Tykwinski
2017-07-01 13:21:50 UTC
Permalink
Post by Mark Foley
I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware
in my /var/lib/clamav directory.
I can I tell if clamav is running it? I see nothing in /var/log/clamav.log.
--Mark
My first suggestion would be make sure Yara rules are enabled in clamav.
So make a couple of files:
/*** test.yara ***/
rule Test_Yara_Rules : test
{
meta:
description = "Test Yara"
strings:
$test = "YaraTest" fullword ascii
condition:
$test
}
/***********/

echo YaraTest > test.txt

clamscan -d ./test.yara test.txt

Should show you:
test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)

For Ubuntu 16.04, it’s enabled by default, on OSX with homebrew add --with-yara to enable them.

PS. Talos guys, I’m loving the new website, a lot of info in there.
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html
Mark Foley
2017-07-03 20:58:29 UTC
Permalink
Post by Eric Tykwinski
Post by Mark Foley
I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware
in my /var/lib/clamav directory.
How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.
--Mark
My first suggestion would be make sure Yara rules are enabled in clamav.
/*** test.yara ***/
rule Test_Yara_Rules : test
{
description = "Test Yara"
$test = "YaraTest" fullword ascii
$test
}
/***********/
echo YaraTest > test.txt
clamscan -d ./test.yara test.txt
test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)
Yes. I got exactly the same output as you show. Therefore, yara rules are enabled.

So then, I can I confirm the expetr.yara I created is being run?

--Mark
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Mark Foley
2017-07-04 14:12:41 UTC
Permalink
Post by Mark Foley
Yes. I got exactly the same output as you show. Therefore, yara rules are enabled.
So then, how can I confirm the expetr.yara I created is being run?
???Mark
Mark,
We are getting off topic for ClamAV list. I don???t know what rule that they published, and thankfully haven???t had to deal with anything locally.
My guess would be to open the yara rule and check it out. You might be able to fake it with a hex editor to test it out, or you can search for sample files and see if they catch them. With Yara rules though you are usually only getting a small fragment of the infections, and probably a large portion of false positives. I use them for scanning backup archives personally to find web exploits, and the like, don???t deleted but find when the file was dropped.
Hope this helps,
Eric
Eric - you misunderstand my question. I'm not asking if the yara rule is
working as designed. I'm asking how I can tell if clamav-milter is actually
running the rule during its scan of incoming email. All I did was put
expetr.yara in /var/lib/clamav. That's it. I don't know if that's sufficient,
whether .yara or .yar is the proper file type (I've seen both), what the file
permissions should be ... In short, I have no feedback from clamav that it even
notices the presence of this rule.

Can I set a debug level or something in clamd.conf, clandscan.conf or
clamav-milter.conf?

--Mark
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Mark Foley
2017-07-05 21:52:03 UTC
Permalink
Post by Mark Foley
Eric - you misunderstand my question. I'm not asking if the yara rule is
working as designed. I'm asking how I can tell if clamav-milter is actually
running the rule during its scan of incoming email. All I did was put
expetr.yara in /var/lib/clamav. That's it. I don't know if that's sufficient,
whether .yara or .yar is the proper file type (I've seen both), what the file
permissions should be ... In short, I have no feedback from clamav that it even
notices the presence of this rule.
Can I set a debug level or something in clamd.conf, clandscan.conf or
clamav-milter.conf?
--Mark
LogFile STRING
Enable logging to selected file.
Default: no
LogInfected STRING
This option allows you to tune what is logged when a message is infected. Possible values are Off (the default - nothing is logged), Basic (minimal info logged), Full (verbose info logged)
Note: For this to work properly in sendmail, make sure the msg_id, mail_addr, rcpt_addr and i macroes are available in eom. In other words add a line like: Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file. Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
Postfix should be working fine with the default settings.
Default: disabled
Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.

My LogInfected is set to Full

I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.
Depending on your clamd.conf, it should show what DBs to load.
DatabaseDirectory STRING
Path to a directory containing database files.
OfficialDatabaseOnly BOOL
Only load the official signatures published by the ClamAV project.
Default: no
All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)
uint16(0) == 0x5A4D and
filesize < 1000000 and
any of them
Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.
So you could use something like PAR::Packer and try to compile a quick PERL script, but I would just put in a test yara rule like I email previously and send yourself an email. It should show up in the log file, and you???ll be sure it???s working.
Eric
Here;s where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule. I sent the message, but
nothing was detected. Although, not being versed in yara, I may need more
conditions set than that.

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.

What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling explaining that is a lot more involved than you'd care to go into, but
if you can do so in a one- or two-liner, please do.

So, will this rule run as is, or not, on Linux? Do I have to do something?

Thanks, Mark
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Mark Foley
2017-07-05 22:11:48 UTC
Permalink
From: Mark Foley <***@novatec-inc.com>
Date: Wed, 05 Jul 2017 17:52:03 -0400
Organization: Novatec Software Engineering, LLC
To: clamav-***@lists.clamav.net
Subject: Re: [clamav-users] How to know if yara rules are being run?

I'm following up to my own message. I've confirmed that my clamav-milter *is*
running yara rules. I created the following rule:

rule testme
{
strings:
$st1 = "How now brown cow"

condition:
$st1
}

and put it in /var/lib/clamav/testme.yara. I had to make it owned by
clamav.clamav (owned by root failed), and I had to restart clamav-milter.

I sent an email containing the "brown cow" string to a recipient on this host
and clamav-milter caught it: clamav-milter.log:

Wed Jul 5 18:06:46 2017 -> Message v65M6iRh026596 from <***@server.novatec-inc.com> to <UNKNOWN> with subject 'test4' message-id '<***@server.novatec-inc.com>' date 'Wed, 05 Jul 2017 18:06:42 -0400' infected by YARA.testme.UNOFFICIAL

So, the question posted below remains:

Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux? I'm specifically asking about Eric's comment, "it requires a Win32 executable".

--Mark
Post by Mark Foley
Eric - you misunderstand my question. I'm not asking if the yara rule is
working as designed. I'm asking how I can tell if clamav-milter is actually
running the rule during its scan of incoming email. All I did was put
expetr.yara in /var/lib/clamav. That's it. I don't know if that's sufficient,
whether .yara or .yar is the proper file type (I've seen both), what the file
permissions should be ... In short, I have no feedback from clamav that it even
notices the presence of this rule.
Can I set a debug level or something in clamd.conf, clandscan.conf or
clamav-milter.conf?
--Mark
LogFile STRING
Enable logging to selected file.
Default: no
LogInfected STRING
This option allows you to tune what is logged when a message is infected. Possible values are Off (the default - nothing is logged), Basic (minimal info logged), Full (verbose info logged)
Note: For this to work properly in sendmail, make sure the msg_id, mail_addr, rcpt_addr and i macroes are available in eom. In other words add a line like: Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file. Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
Postfix should be working fine with the default settings.
Default: disabled
Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.

My LogInfected is set to Full

I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.
Depending on your clamd.conf, it should show what DBs to load.
DatabaseDirectory STRING
Path to a directory containing database files.
OfficialDatabaseOnly BOOL
Only load the official signatures published by the ClamAV project.
Default: no
All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)
uint16(0) == 0x5A4D and
filesize < 1000000 and
any of them
Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.
So you could use something like PAR::Packer and try to compile a quick PERL script, but I would just put in a test yara rule like I email previously and send yourself an email. It should show up in the log file, and you???ll be sure it???s working.
Eric
Here;s where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule. I sent the message, but
nothing was detected. Although, not being versed in yara, I may need more
conditions set than that.

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.

What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling explaining that is a lot more involved than you'd care to go into, but
if you can do so in a one- or two-liner, please do.

So, will this rule run as is, or not, on Linux? Do I have to do something?

Thanks, Mark
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Kris Deugau
2017-07-06 15:34:53 UTC
Permalink
Post by Mark Foley
Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux?
Any valid signature file will be loaded and used.

Any *invalid* signature file will cause clamd to exit.

If clamd is running, and you've been able to confirm the signature file
is being loaded, the signature will be checked.

Signatures are not platform-specific except in terms of what they're
intended to match on.
Post by Mark Foley
I'm specifically asking about Eric's comment, "it requires a Win32 executable".
To answer this specific point, one of the signature fragments checks a
byte pattern in a certain location to help ensure that it only triggers
on files that are Win32 executables.

More generally, to confirm whether a specific signature is doing what
it's supposed to, you need to have a file to test with that you know is
supposed to match on that signature.

-kgd
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Mark Foley
2017-07-06 17:04:29 UTC
Permalink
Post by Kris Deugau
Post by Mark Foley
Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux?
Any valid signature file will be loaded and used.
Any *invalid* signature file will cause clamd to exit.
If clamd is running, and you've been able to confirm the signature file
is being loaded, the signature will be checked.
Signatures are not platform-specific except in terms of what they're
intended to match on.
Post by Mark Foley
I'm specifically asking about Eric's comment, "it requires a Win32 executable".
To answer this specific point, one of the signature fragments checks a
byte pattern in a certain location to help ensure that it only triggers
on files that are Win32 executables.
More generally, to confirm whether a specific signature is doing what
it's supposed to, you need to have a file to test with that you know is
supposed to match on that signature.
-kgd
Thanks Kris, that answers my question. I somehow incorrectly took from Eric's
comment that the rule would only run on Windows, but I get that the rule is
inspecting the message for a Windows executable.

--Mark
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Loading...