Discussion:
[clamav-users] YARA: filesize condition
Axb
2016-06-30 14:06:07 UTC
When trying to use filesize condition in a Yara sig

rule FileSize_200KB
{
condition:
filesize < 200KB
}

I get

LibClamAV Warning: load_oneyara: yara rule contains no supported
strings, skipping YARA.FileSizeExample

Am I missing something or if indeed not supported, could it please be
added? Would help to "failsafe" rules

Thanks

Axb
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Steven Morgan
2016-06-30 15:26:07 UTC
Post by Axb
When trying to use filesize condition in a Yara sig
rule FileSize_200KB
{
filesize < 200KB
}
Hi,

That is correct. ClamAV uses matching of yara strings to drive the yara
condition. filesize will work in a yara condition in ClamAV, but only when
there is a string match. I'd suppose something like this should work:

rule Filesize_200KB
{
strings:
$abc = "abc"

condition:
($abc and not $abc) and filesize < 200KB
}


Steve
Paul Kosinski
2016-06-30 18:27:40 UTC
On Thu, 30 Jun 2016 11:26:07 -0400
Post by Steven Morgan
Post by Axb
When trying to use filesize condition in a Yara sig
rule FileSize_200KB
{
filesize < 200KB
}
Hi,
That is correct. ClamAV uses matching of yara strings to drive the
yara condition. filesize will work in a yara condition in ClamAV, but
only when there is a string match. I'd suppose something like this
rule Filesize_200KB
{
$abc = "abc"
($abc and not $abc) and filesize < 200KB
}
Steve
Shouldn't exactly one 'and' be an 'or' in:

"($abc and not $abc) and filesize < 200KB"
Steven Morgan
2016-06-30 19:44:09 UTC
On Thu, Jun 30, 2016 at 2:27 PM, Paul Kosinski <clamav-
Post by Paul Kosinski
"($abc and not $abc) and filesize < 200KB"
Yes, the first 'and' must be an 'or'. Thank you!

Steve
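Added illustration (not code from the thread or from ClamAV): a small helper that spots a YARA rule ClamAV would skip for having no strings section, and rewrites it with the anchor-string pattern Steve proposed and Paul corrected ("or", not "and"). The `$anchor` name, the indentation and the parsing regexes are my own choices.

```python
import re

# Constructed input: the rule from the thread, which ClamAV skips with
# "load_oneyara: yara rule contains no supported strings".
STRINGLESS_RULE = """rule FileSize_200KB
{
condition:
filesize < 200KB
}
"""

RULE_RE = re.compile(r"rule\s+(?P<name>\w+)\s*(?::[^{]*)?\{(?P<body>.*)\}\s*$", re.S)
SECTION_RE = re.compile(r"^\s*(meta|strings|condition)\s*:\s*$", re.M)


def split_rule(src):
    """Return (name, {section: text}) for a single YARA rule."""
    m = RULE_RE.search(src)
    if not m:
        raise ValueError("expected exactly one YARA rule")
    parts = SECTION_RE.split(m.group("body"))  # [pre, name, text, name, text, ...]
    sections = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    return m.group("name"), sections


def needs_anchor(src):
    """True when the rule has no strings section, i.e. ClamAV would skip it."""
    return not split_rule(src)[1].get("strings")


def anchor_rule(src, anchor="abc"):
    """Add a dummy string so ClamAV keeps the rule, then guard the original
    condition with the tautology ($anchor or not $anchor), the corrected form
    from the thread ('or', not 'and').  As Steve notes, ClamAV still evaluates
    the condition only when the anchor string actually matches in the file."""
    if not needs_anchor(src):
        return src
    name, sections = split_rule(src)
    lines = ["rule %s" % name, "{"]
    if "meta" in sections:
        lines += ["    meta:"] + ["        " + l.strip() for l in sections["meta"].splitlines()]
    lines += [
        "    strings:",
        '        $anchor = "%s"' % anchor,
        "    condition:",
        "        ($anchor or not $anchor) and (%s)" % sections["condition"],
        "}",
    ]
    return "\n".join(lines) + "\n"
```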