yararules problem loading #384

Closed
MandiYang opened this issue Apr 4, 2021 · 6 comments
@MandiYang

MandiYang commented Apr 4, 2021

Output of scanning one file with clamav when using yararules:

LibClamAV Warning: load_oneyara: string is too short YARA.possible_exploit
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.possible_exploit
LibClamAV Error: yyerror(): /var/lib/clamav/maldoc_somerules.yar line 235 undefined identifier "uint32be"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/maldoc_somerules.yar, successfully loaded 14 rules.
LibClamAV Error: yyerror(): /var/lib/clamav/Maldoc_CVE_2017_8759.yar line 17 undefined identifier "uint32be"
LibClamAV Error: yyerror(): /var/lib/clamav/Maldoc_CVE_2017_8759.yar line 86 undefined identifier "RTFFILE"
LibClamAV Warning: load_oneyara[verify]: wide modifier [w] is not supported for regex subsigs
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.CVE_2017_8759_SOAP_txt
LibClamAV Warning: cli_loadyara: failed to parse or load 3 yara rules from file /var/lib/clamav/Maldoc_CVE_2017_8759.yar, successfully loaded 4 rules.
LibClamAV Error: yyerror(): /var/lib/clamav/Maldoc_hancitor_dropper.yar line 20 undefined identifier "uint32be"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/Maldoc_hancitor_dropper.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
LibClamAV Error: yyerror(): /var/lib/clamav/Maldoc_APT10_MenuPass.yar line 27 undefined identifier "hash"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/Maldoc_APT10_MenuPass.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file

Fix this bug plz!

@extremeshok
Owner

OS, Version, Version of config and script

@MandiYang
Author

MandiYang commented Apr 6, 2021

Ubuntu 20.04, clamav-unofficial-sigs version 7.25 and config version v97

@perplexityjeff
Contributor

perplexityjeff commented Apr 12, 2021

Is this even a bug with the script or is it something that is in the yara rules repo?

@MandiYang Could you maybe as well post your version of ClamAV? Just in case.

Related? #203

@MandiYang
Author

MandiYang commented Apr 12, 2021

Problem with yara rules repo, not the script, but disable these yara rules when setting database rating, then I close this issue. ClamAV version is 0.102.4

@perplexityjeff
Contributor

perplexityjeff commented Apr 13, 2021

I suppose that the pull request I made disables the Yara rules that are causing issues from master.conf.

#387

@MandiYang
Author

Ok, I close this issue
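
An added example, not part of the thread or of the clamav-unofficial-sigs project: a small Python parser for the LibClamAV messages quoted in the opening post, reporting for each rule file which identifiers were rejected and which files ended up loading no rules at all. The regular expressions assume the message format exactly as it appears in that log, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: four lines taken from the log in the opening post.
SAMPLE_LOG = """\
LibClamAV Error: yyerror(): /var/lib/clamav/maldoc_somerules.yar line 235 undefined identifier "uint32be"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/maldoc_somerules.yar, successfully loaded 14 rules.
LibClamAV Error: yyerror(): /var/lib/clamav/Maldoc_APT10_MenuPass.yar line 27 undefined identifier "hash"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/Maldoc_APT10_MenuPass.yar, successfully loaded 0 rules.
"""

# Assumed message formats, matched to the log lines as they appear in the issue.
YYERROR = re.compile(r'yyerror\(\): (.+?) line (\d+) undefined identifier "([^"]+)"')
SUMMARY = re.compile(
    r"cli_loadyara: failed to parse or load (\d+) yara rules from file (.+?), "
    r"successfully loaded (\d+) rules"
)


def summarize(log_text):
    """Map each rule file to its failed/loaded counts and rejected identifiers."""
    report = defaultdict(lambda: {"failed": 0, "loaded": 0, "identifiers": set()})
    for line in log_text.splitlines():
        m = YYERROR.search(line)
        if m:
            report[m.group(1)]["identifiers"].add(m.group(3))
            continue
        m = SUMMARY.search(line)
        if m:
            entry = report[m.group(2)]
            entry["failed"], entry["loaded"] = int(m.group(1)), int(m.group(3))
    return dict(report)


def files_with_no_rules(report):
    """Rule files that failed to load and contributed zero rules to the scan."""
    return sorted(p for p, e in report.items() if e["failed"] and not e["loaded"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for path, entry in sorted(result.items()):
        ids = ", ".join(sorted(entry["identifiers"])) or "-"
        print(f"{path}: loaded={entry['loaded']} failed={entry['failed']} rejected={ids}")
    print("no rules loaded from:", files_with_no_rules(result))
```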
