BayshoreNetworks / yextend

Yara integrated software to handle archive file data.
BSD 3-Clause "New" or "Revised" License
299 stars 59 forks

[develop] Commas in YARA metadata create multiple rule matches #16

Closed austinbyers closed 6 years ago

austinbyers commented 6 years ago

The logic to parse the output into JSON format presumably splits fields by comma, but YARA metadata can also include commas. The result is what looks like multiple different rule matches when there is actually only one.

Steps to Reproduce

Compile yextend from the develop branch.

test.yara:

rule dummy_true {
    meta:
        description = "One, Two, Three"

    condition:
        true
}

LD_LIBRARY_PATH=/usr/local/lib ./yextend -r test.yara -t test.yara -j produces the following:

[
    {
        "file_name": "test.yara",
        "file_signature_MD5": "8aa26a676c45edd7953962f9442abcfb",
        "file_size": 103,
        "scan_results": [
            {
                "file_signature_MD5": "8aa26a676c45edd7953962f9442abcfb",
                "file_size": 103,
                "non_archive_file_name": "test.yara",
                "scan_type": "Yara Scan (Goodwill guess  Encrypted file detected)",
                "yara_matches_found": true,
                "yara_rule_id": "dummy_true:[description=One"
            },
            {
                "file_signature_MD5": "8aa26a676c45edd7953962f9442abcfb",
                "file_size": 103,
                "non_archive_file_name": "test.yara",
                "scan_type": "Yara Scan (Goodwill guess  Encrypted file detected)",
                "yara_matches_found": true,
                "yara_rule_id": "Two"
            },
            {
                "file_signature_MD5": "8aa26a676c45edd7953962f9442abcfb",
                "file_size": 103,
                "non_archive_file_name": "test.yara",
                "scan_type": "Yara Scan (Goodwill guess  Encrypted file detected)",
                "yara_matches_found": true,
                "yara_rule_id": "Three]"
            }
        ],
        "yara_matches_found": true,
        "yara_ruleset_file_name": "test.yara"
    }
]

As you can see, it looks like 3 separate matches with 3 different rule IDs.
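The following Python snippet is an added example, not part of the issue and not yextend's own code, showing the difference between the comma split described above and a split that only breaks on a YARA meta identifier boundary. It assumes yextend's pre-fix layout is `rule_name:[key=value,key=value]` as the fragments in the JSON suggest, and that rejoining fragments with `", "` restores the whitespace yextend trimmed; both are assumptions, and the sample `scan_results` list is a constructed copy of the output shown above.

```python
import re

# Constructed sample: the three fragments from the JSON above, reduced to
# the fields that matter for the rejoin. Real yextend entries carry more keys.
FRAGMENTED_SCAN_RESULTS = [
    {"file_signature_MD5": "8aa26a676c45edd7953962f9442abcfb",
     "yara_rule_id": "dummy_true:[description=One"},
    {"file_signature_MD5": "8aa26a676c45edd7953962f9442abcfb",
     "yara_rule_id": "Two"},
    {"file_signature_MD5": "8aa26a676c45edd7953962f9442abcfb",
     "yara_rule_id": "Three]"},
]


def naive_split(rule_id_text):
    # The behaviour the issue describes: every comma is treated as a
    # field separator, so commas inside a meta value fragment the rule id.
    return rule_id_text.split(",")


# A YARA meta identifier is [A-Za-z_][A-Za-z0-9_]* followed by '='.
# Only a comma followed by such an identifier starts a new meta field;
# commas inside a value are left alone. (Assumption: the "rule:[k=v,k=v]"
# layout seen in the issue; values themselves are not quoted in that layout.)
_META_BOUNDARY = re.compile(r",\s*(?=[A-Za-z_][A-Za-z0-9_]*=)")


def parse_rule_id(rule_id):
    """Parse 'rule_name:[key=value,key=value]' into (rule_name, {key: value}).

    A rule id without a '[...]' meta block is returned with an empty dict.
    """
    name, sep, rest = rule_id.partition(":[")
    if not sep or not rest.endswith("]"):
        return rule_id, {}
    meta = {}
    for field in _META_BOUNDARY.split(rest[:-1]):
        key, eq, value = field.partition("=")
        if eq:
            meta[key.strip()] = value.strip()
    return name, meta


def merge_fragments(scan_results):
    """Rejoin consecutive scan_results entries whose yara_rule_id was split
    inside an unclosed '[...]' meta block, as in the output above.

    Assumption: fragments appear in order and the split removed the space
    after each comma, so ', ' is used to glue them back together.
    """
    merged = []
    pending = None
    for entry in scan_results:
        if pending is None:
            pending = dict(entry)
        else:
            pending["yara_rule_id"] += ", " + entry["yara_rule_id"]
        rid = pending["yara_rule_id"]
        # Balanced brackets mean the rule id (and its meta block) is complete.
        if rid.count("[") == rid.count("]"):
            merged.append(pending)
            pending = None
    if pending is not None:        # trailing unbalanced fragment: keep it
        merged.append(pending)
    return merged


if __name__ == "__main__":
    print(naive_split("dummy_true:[description=One, Two, Three]"))
    print(parse_rule_id("dummy_true:[description=One, Two, Three,author=x]"))
    for entry in merge_fragments(FRAGMENTED_SCAN_RESULTS):
        print(entry["yara_rule_id"], "->", parse_rule_id(entry["yara_rule_id"]))
```

The bracket-balance check in `merge_fragments` is a consumer-side workaround for output produced before the fix; once the JSON writer emits one entry per rule, it becomes a no-op because every entry is already balanced.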

dre commented 6 years ago

Fix posted in the develop branch and will be part of the next release.

austinbyers commented 6 years ago

Fantastic, thanks so much! Was not expecting this to be fixed in the next release 👍