Open pettai opened 2 years ago
Yara's uint32be() feature is a really neat feature. ClamAV offers a similar capability through the "byte compare" subsignature for logical signatures: https://docs.clamav.net/manual/Signatures/LogicalSignatures.html#byte-compare-subsignatures
ClamAV's byte compare feature allows not only raw byte comparison with different endianness, signedness, and byte width, but also evaluation of numbers from decimal text and hex text instead of evaluating the raw bytes.
But ClamAV's byte compare feature requires a different pattern as a trigger, with an offset from the start of that pattern match, so unfortunately it will not translate directly to Yara's uint32be() feature. That is, I don't expect we can simply map the Yara functionality to ClamAV's functionality the way we have with Yara's text and regex pattern matching. Adding the Yara feature would therefore require an entirely new feature in ClamAV to evaluate bytes at an exact offset without anchoring to a pattern match, and so is unlikely to happen soon. I'm not saying it's not a great request, just that it's not an easy translation from an existing ClamAV signature feature.
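To make the mismatch described above concrete, here is an added Python model (not code from this issue, from Yara or from ClamAV) of the two semantics: an absolute-offset uint32be() read beside a read anchored to a trigger-pattern match with the byte-compare options the comment lists (width, endianness, signedness, decimal or hex text). The function names and the sample bytes are constructed for this illustration; ClamAV's subsignature syntax itself is not reproduced.

```python
import struct

# Constructed sample "file" for the demo (not from the issue): a fake MZ header,
# an ASCII hex number, an ASCII decimal number and a raw big-endian value.
SAMPLE = (b"MZ\x90\x00" + b"PAYLOAD:" + b"0x1234" + b"\x00" * 4
          + b"ver=4096" + b"\xde\xad\xbe\xef")


def yara_uint32be(data: bytes, offset: int):
    """Yara's uint32be(offset): unsigned 32-bit big-endian read at an ABSOLUTE
    file offset. Returns None if the read would run past the end of the data."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack(">I", data[offset:offset + 4])[0]


def byte_compare(data: bytes, trigger: bytes, rel_offset: int, width: int,
                 endian: str = "little", signed: bool = False, encoding: str = "raw"):
    """Model of the semantics of a ClamAV byte-compare subsignature (hypothetical
    helper; the real syntax is not reproduced): the value is read RELATIVE to the
    start of the first match of `trigger`, with a chosen width, endianness and
    signedness, or decoded from ASCII decimal ('dec') or ASCII hex ('hex') text.
    Returns None when the trigger does not match or the read would be short."""
    pos = data.find(trigger)
    if pos < 0:
        return None
    start = pos + rel_offset
    if start < 0:
        return None
    chunk = data[start:start + width]
    if len(chunk) != width:
        return None
    if encoding == "raw":
        return int.from_bytes(chunk, endian, signed=signed)
    text = chunk.decode("ascii", errors="replace")
    return int(text, 10 if encoding == "dec" else 16)


def absolute_vs_anchored(data: bytes):
    """Read the header both ways, then again after one byte is prepended to the
    data. The Yara read changes with the absolute offset; the anchored read does
    not, because it follows the "MZ" pattern match instead of a fixed offset."""
    shifted = b"\x00" + data
    return (yara_uint32be(data, 0), byte_compare(data, b"MZ", 0, 4, endian="big"),
            yara_uint32be(shifted, 0), byte_compare(shifted, b"MZ", 0, 4, endian="big"))
```

The last function is the crux of the comment: a rule written as `uint32be(0) == ...` has no trigger pattern to anchor to, so it cannot be expressed as a byte-compare subsignature without a new absolute-offset evaluation feature.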
Thanks for your insights @micahsnyder
I see this mainly as a usability feature with ClamAV's Yara-scan support. New Yara rules tend to utilize the full Yara keyword "palette", and then it becomes hard to just grab and utilize the Yara rules supplied from various sources nowadays, so ClamAV users have to spend time on converting them to fit (or just give up because of lack of knowledge etc.)
(btw. I also noted that the documentation at https://docs.clamav.net/manual/Signatures/LogicalSignatures.html#byte-compare-subsignatures lacks examples; it would also be helpful to provide some)
Agreed! It definitely needs more examples. A lot of the signature types do, in fact. :(
Describe the bug
uint32be is a Yara keyword that has been around since 2014 (Yara v3.2.0) and is used in some Yara rules to find malicious content; however, these rules cannot be utilized by ClamAV yet today. This has been reported in other places too:
https://forums.gentoo.org/viewtopic-t-1035172-start-0.html
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1883857
https://www.mail-archive.com/clamav-users@lists.clamav.net/msg41480.html
https://github.com/extremeshok/clamav-unofficial-sigs/issues/384
How to reproduce the problem
Download https://raw.githubusercontent.com/Yara-Rules/rules/56c5e06b41fb9a6e8331600d2ab136d426c52bf6/maldocs/Maldoc_CVE_2017_11882.yar
Attachments
You'll find some Yara rules with this Yara keyword that won't load here: https://github.com/Yara-Rules/rules/search?q=uint32be&type=code and some more here: https://github.com/Neo23x0/signature-base/search?q=uint32be&type=code