CybercentreCanada / CCCS-Yara

YARA rule metadata specification and validation utility / Specification and validation for YARA rules
MIT License

Bug: Invalid yara rules pass validation #38

Closed JohnConnorRF closed 3 years ago

JohnConnorRF commented 3 years ago

Yara validation appears to succeed when the rule doesn't contain a closing bracket. Example yara rule:

rule APT_CN_TestYara {
   meta:
      description = "Detect malware"
      author = "TEST"
      date = "2021-01-12"
      version = "1.0"

   strings:
      $s1 = "test"
   condition:
      $s1

In case it's relevant, there is no newline at the end of the file. This was tested using the default CCCS_YARA.yml file from commit (91e66c4)

cccs-gm commented 3 years ago

Thank you for bringing this bug to our attention. I am currently looking into the best method of catching it.

cccs-gm commented 3 years ago

Interestingly, this is the first case of a malformed yara rule that the plyara library didn't return an error for. I expect the fix to be rolled out tomorrow.

cccs-gm commented 3 years ago

We have added a new branch with the bug fix. It is undergoing review but I expect it will be set up to merge soon.

Thank you again for bringing this to our attention.

cccs-gm commented 3 years ago

Sorry for the delay @JohnConnorRF. The bug fix ended up creating some issues of its own. This will catch the case you brought up and should potentially catch some others in the future.

cccs-gm commented 3 years ago

To clarify, the fix is live in master. We plan to have a new release later this week.