Open GoogleCodeExporter opened 8 years ago
Here is an example.
./ClamAV-to-Yara/clamav-full.yara:9287: invalid skip in string "$a1"
rule Trojan_Crypted_78
{
strings:
$a0 = { 35??0000008b4df8[16]eb02eb02ebb28b }
$a1 = { 83????6a00682900000068290000006821000000686b0000006877000000687600000068290000006820000000682b00000068370000006820000000680e00000068[4-4]e8 }
$a2 = { 83????6a00683c0000006837000000682a0000006828000000682000000068080000006836000000683600000068200000006826000000682a0000006837000000681500000068200000006831000000682c0000006837000000681200000068[4-4]e8 }
$a3 = { 83????6a006821000000682400000068200000006837000000682d000000681100000068200000006828000000683000000068360000006820000000681700000068[4-4]e8 }
$a4 = { 83????6a00682900000068290000006821000000686b0000006829000000682900000068010000006831000000680b00000068[4-4]e8 }
condition:
$a0 and $a1 and $a2 and $a3 and $a4
}
Original comment by gle...@gmail.com
on 11 Feb 2014 at 2:40
I think it might be taking an exception to the [4-4] portion.
Original comment by gle...@gmail.com
on 11 Feb 2014 at 3:01
Check out the following issue, someone posted a patch for this I believe:
https://code.google.com/p/malwarecookbook/issues/detail?id=35
Original comment by michael.hale@gmail.com
on 11 Feb 2014 at 3:05
Thank you Michael for pointing me to that thread. By the way how do I apply
that patch to the existing script?
Original comment by gle...@gmail.com
on 11 Feb 2014 at 3:10
Change into the directory that contains your clamav_to_yara.py script and type:
$ patch -p0 < /path/to/the.patch
Original comment by michael.hale@gmail.com
on 11 Feb 2014 at 3:14
I was experiencing some patch HUNK issues, but I was able to troubleshoot
around the issue. At first I thought I might have had an older
clamav_to_yara.py so I downloaded the two that were posted in that thread that
you redirected me to. Neither of them worked.
But I found the issue. Originally I obtained a copy of the clamav_to_yara.py
from a cut-n-paste from the Malwarecookbook site. It worked, but I guess some
of the formatting might have gotten ruined. Then I saw the link for the raw
file and used a wget to retrieve that. Then the patch process worked. Thank you!
Original comment by gle...@gmail.com
on 11 Feb 2014 at 3:51
After applying the patch and double checking each subtraction/addition from the
patch file to my working file, I'm still seeing that invalid skip string issue.
I did notice that the first part of the patch might have an issue: the line
is replaced with identical code. The signature lines below are identical.
# handle the ClamAV style jumps
# {-n} is n or less bytes
jump_regex = re.compile('(\{-(\d+)\})')
- signature = jump_regex.sub('{0-\g<2>}', signature)
+ signature = jump_regex.sub('{0-\g<2>}', signature)
# {n-} is n or more bytes
jump_regex = re.compile('(\{(\d+)-\})')
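Review bot: the `-` and `+` lines in this hunk are byte-identical as quoted, so applying it changes nothing, which matches the error still appearing afterwards; compare against the original patch file, since a whitespace-only change or a bracket change in the `+` line (for example `'[0-\g<2>]'` instead of `'{0-\g<2>}'`) is easily lost in a paste. As quoted, the replacement still emits curly braces (`{0-n}`), while the rule at the top of this thread uses YARA's square-bracket jumps (`[16]`, `[4-4]`), and nothing in this hunk touches the code path that emits the `[4-4]` form YARA rejects in `$a1`, so this hunk on its own cannot resolve the reported error. Minor: the patterns are non-raw string literals containing `\{` and `\d`; raw strings such as `re.compile(r'(\{-(\d+)\})')` avoid the invalid-escape warnings newer Python versions raise.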
Original comment by gle...@gmail.com
on 11 Feb 2014 at 7:25
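An added example of the jump conversion this thread is about; it is not the cookbook's clamav_to_yara.py and not the patch from issue 35. It converts the ClamAV jump forms `{n}`, `{-n}`, `{n-}` and `{n-m}` to YARA jumps, never emits the degenerate `[n-n]` form that YARA reports as an invalid skip, and can also audit and repair an already converted string such as the `$a1` above. Assumptions: that `[4-4]` in `$a1` came from a ClamAV jump whose bounds were equal (the thread does not show the ClamAV source line), that `[n-]` is acceptable for "n or more bytes" (YARA 3 and later syntax), and the function names are hypothetical. The sample signature body is constructed, not from a real ClamAV database.

```python
import re

# The $a1 string from the Trojan_Crypted_78 rule quoted in this thread: the converter's
# output that YARA rejects because of the [4-4] jump.
THREAD_A1 = "83????6a00682900000068290000006821000000686b0000006877000000687600000068290000006820000000682b00000068370000006820000000680e00000068[4-4]e8"

# Constructed ClamAV-style hex body exercising every jump form the converter must
# handle (hypothetical sample data, not taken from a real ClamAV database).
SAMPLE_CLAMAV_SIG = "83??6a00{4}e8{-16}eb02{2-}8b{3-7}ff{4-4}90"

# One regex for all ClamAV jump forms: {n}, {-n}, {n-}, {n-m}.
# group 1 = lower bound, group 2 = the dash (if present), group 3 = upper bound.
CLAMAV_JUMP = re.compile(r"\{(\d*)(-?)(\d*)\}")

# A YARA range jump [n-m]; used to audit strings that were already converted.
YARA_RANGE = re.compile(r"\[(\d+)-(\d+)\]")


def _render_jump(lo, dash, hi):
    """Map one ClamAV jump (the three regex groups) to YARA jump syntax."""
    if not dash:                              # {n}: exactly n bytes
        if not lo:
            raise ValueError("empty jump {}")
        return f"[{int(lo)}]"
    if lo and hi:                             # {n-m}: between n and m bytes
        n, m = int(lo), int(hi)
        if n > m:
            raise ValueError(f"jump lower bound {n} exceeds upper bound {m}")
        return f"[{n}]" if n == m else f"[{n}-{m}]"   # collapse {n-n}, never emit [n-n]
    if hi:                                    # {-n}: n or fewer bytes
        return f"[0-{int(hi)}]"
    if lo:                                    # {n-}: n or more bytes (YARA 3+ syntax, assumed)
        return f"[{int(lo)}-]"
    raise ValueError("jump {-} has no bounds")


def clamav_to_yara_hex(sig):
    """Convert a ClamAV hex signature body into a YARA hex string body."""
    return CLAMAV_JUMP.sub(lambda m: _render_jump(*m.groups()), sig)


def find_degenerate_jumps(hexstr):
    """List the [n-n] jumps left in a YARA hex string; an empty list means clean."""
    return [m.group(0) for m in YARA_RANGE.finditer(hexstr) if m.group(1) == m.group(2)]


def normalize_yara_jumps(hexstr):
    """Repair an already converted string: [n-n] becomes [n]; [n-m] with n > m is rejected."""
    def fix(m):
        n, hi = int(m.group(1)), int(m.group(2))
        if n > hi:
            raise ValueError(f"jump lower bound {n} exceeds upper bound {hi}")
        return f"[{n}]" if n == hi else f"[{n}-{hi}]"
    return YARA_RANGE.sub(fix, hexstr)


def build_rule(name, clamav_sigs):
    """Emit a YARA rule in the layout used in this thread, one $aN string per signature."""
    lines = [f"rule {name}", "{", "strings:"]
    for i, sig in enumerate(clamav_sigs):
        lines.append(f"$a{i} = {{ {clamav_to_yara_hex(sig)} }}")
    lines += ["condition:", " and ".join(f"$a{i}" for i in range(len(clamav_sigs))), "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(clamav_to_yara_hex(SAMPLE_CLAMAV_SIG))
    print(find_degenerate_jumps(THREAD_A1), "->", normalize_yara_jumps(THREAD_A1)[-20:])
    print(build_rule("Trojan_Example", [SAMPLE_CLAMAV_SIG]))
```

Running `find_degenerate_jumps` over every string of a converted rule file is a quick way to locate the offending lines before feeding the file to YARA; `normalize_yara_jumps` then rewrites them in place without re-running the converter.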
I've just been experimenting with ClamAV rules for Yara and the fix is still
not committed to the repository. I've also tried with the .patch, but
couldn't get the program to work; it always throws the "invalid skip in
string $a1" errors.
Please update the repository accordingly or provide better information about
fixing the errors.
Original comment by evangeline.eleanor@gmail.com
on 22 Feb 2015 at 9:46
Original issue reported on code.google.com by
gle...@gmail.com
on 11 Feb 2014 at 2:09