Running yara with the -s flag shows that both ft_java_class and ft_macho have a similar string they're targeting:
```
ft_java_class ../datar/fsf_dump_1485954008_9700feb2e081ce6a0eb9d8d6c10604e7/
0x0:$class: CA FE BA BE
ft_macho ../datar/fsf_dump_1485954008_9700feb2e081ce6a0eb9d8d6c10604e7/
0x0:$FAT_MAGIC: CA FE BA BE
```
@zcatbear, is the $FAT_MAGIC string a sufficient trigger for a Mach-O file if it's the only string observed and is at offset 0? Unfortunately, that's the same string and offset for the java_class signature, so we'd need to add additional conditions to either the java_class signature or the macho signature.

Unfortunately, because both signatures need that exact string at the same offset and have no other conditionals / strings required to trigger a hit, we can't exactly just say in ft_macho that we're going to ignore hits on that string if we also had a hit on ft_java_class, like below.
```yara
rule ft_macho
{
    meta:
        author = "Jamie Ford"
        company = "BroEZ"
        lastmod = "September 5 2016"
        desc = "Signature to trigger on mach-o file format."
    strings:
        $MH_CIGAM_64 = { CF FA ED FE }
        $MH_MAGIC_64 = { FE ED FA CF }
        $MH_MAGIC_32 = { FE ED FA CE }
        $MH_CIGAM_32 = { CE FA ED FE }
        $FAT_MAGIC   = { CA FE BA BE }
        $FAT_CIGAM   = { BE BA FE CA }
    condition:
        ($MH_CIGAM_64 at 0) or ($MH_MAGIC_64 at 0) or ($MH_CIGAM_32 at 0) or ($MH_MAGIC_32 at 0) or ($FAT_MAGIC at 0 and not ft_java_class) or ($FAT_CIGAM at 0)
}
```
While working on #40 I noticed that ft_macho was firing on a Java class file:
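As an added example (not code from this issue or the project's rule set), the following Python shows the kind of "additional condition" the discussion is after: both formats start with CA FE BA BE, but at offset 4 a Java ClassFile carries u2 minor_version / u2 major_version while a Mach-O fat header carries uint32 nfat_arch, and a class file read as a fat header would claim at least 45 architecture slices. The MAX_FAT_ARCHS bound and the sample blobs are constructed assumptions for the demo.

```python
import struct

CAFEBABE = b"\xCA\xFE\xBA\xBE"
FAT_ARCH_SIZE = 20      # sizeof(struct fat_arch): cputype, cpusubtype, offset, size, align
MAX_FAT_ARCHS = 0x20    # assumption: no realistic fat binary carries more slices (must stay < 45)
MIN_JAVA_MAJOR = 45     # JDK 1.1 class files start at major_version 45


def classify_cafebabe(data: bytes) -> str:
    """Return 'java-class', 'macho-fat', 'unknown' or 'not-cafebabe' for a file header."""
    if len(data) < 8 or data[:4] != CAFEBABE:
        return "not-cafebabe"
    # Both formats are big-endian after the magic, but they disagree at offset 4:
    #   Java ClassFile : u2 minor_version, u2 major_version
    #   Mach-O fat     : uint32 nfat_arch, then nfat_arch fat_arch entries (20 bytes each)
    nfat_arch = struct.unpack(">I", data[4:8])[0]
    _minor, major = struct.unpack(">HH", data[4:8])
    if 1 <= nfat_arch <= MAX_FAT_ARCHS and 8 + FAT_ARCH_SIZE * nfat_arch <= len(data):
        return "macho-fat"
    if major >= MIN_JAVA_MAJOR:
        # Interpreted as a fat header this would mean >= 45 slices, so it is a class file.
        return "java-class"
    return "unknown"


# Constructed samples (not real files): a Java 8 class header and a two-slice fat header.
SAMPLE_JAVA_CLASS = CAFEBABE + struct.pack(">HH", 0, 52) + b"\x00" * 24
SAMPLE_FAT_MACHO = (
    CAFEBABE
    + struct.pack(">I", 2)
    + struct.pack(">iiIII", 0x01000007, 3, 0x1000, 0x2000, 12)   # CPU_TYPE_X86_64 slice
    + struct.pack(">iiIII", 0x0100000C, 0, 0x4000, 0x2000, 14)   # CPU_TYPE_ARM64 slice
)

if __name__ == "__main__":
    for name, blob in [("java", SAMPLE_JAVA_CLASS), ("fat", SAMPLE_FAT_MACHO)]:
        print(name, classify_cafebabe(blob))
```

The same offset-4 test can be expressed in YARA with its `uint32be(4)` / `uint16be(6)` functions, so ft_macho could require a small nfat_arch and ft_java_class a major_version of 45 or more instead of one rule negating the other.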