JusticeRage / Manalyze

A static analyzer for PE executables.
GNU General Public License v3.0

Unable to parse ClamAV signatures #21

Closed BlackHoneyBear closed 6 years ago

BlackHoneyBear commented 7 years ago

C:\Users\50CAL\Manalyze\bin\yara_rules>python update_clamav_signatures.py
Downloading: main.cvd
Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
Downloading: daily.cvd
Bytes: 41899296
Rule Eicar-Test-Signature already exists!
Unable to translate a logical signature for Html.Phishing.DropboxVM-1. Skipping...
Unable to translate a logical signature for Win.Worm.Njrat-2. Skipping...
Unable to translate a logical signature for Win.Trojan.B-468. Skipping...
Unable to translate a logical signature for Win.Dropper.Agent-1388636. Skipping...
Unable to translate a logical signature for Win.Dropper.Kuluoz-2905. Skipping...
Unable to translate a logical signature for Win.Trojan.Zbot-64725. Skipping...
Unable to translate a logical signature for Win.Downloader.Dalexis-24. Skipping...
Unable to translate a logical signature for Win.Trojan.Fareit-403. Skipping...
Unable to translate a logical signature for Win.Trojan.PoseidonURL-1. Skipping...
Unable to translate a logical signature for Win.Downloader.Upatre-6142. Skipping...
Unable to translate a logical signature for Legacy.Trojan.Agent-1388638. Skipping...
Unable to translate a logical signature for Win.Trojan.Mrblack-2. Skipping...
Unable to translate a logical signature for Win.Trojan.ProjectHook-1. Skipping...
Rule Win.Trojan.ssid18332-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.UPS-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-8. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-10. Skipping...
Rule Img.Exploit.CVE_2016_5684-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Athena-5329665-0. Skipping...
Rule Txt.Downloader.Generic-5657804-1 seems to be malformed. Skipping...
Rule Txt.Downloader.Generic-5657855-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744087-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744089-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744090-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744092-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744093-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744094-0 seems to be malformed. Skipping...
Rule Win.Trojan.Xtreme-5744910-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Vbswap-5909855-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-6162245-0. Skipping...
Rule Win.Exploit.CVE_2017_0080-6184298-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Ransomware.PyCL-6185098-3. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189297-0. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189299-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196648-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196650-0. Skipping...
Unable to translate a logical signature for Win.Virus.Hematite-6232506-0. Skipping...
Rule Swf.Exploit.CVE_2017_2934-6261685-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6268209-0. Skipping...
Rule Win.Exploit.CVE_2016_3301-5259504-1 seems to be malformed. Skipping...
Rule Js.Downloader.Generic-6296416-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6297788-0. Skipping...
Rule Win.Exploit.CVE_2017_3036-6309463-0 seems to be malformed. Skipping...
Rule Archive.Exploit.CVE_2017_2823-6316562-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6323528-0. Skipping...
Rule Html.Exploit.CVE_2016_7288-6327688-0 seems to be malformed. Skipping...
Rule Win.Exploit.CVE_2017_2781-6316049-1 seems to be malformed. Skipping...
Unable to understand the following offset: 5c6a706567626c6970{-250}66666438

JusticeRage commented 7 years ago

Hi! Could you please provide additional information regarding what the issue is? ClamAV rules cannot be easily translated to Yara and some failures are to be expected for a few of them. To the best of my knowledge, this script remains the most comprehensive to date.

While a few rules are rejected, are the rest of them generated correctly?

BlackHoneyBear commented 7 years ago

No, nothing can be generated.

BlackHoneyBear commented 7 years ago

Another way to do this is to use sigtool, provided with ClamAV, to parse the .cvd file and then use the parse script provided with this code to convert it into YARA.

JusticeRage commented 7 years ago

I have just tried generating the rules from the script, but it still works on my end. I'm afraid you'll have to provide more details as to what is going on.

BlackHoneyBear commented 7 years ago

C:\Users\50CAL\Desktop\test software\yara_rules>python update_clamav_signatures.py
Downloading: main.cvd
Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
Downloading: daily.cvd
Bytes: 41908540
Rule Eicar-Test-Signature already exists!
Unable to translate a logical signature for Html.Phishing.DropboxVM-1. Skipping...
Unable to translate a logical signature for Win.Worm.Njrat-2. Skipping...
Unable to translate a logical signature for Win.Trojan.B-468. Skipping...
Unable to translate a logical signature for Win.Dropper.Agent-1388636. Skipping...
Unable to translate a logical signature for Win.Dropper.Kuluoz-2905. Skipping...
Unable to translate a logical signature for Win.Trojan.Zbot-64725. Skipping...
Unable to translate a logical signature for Win.Downloader.Dalexis-24. Skipping...
Unable to translate a logical signature for Win.Trojan.Fareit-403. Skipping...
Unable to translate a logical signature for Win.Trojan.PoseidonURL-1. Skipping...
Unable to translate a logical signature for Win.Downloader.Upatre-6142. Skipping...
Unable to translate a logical signature for Legacy.Trojan.Agent-1388638. Skipping...
Unable to translate a logical signature for Win.Trojan.Mrblack-2. Skipping...
Unable to translate a logical signature for Win.Trojan.ProjectHook-1. Skipping...
Rule Win.Trojan.ssid18332-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.UPS-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-8. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-10. Skipping...
Rule Img.Exploit.CVE_2016_5684-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Athena-5329665-0. Skipping...
Rule Txt.Downloader.Generic-5657804-1 seems to be malformed. Skipping...
Rule Txt.Downloader.Generic-5657855-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744087-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744089-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744090-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744092-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744093-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744094-0 seems to be malformed. Skipping...
Rule Win.Trojan.Xtreme-5744910-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Vbswap-5909855-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-6162245-0. Skipping...
Rule Win.Exploit.CVE_2017_0080-6184298-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Ransomware.PyCL-6185098-3. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189297-0. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189299-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196648-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196650-0. Skipping...
Unable to translate a logical signature for Win.Virus.Hematite-6232506-0. Skipping...
Rule Swf.Exploit.CVE_2017_2934-6261685-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6268209-0. Skipping...
Rule Win.Exploit.CVE_2016_3301-5259504-1 seems to be malformed. Skipping...
Rule Js.Downloader.Generic-6296416-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6297788-0. Skipping...
Rule Win.Exploit.CVE_2017_3036-6309463-0 seems to be malformed. Skipping...
Rule Archive.Exploit.CVE_2017_2823-6316562-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6323528-0. Skipping...
Rule Html.Exploit.CVE_2016_7288-6327688-0 seems to be malformed. Skipping...
Rule Win.Exploit.CVE_2017_2781-6316049-1 seems to be malformed. Skipping...
Unable to understand the following offset: 5c6a706567626c6970{-250}66666438
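The route suggested earlier in the thread (unpack the database with sigtool, then translate the extracted signatures) needs a converter for ClamAV's hex-signature syntax, and the last line of the log above shows the kind of input it has to accept: 5c6a706567626c6970{-250}66666438 is the ASCII bytes "\jpegblip", a gap of up to 250 bytes ({-250} in ClamAV, [0-250] in YARA), then "ffd8". The script below is an added example for this page, not Manalyze's update_clamav_signatures.py and not the parse_clamav script mentioned later in the thread. It converts basic (.ndb) signatures, as written out by `sigtool --unpack daily.cvd`, into YARA rules, records each untranslatable line as a skip instead of aborting the whole database, and rejects on purpose what YARA cannot express (a leading or trailing jump, negated alternatives, jumps inside alternatives). Logical (.ldb) signatures, the ones the log reports as untranslatable, have a different layout and are not covered. The sample lines are constructed, with hypothetical names.

```python
# Added example for this issue, not Manalyze's update_clamav_signatures.py: translate ClamAV
# basic (.ndb) hex signatures, as unpacked by `sigtool --unpack daily.cvd`, into YARA rules.
import re
# .ndb layout: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
NDB_LINE_RE = re.compile(r'^([^:]+):(\d+):([^:]+):([^:\s]+)(?::(\d+))?(?::(\d+))?$')
# Hex-body tokens: {n}/{-n}/{n-}/{n-m} jumps, '*', '(', '|', ')', or one byte ('??', 'a?' ok)
TOKEN_RE = re.compile(r'\{(?=[\d-]*\d)(\d*)(-?)(\d*)\}|\*|\(|\)|\||[0-9a-fA-F?]{2}')

def translate_hex_body(body):
    """Return the inside of a YARA hex string for a ClamAV hex body: {-250} means 0..250
    bytes (YARA [0-250]), '*' is the unbounded [-]. Untranslatable forms raise ValueError."""
    out, pos, depth = [], 0, 0
    for m in TOKEN_RE.finditer(body):
        if m.start() != pos:                       # a gap is unknown syntax, e.g. !(..)
            raise ValueError('unexpected %r in hex body' % body[pos:m.start()])
        pos, tok = m.end(), m.group(0)
        if tok == '*' or tok[0] == '{':
            if depth:
                raise ValueError('jump inside alternatives is not translated')
            lo, dash, hi = m.groups()
            if tok == '*':
                out.append('[-]')
            elif not dash:
                out.append('[%s]' % lo)            # {n}: exactly n bytes
            elif lo and hi:
                out.append('[%s-%s]' % (lo, hi))   # {n-m}: between n and m bytes
            elif hi:
                out.append('[0-%s]' % hi)          # {-m}: up to m bytes
            else:
                out.append('[%s-]' % lo)           # {n-}: at least n bytes
        elif tok in '()|':
            depth += (tok == '(') - (tok == ')')
            if depth < 0 or (tok == '|' and not depth):
                raise ValueError('misplaced %r in hex body' % tok)
            out.append(tok)
        else:
            out.append(tok.lower())
    if pos != len(body) or depth or not out or out[0][0] == '[' or out[-1][0] == '[':
        raise ValueError('malformed hex body, or one starting/ending with a jump: %r' % body)
    return ' '.join(out)

def offset_condition(offset):
    """Map a ClamAV offset ('*', n, EOF-n, EP+n/EP-n, optional ',maxshift') to a YARA
    condition on $a. Returns (condition, needs_pe_module)."""
    if offset == '*':
        return '$a', False
    offset, _, shift = offset.partition(',')
    m = re.fullmatch(r'(\d+)|EOF-(\d+)|EP([+-]\d+)', offset)
    if not m:
        raise ValueError('unsupported offset %r' % offset)
    if m.group(1) is not None:
        anchor, delta = '', int(m.group(1))
    elif m.group(2) is not None:
        anchor, delta = 'filesize', -int(m.group(2))
    else:
        anchor, delta = 'pe.entry_point', int(m.group(3))
    def expr(d):                                   # '0', 'filesize - 8', 'pe.entry_point + 4'
        return str(d) if not anchor else anchor if d == 0 else '%s %s %d' % (anchor, '+-'[d < 0], abs(d))
    needs_pe = anchor == 'pe.entry_point'
    if not shift:
        return '$a at %s' % expr(delta), needs_pe
    return '$a in (%s .. %s)' % (expr(delta), expr(delta + int(shift))), needs_pe

def ndb_to_yara(line):
    m = NDB_LINE_RE.match(line.strip())
    if not m:
        raise ValueError('not a MalwareName:TargetType:Offset:HexSig line')
    name, target, offset, body = m.group(1, 2, 3, 4)
    hex_string = translate_hex_body(body)
    condition, needs_pe = offset_condition(offset)
    ident = re.sub(r'[^A-Za-z0-9_]', '_', name)    # YARA identifiers allow no '.' or '-'
    rule = ('rule %s\n{\n    meta:\n        clamav_name = "%s"\n        clamav_target_type = %s\n'
            '    strings:\n        $a = { %s }\n    condition:\n        %s\n}\n'
            % (ident, name, target, hex_string, condition))
    return rule, needs_pe

def translate_ndb(lines):
    """Translate all lines; each failure becomes a (name, reason) entry instead of aborting."""
    rules, skipped, needs_pe = [], [], False
    for line in filter(str.strip, lines):
        try:
            rule, pe = ndb_to_yara(line)
        except ValueError as e:
            skipped.append((line.split(':', 1)[0], str(e)))
            continue
        rules.append(rule)
        needs_pe = needs_pe or pe
    return ('import "pe"\n\n' if needs_pe else '') + '\n'.join(rules), skipped

# Constructed sample lines (hypothetical names, not real ClamAV signatures). The first body
# is the one from the error above: "\jpegblip", up to 250 bytes, then "ffd8" in ASCII.
SAMPLE_NDB = """\
Doc.Example.RtfJpeg-1:0:*:5c6a706567626c6970{-250}66666438
Win.Example.Stub-1:1:EP+0,4:(5589e5|558bec)??????e8
Win.Example.Bad-1:1:*:4d5a{-250}
"""
if __name__ == '__main__':
    print(*translate_ndb(SAMPLE_NDB.splitlines()), sep='\n')
```

Running it prints two rules (with a single `import "pe"` at the top, since the second one is anchored at the entry point) followed by the list of skipped lines; the third sample ends with a jump, which YARA rejects, so it is reported rather than emitted. Before appending generated text to clamav.yara it is worth compiling it once with yarac, which catches anything the translator let through.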

BlackHoneyBear commented 7 years ago

It parses main.cvd but could not parse the daily.cvd file; look at the above comment.

JusticeRage commented 7 years ago

Everything is appended to clamav.yara... It seems that everything is working fine.

BlackHoneyBear commented 7 years ago

Actually, daily.cvd is not appended because there is a tar file and ndb and ldb files which remain unresolved. This is because it was unable to parse them.

JusticeRage commented 7 years ago

Is the Python script throwing any kind of exception?

BlackHoneyBear commented 7 years ago

No, not any exception. You may need to review the parser script.

JusticeRage commented 7 years ago

Thanks for reporting this issue. I've finally looked into it and it should be fixed. Let me know if it works for you now!

MxResearch commented 6 years ago

I got the issue while updating the YARA signatures of ClamAV, even though I am using the new Python script:

Downloading: main.cvd
Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
Downloading: daily.cvd
Bytes: 46149729
Rule Eicar-Test-Signature already exists!
Unable to translate a logical signature for Html.Phishing.DropboxVM-1. Skipping...
Unable to translate a logical signature for Win.Worm.Njrat-2. Skipping...
Unable to translate a logical signature for Win.Trojan.B-468. Skipping...
Unable to translate a logical signature for Win.Dropper.Agent-1388636. Skipping...
Unable to translate a logical signature for Win.Dropper.Kuluoz-2905. Skipping...
Unable to translate a logical signature for Win.Trojan.Zbot-64725. Skipping...
Unable to translate a logical signature for Win.Downloader.Dalexis-24. Skipping...
Unable to translate a logical signature for Win.Trojan.Fareit-403. Skipping...
Unable to translate a logical signature for Win.Trojan.PoseidonURL-1. Skipping...
Unable to translate a logical signature for Win.Downloader.Upatre-6142. Skipping...
Unable to translate a logical signature for Legacy.Trojan.Agent-1388638. Skipping...
Unable to translate a logical signature for Win.Trojan.Mrblack-2. Skipping...
Unable to translate a logical signature for Win.Trojan.ProjectHook-1. Skipping...
Rule Win.Trojan.ssid18332-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.UPS-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-8. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-10. Skipping...
Rule Img.Exploit.CVE_2016_5684-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Athena-5329665-0. Skipping...
Rule Txt.Downloader.Generic-5657804-1 seems to be malformed. Skipping...
Rule Txt.Downloader.Generic-5657855-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744087-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744089-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744090-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744092-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744093-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744094-0 seems to be malformed. Skipping...
Rule Win.Trojan.Xtreme-5744910-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Vbswap-5909855-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-6162245-0. Skipping...
Rule Win.Exploit.CVE_2017_0080-6184298-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Ransomware.PyCL-6185098-3. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189297-0. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189299-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196648-0. Skipping...
Unable to translate a logical signature for Win.Virus.Hematite-6232506-0. Skipping...
Rule Swf.Exploit.CVE_2017_2934-6261685-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6268209-0. Skipping...
Rule Win.Exploit.CVE_2016_3301-5259504-1 seems to be malformed. Skipping...
Rule Js.Downloader.Generic-6296416-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6297788-0. Skipping...
Rule Win.Exploit.CVE_2017_3036-6309463-0 seems to be malformed. Skipping...
Rule Archive.Exploit.CVE_2017_2823-6316562-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6323528-0. Skipping...
Rule Html.Exploit.CVE_2016_7288-6327688-0 seems to be malformed. Skipping...
Unable to understand the following offset: 5c6a706567626c6970{-250}66666438

The script I am using, FYI: parse_clamav.zip

The database does not get updated up to the latest DB.

JusticeRage commented 6 years ago

I'm currently able to download and translate the official ClamAV signatures with the Python script. I'm not sure if it is because of a bugfix on my end or an update on the rules, but I guess I'll close the issues related to this script for now.