Incorrect newline character in downloaded yara rules

[nobur]

hi,

We had a big trouble to identify what makes Raccine not working as intended on serval servers. Once updated by RaccineRulesSync.exe, yara files are not parsed anymore. Seems to be linked to the newline character used is those file ( LF vs CRLF ).

I suggest to add the following changes to the source code . add a reference to System.Text.RegularExpressions in the project.

In the "SyncContentFromUrl" function add the following declaration : String newLinePattern = "([^\r]\n)";

then replace : file.WriteLine(yararule); with file.WriteLine(Regex.Replace(yararule, newLinePattern, "\r\n"));

This could prevent this kind of isssue again. Bruno

[Neo23x0]

I'd say, the correct regex is "([\r]?\n)". In your version, it would remove the last character of each line since every character is [^\r].

[nobur]

My bad, you're true ! I was supposed to write [^\r](\n) for the capturing parenthesis only catch the \n that follow any character that is not a \n. ( meaning; if it's already \r\n, no need to replace it) but i think i have to review the replace call as well.... Your version is much easier to implement.

[nobur]

One more important information: Newline chars were not the only problem. Now that it is more convenient to read in a regular windows notepad, I did some more analysis. The rules that are currently available are incorrectly processed. This line has been added recently or ( $e_wbadmin and $p_delete and ($p_backup*)) and make the evaluation fail. So there is no blocked action anymore. it should probably be something like : or ( $e_wbadmin and $p_delete and and 1 of ($p_backup* ))

[Neo23x0]

Thanks, it got fixed

[nobur]

Since change is already done in the code and rule error has been corrected, i think we can close this issue. Thanks for your help.