Neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

expl_outlook_cve_2023_23397.yar syntax error #249

Open celevra opened 1 year ago

celevra commented 1 year ago

hi,

I'm new to YARA rules, but here I get a syntax error:

 yara expl_outlook_cve_2023_23397.yar /tmp/Test\ Meeting.msg
expl_outlook_cve_2023_23397.yar(65): warning: $u2 is slowing down scanning
expl_outlook_cve_2023_23397.yar(96): error: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_

Also, is there a way to get it compatible with clamd?

clamscan /tmp/Test\ Meeting.msg
LibClamAV Error: yyerror(): /var/lib/clamav/expl_outlook_cve_2023_23397.yar line 30 undefined identifier "uint32be"
LibClamAV Error: yyerror(): /var/lib/clamav/expl_outlook_cve_2023_23397.yar line 72 undefined identifier "uint32be"
LibClamAV Error: yyerror(): /var/lib/clamav/expl_outlook_cve_2023_23397.yar line 96 syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
LibClamAV Warning: cli_loadyara: failed to parse or load 3 yara rules from file /var/lib/clamav/expl_outlook_cve_2023_23397.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
/tmp/Test Meeting.msg: OK

Regards
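The clamd output above rejects `uint32be` as an undefined identifier. As an added example, not code from the signature-base repository, this script locates the big-endian readers in a rule file and rewrites each `uintNNbe(off)` into an equivalent `uint8()` composition; it assumes the target engine supports `uint8()` and the shift/or operators, and the sample rule it carries is constructed here, not the repository's rule.

```python
import re

# Matches YARA's big-endian integer readers (uint16be / uint32be), which the
# clamd output above reports as undefined. The argument may itself contain
# parentheses, so the closing ')' is found by balancing rather than by regex.
_BE_CALL = re.compile(r"\buint(16|32)be\s*\(")

# Constructed sample rule (not the repository's): .msg files are OLE2/CFB
# containers, whose header starts with the bytes D0 CF 11 E0.
SAMPLE_RULE = """rule ole2_header_be
{
    condition:
        uint32be(0) == 0xD0CF11E0 and uint16be(filesize - 2) != 0
}"""


def _matching_paren(text, open_idx):
    """Return the index of the ')' that balances the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses in rule condition")


def _byte_read(off, i):
    """uint8() read of the i-th byte after offset expression `off`."""
    if i == 0:
        return f"uint8({off})"
    if off.isdigit():                       # fold constant offsets: uint8(3)
        return f"uint8({int(off) + i})"
    return f"uint8(({off}) + {i})"          # keep expressions intact


def find_be_reads(rule_text):
    """List each big-endian reader name as it appears in the rule text."""
    return [m.group(0).rstrip("(").strip() for m in _BE_CALL.finditer(rule_text)]


def rewrite_be_reads(rule_text):
    """Replace uintNNbe(off) with (uint8(off) << ...) | ... | uint8(off+N-1)."""
    out, pos = [], 0
    while (m := _BE_CALL.search(rule_text, pos)):
        nbytes = int(m.group(1)) // 8
        open_idx = m.end() - 1
        close_idx = _matching_paren(rule_text, open_idx)
        off = rule_text[open_idx + 1:close_idx].strip()
        parts = []
        for i in range(nbytes):
            shift = 8 * (nbytes - 1 - i)    # most significant byte first
            term = _byte_read(off, i)
            parts.append(f"({term} << {shift})" if shift else term)
        out.append(rule_text[pos:m.start()])
        out.append("(" + " | ".join(parts) + ")")
        pos = close_idx + 1
    out.append(rule_text[pos:])
    return "".join(out)
```

Running `rewrite_be_reads(SAMPLE_RULE)` yields a condition with no `uint32be`/`uint16be` left, suitable for re-testing against the engine that rejected them.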

celevra commented 1 year ago

Updating to the newest YARA removed the syntax error, but it didn't recognize my bad .msg: Test Meeting.zip

ruppde commented 1 year ago

Are you sure that .msg triggers the exploit?

celevra commented 1 year ago

I've created the .msg with this PoC: https://github.com/api0cradle/CVE-2023-23397-POC-Powershell