PUNCH-Cyber / YaraGuardian

Django web interface for managing Yara rules
Apache License 2.0

Suspected character escape issue in strings #12

Closed: redlazarus closed this issue 7 years ago

redlazarus commented 7 years ago

Received error message:

{"success_count":143,"message":"unknown text at include; token of type ID","last_success":"Trojan_DNS_Calc_String"}

Rule in question contained the following strings that likely caused the error:

strings:
    $a = "%c%c%c%c%c.exe"
    $b = "~dfds3.reg"

condition:
    all of them

redlazarus commented 7 years ago

Further testing showed this was an issue with misplaced include statements in the uploaded file. No fix required.
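
A pre-upload check for the cause identified in this thread, as an added example that is not part of the original issue or of the YaraGuardian code base. It assumes "misplaced" means an `include` that sits inside a rule body or is not followed by a quoted path; the function name and the sample rule file are constructed for illustration.

```python
import re

# Light YARA tokenizer: comments, quoted strings and regex literals are consumed whole.
TOKEN = re.compile(r'''
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\\n])*")
  | (?P<regex>(?<==)\s*/(?:\\.|[^/\\\n])+/)
  | (?P<open>\{)
  | (?P<close>\})
  | (?P<word>(?<![\w$#@!])[A-Za-z_]\w*)
''', re.S | re.X)

def find_misplaced_includes(source):
    """Return (line_number, reason) for each include that is not a top-level directive."""
    findings, depth, pending = [], 0, None
    for m in TOKEN.finditer(source):
        kind = m.lastgroup
        if kind == "comment":
            continue
        if pending is not None:          # token right after a top-level include
            if kind != "string":
                findings.append((pending, "include not followed by a quoted path"))
            pending = None
        if kind == "open":
            depth += 1
        elif kind == "close":
            depth = max(depth - 1, 0)
        elif kind == "word" and m.group() == "include":
            line = source.count("\n", 0, m.start()) + 1
            if depth > 0:                # braces open: we are inside a rule
                findings.append((line, "include inside a rule body"))
            else:
                pending = line
    if pending is not None:
        findings.append((pending, "include not followed by a quoted path"))
    return findings

# Constructed sample file: one valid include, two misplaced ones.
SAMPLE = '''\
include "common.yar"
rule Constructed_Example {
    strings:
        $a = "%c%c%c%c%c.exe"  // include "x.yar" inside a comment is ignored
        include "misplaced.yar"
    condition: all of them
}
include other_rules
'''

print(find_misplaced_includes(SAMPLE))
```

Running this over a rule file before upload points at the offending line directly, where the upload error only names the last rule that parsed.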