VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Doesn't work with Yara-Rules? #941

Open TLINDEN opened 6 years ago

TLINDEN commented 6 years ago

Hello,

I can't get it to work at all. I have the following rule (from Yara-Rules):

rule suspicious_version : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3

    strings:
        $magic = { 25 50 44 46 }
        $ver = /%PDF-1.\d{1}/
    condition:
        $magic in (0..1024) and not $ver
}

If I scan an infected PDF with this, I get nothing:

% yara clamav-yara-rules/suspicious-version.pdf.yara samples/vir.pdf ; echo $?
0

However, if I do the same with ClamAV, I get:

% clamscan -d clamav-yara-rules/suspicious-version.pdf.yara samples/vir.pdf 
samples/vir.pdf: YARA.suspicious_version.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.038 sec (0 m 0 s)

I am using the latest yara (version 3.8.1). I also tried the 3.7 branch, just in case current master is unstable, to no avail - same result. OS is FreeBSD 10.3.

What am I doing wrong?

GWHAYWOOD commented 2 years ago

I don't know what you're doing wrong but when I took your rules file and ran it here using Yara 3.9 it worked fine. Perhaps your PDF files have a $ver which matches your regex?

If you're still troubled by this (I know your OP was a long time ago) please let me have a sample file to scan.
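To make the rule's condition concrete, here is an added example (my own, not code from this issue or from the yara project) that re-implements the rule's two predicates in plain Python and runs them over a few constructed, harmless PDF-like byte strings; it cross-checks against yara-python only when that module happens to be installed (treated as optional). `$magic in (0..1024)` needs `%PDF` to start within the first 1024 bytes, and `not $ver` needs the regex to match nowhere in the file, so any file that carries a `%PDF-1.x` version string anywhere stays silent, which is exactly the case GWHAYWOOD suspects. The samples also expose that the rule's `.` is unescaped, so a malformed header like `%PDF-1x7` still counts as a version. One more practical point: the yara CLI reports a match on stdout as `suspicious_version samples/vir.pdf` and exits 0 whether or not anything matched, so `echo $?` cannot distinguish "no match" from "match".

```python
import re

# The rule from the issue, reproduced verbatim so it can be cross-checked
# against yara-python when that module is installed (optional).
RULE = r'''
rule suspicious_version : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3

    strings:
        $magic = { 25 50 44 46 }
        $ver = /%PDF-1.\d{1}/
    condition:
        $magic in (0..1024) and not $ver
}
'''

MAGIC = b"%PDF"  # { 25 50 44 46 }
# Same regex as $ver. The '.' is unescaped in the rule, so it matches any
# byte except newline rather than a literal dot; kept on purpose.
VER = re.compile(rb"%PDF-1.\d{1}")


def magic_in_first_1024(data: bytes) -> bool:
    """YARA's `$magic in (0..1024)`: string starts at offset 0..1024 inclusive."""
    return data.find(MAGIC, 0, 1024 + len(MAGIC)) != -1


def has_version_string(data: bytes) -> bool:
    """YARA's bare `$ver`: the regex matches anywhere in the file."""
    return VER.search(data) is not None


def rule_matches(data: bytes) -> bool:
    """Pure-Python equivalent of the rule's condition."""
    return magic_in_first_1024(data) and not has_version_string(data)


def yara_agrees(data: bytes):
    """Cross-check with real yara-python if installed; None when it is not."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=RULE)
    return bool(rules.match(data=data)) == rule_matches(data)


# Constructed samples (not real malware), each a minimal PDF-like byte string.
SAMPLES = {
    # Ordinary 1.x header: $magic hits, $ver hits, so the rule does NOT fire.
    "normal_1_4": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    # Header claims 2.0: $ver never matches, so the rule fires.
    "version_2_0": b"%PDF-2.0\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    # No version at all after the magic: rule fires.
    "no_version": b"%PDF-\n1 0 obj\nendobj\n%%EOF\n",
    # 2000 bytes of junk before the header: $magic is outside 0..1024, no fire.
    "late_magic": b"A" * 2000 + b"%PDF-2.0\n1 0 obj\nendobj\n%%EOF\n",
    # Malformed version "1x7": the unescaped '.' in $ver still matches it,
    # so the rule stays silent even though the header is not a valid version.
    "dot_is_wild": b"%PDF-1x7\n1 0 obj\nendobj\n%%EOF\n",
}


def classify_all() -> dict:
    """Map each constructed sample name to whether suspicious_version fires."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} suspicious_version={rule_matches(data)!s:5s} "
              f"yara_agrees={yara_agrees(data)}")
```

Running it prints one line per sample; if yara-python is installed the last column confirms that the real engine and the Python re-implementation agree on every sample.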