Closed xambroz closed 9 years ago
Hi Michal,
Thank you very much for your comments and using our ruleset.
First error states unknown module "androguard". Have you compiled the androguard module?
If you want to use most of the files on the Mobile Malware folder, you have to compile it manually, as it doesn't come bundled with yara. Detailed instructions can be found here.
Something similar happens with cuckoo module. More information here.
Once you have these two modules in your Yara, most of the errors will disappear.
Regarding the duplicated identifier errors, we will review them and get rid of the duplicates soon.
Regards,
Hello, there seem to be a lot of duplicities, even in the non-deprecated folders. It makes it difficult to use the project without some manual tweaks.
To reproduce:
The output is these errors:

```
$ yarac ruleset rylesetc
ruleset(804): error: unknown module "androguard"
ruleset(830): error: invalid field name "app_name"
ruleset(856): error: invalid field name "certificate"
ruleset(975): error: invalid field name "package_name"
ruleset(998): error: invalid field name "permission"
ruleset(1018): error: invalid field name "permission"
ruleset(1030): error: invalid field name "certificate"
ruleset(1053): error: invalid field name "url"
ruleset(1060): error: unknown module "cuckoo"
ruleset(1109): error: invalid field name "network"
ruleset(1184): error: invalid field name "app_name"
ruleset(1191): error: invalid field name "app_name"
ruleset(1212): error: invalid field name "app_name"
ruleset(1222): error: invalid field name "app_name"
ruleset(1265): error: invalid field name "package_name"
ruleset(1302): error: invalid field name "certificate"
ruleset(1339): error: invalid field name "certificate"
ruleset(1392): error: invalid field name "package_name"
ruleset(1412): error: invalid field name "package_name"
ruleset(1427): error: invalid field name "package_name"
ruleset(1441): error: invalid field name "package_name"
ruleset(1451): error: invalid field name "activity"
ruleset(1461): error: invalid field name "package_name"
ruleset(1496): error: duplicated identifier "facebook"
ruleset(1521): error: duplicated identifier "koodous"
ruleset(1548): error: invalid field name "certificate"
ruleset(1569): error: invalid field name "app_name"
ruleset(3525): error: duplicated identifier "Win7Elevatev2"
ruleset(3554): error: duplicated identifier "UACME_Akagi"
ruleset(11808): error: duplicated identifier "mimikatz"
ruleset(11820): error: duplicated identifier "mimikatz_lsass_mdmp"
ruleset(11833): error: duplicated identifier "mimikatz_kirbi_ticket"
ruleset(11849): error: duplicated identifier "wce"
ruleset(11866): error: duplicated identifier "lsadump"
ruleset(12289): error: duplicated identifier "whosthere_alt"
ruleset(12310): error: duplicated identifier "iam_alt_iam_alt"
ruleset(12328): error: duplicated identifier "genhash_genhash"
ruleset(12344): error: duplicated identifier "iam_iamdll"
ruleset(12364): error: duplicated identifier "iam_iam"
ruleset(12382): error: duplicated identifier "whosthere_alt_pth"
ruleset(12401): error: duplicated identifier "whosthere"
ruleset(24281): error: undefined identifier "filename"
ruleset(24289): error: undefined identifier "filename"
ruleset(24299): error: undefined identifier "filename"
ruleset(24315): error: duplicated identifier "Base64_encoded_Executable"
ruleset(24994): error: undefined identifier "filename"
```
Where for example:
Best regards Michal Ambroz
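
An added example, not part of the original thread or the ruleset project: a heuristic Python pre-check that, before running `yarac` on a merged ruleset, lists rule identifiers declared more than once and the modules the rule files import (the two error classes in the output above). The file names and rule bodies in `SAMPLE` are constructed, and the regex-based parsing is an assumption that ignores `/*` sequences inside string literals.

```python
import re
from collections import defaultdict

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# A rule declaration, optionally prefixed by the "private"/"global" modifiers.
RULE_DECL = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)", re.MULTILINE)
IMPORT_DECL = re.compile(r'^[ \t]*import[ \t]+"([^"]+)"', re.MULTILINE)

def audit(sources):
    """sources maps path -> rule text. Returns (duplicates, modules)."""
    seen = defaultdict(list)    # rule identifier -> [(path, line), ...]
    modules = defaultdict(set)  # module name -> {paths importing it}
    for path, text in sources.items():
        # Blank out block comments but keep their newlines so line numbers hold.
        text = BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
        for m in RULE_DECL.finditer(text):
            line = text.count("\n", 0, m.start(1)) + 1
            seen[m.group(1)].append((path, line))
        for m in IMPORT_DECL.finditer(text):
            modules[m.group(1)].add(path)
    duplicates = {name: locs for name, locs in seen.items() if len(locs) > 1}
    return duplicates, dict(modules)

# Constructed sample input: three small rule files, one identifier declared twice.
SAMPLE = {
    "constructed/toolkit_a.yar":
        'rule mimikatz\n{\n  strings: $a = "constructed-marker"\n  condition: $a\n}\n',
    "constructed/toolkit_b.yar":
        '/*\nrule wce { condition: false }\n*/\n'
        'rule mimikatz { condition: false }\nrule wce { condition: false }\n',
    "constructed/mobile.yar":
        'import "androguard"\n'
        'rule facebook { condition: androguard.package_name("constructed.example") }\n',
}

if __name__ == "__main__":
    dups, mods = audit(SAMPLE)
    for name, locs in dups.items():
        where = ", ".join(f"{p}:{n}" for p, n in locs)
        print(f'duplicated identifier "{name}": {where}')
    for mod, paths in sorted(mods.items()):
        print(f'module "{mod}" required by: {", ".join(sorted(paths))}')
```
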