Closed kaustavbhattacharjee closed 5 years ago
Hi, I think you don't need the \n. Just use the following, or copy and paste your rule directly into the input field in the UI:
rule xy {strings: $s1="GRR" condition:all of them}
Thanks. It worked.
But whenever I use the following signature:
import "hash" rule xy {condition: hash.md5(0, filesize)=="9886aaauauauiohhjjgkkghj"}
(The hash is for representational purposes only.)
It runs but then throws an error: No field called "md5". Why am I facing this?
We don't officially support loading additional Yara libraries in GRR; we haven't looked into how this works, and there might be issues in the pyinstaller environment the GRR client runs in.
It looks like you are trying to match the hash of the file against a known hash. This is an idea we are not too fond of (see http://grr-response.blogspot.com/2015/05/hashing-maslows-hammer-of-forensics.html), so I'd recommend against trying this in general. But please also be aware that your Yara rule will be used against the memory of the process, not the file on disk. If you just want to hash the file, GRR can do that without resorting to Yara: a FileFinder with the Hash action will give you what you want.
Hi, I was trying to find some processes using Yara signatures. In order to do that, I carried out a test to find the GRR process with the following string:
rule xy\n{\nstrings:\n$s1="GRR"\ncondition:\nall of them\n}\n
But this threw an error:
SyntaxError: line 1: syntax error, unexpected \'\\\\\', expecting \'{\'\n'
Kindly help.