
Could not compile yara rules

Open veeshi opened this issue 5 years ago • 3 comments

Ran the ClamAV update script, but when running Manalyze it does not compile the YARA rules due to syntax errors:

[!] Error: [Yara compiler] yara_rules/clamav.yara(972693) : syntax error, unexpected '{', expecting text string
[!] Error: [Yara compiler] yara_rules/clamav.yara(1003499) : syntax error, unexpected string identifier, expecting '}'
[!] Error: Could not compile yara rules (2 error(s)).
[!] Error: ClamAV rules haven't been generated yet!
[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.

I have run yara_rules/update_clamav_signatures.py; however, it seems to skip a lot of rules because they are malformed.

veeshi, Jun 09 '20 10:06

These are the 2 rules it fails on:

Syntax Error 1

Exact line:

$a3 = { 0|(1&2)/6#?87474703A2F2F(3[0-9])[1,3]2E(3[0-9])[1,3]2E(3[0-9])[1,3]2E(3[0-9])[1,3]2F(3[0-9]|[46][1-9A-F]|[57][0-9]|5A|7A|5F|2F|2D)+2E706870/ }

In rule:

rule D_Win_dot_Trojan_dot_Zebrocy_dash_6743852_dash_2
{
    meta:
        signature = "Win.Trojan.Zebrocy-6743852-2"
    strings:
                $a0 = { 36333644363432453635373836353230324636333230 }
                $a1 = { 3533353434353444343934 [0-1] 4534363446 }
                $a2 = { 35343431353334423443343935333534 }
                $a3 = { 0|(1&2)/6#?87474703A2F2F(3[0-9])[1,3]2E(3[0-9])[1,3]2E(3[0-9])[1,3]2E(3[0-9])[1,3]2F(3[0-9]|[46][1-9A-F]|[57][0-9]|5A|7A|5F|2F|2D)+2E706870/ }
    condition:
                $a3
}

Syntax Error 2

Exact line:

$a0$a0 and ((($a1 and #a1 > 20) and ($a2 and #a2 > 10) and $a3) or ($a4))

In rule:

rule D_Win_dot_Trojan_dot_Agent_dash_6825810_dash_0_dash_6852456_dash_0
{
    meta:
        signature = "Win.Trojan.Agent-6825810-0-6852456-0"
    strings:
                $a0 = { 234e6f5472617949636f6e }
                $a1 = { 43415345203078303030 }
                $a2 = { 474c4f42414c20434f4e53542024 }
                $a3 = { 205b2030783030303030303034205d205b2030783030303030303033205d203d205b205b2022 }
                $a4 = { 627978786964796c676672717270736d6b6f696f6a77766c706d616f6b70 }
    condition:
                $a0$a0 and ((($a1 and #a1 > 20) and ($a2 and #a2 > 10) and $a3) or ($a4))
}

veeshi, Jun 09 '20 10:06

Commenting out both of the above rules allows the rest of the rules to compile successfully.

veeshi, Jun 09 '20 10:06
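The workaround reported in this thread (comment out the rules the compiler rejects so the rest of the generated file still loads) can be automated. The script below is an added example written for this page; it is not Manalyze's code, not part of update_clamav_signatures.py, and not something the issue author posted. It does three things: maps the line numbers in Manalyze's `[Yara compiler] file(line) : ...` errors back to the enclosing rule, lints the generated file for the two malformations quoted above without needing a YARA engine (a hex string whose body is not YARA hex-string syntax, and a condition with two string identifiers run together like `$a0$a0`), and writes out a copy with those rules turned into `//` comments. The sample rule text and the sample error lines are constructed from the rules quoted in the thread (string lists trimmed, line numbers adjusted to the sample); every function name is the example's own.

```python
import re
from collections import namedtuple

# Constructed sample: the two rules quoted in the issue (string lists trimmed),
# with a well-formed rule between them. Line numbers below refer to this text.
SAMPLE_RULES = """\
rule D_Win_dot_Trojan_dot_Zebrocy_dash_6743852_dash_2
{
    strings:
        $a3 = { 0|(1&2)/6#?87474703A2F2F(3[0-9])[1,3]2E(3[0-9])[1,3]2E(3[0-9])[1,3]2E(3[0-9])[1,3]2F(3[0-9]|[46][1-9A-F]|[57][0-9]|5A|7A|5F|2F|2D)+2E706870/ }
    condition:
        $a3
}
rule Good_rule
{
    strings:
        $mz = { 4D 5A ?? ?? [2-4] 50 45 }
        $s1 = "{braces inside a text string are fine}"
    condition:
        $mz and #s1 > 2
}
rule D_Win_dot_Trojan_dot_Agent_dash_6825810_dash_0_dash_6852456_dash_0
{
    strings:
        $a0 = { 234e6f5472617949636f6e }
        $a1 = { 43415345203078303030 }
    condition:
        $a0$a0 and ($a1 and #a1 > 20)
}
"""
# Constructed Manalyze output in the issue's format, pointing at lines 4 and 22.
SAMPLE_ERRORS = """\
[!] Error: [Yara compiler] yara_rules/clamav.yara(4) : syntax error, unexpected '{', expecting text string
[!] Error: [Yara compiler] yara_rules/clamav.yara(22) : syntax error, unexpected string identifier, expecting '}'
[!] Error: Could not compile yara rules (2 error(s)).
"""

Rule = namedtuple("Rule", "name start end lines")  # start/end are 1-based line numbers

_RULE_HEADER = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z_]\w*)")
_TEXT_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_HEX_STRING = re.compile(r"^\s*(\$\w*)\s*=\s*\{(.*)\}\s*$")
# Valid hex-string body: byte pairs with ? wildcards, [n] / [n-m] / [n-] / [-] jumps,
# ( | ) alternation, ~ negation, whitespace. One alternative per position: no bad backtracking.
_HEX_BODY = re.compile(r"^(?:\s|[0-9A-Fa-f?]{2}|\[\s*(?:\d+|\d*\s*-\s*\d*)\s*\]|[()|~])*$")
_ADJACENT_IDS = re.compile(r"\$\w+\s*\$\w+")  # "$a0$a0": operator missing between identifiers
_COMPILER_ERROR = re.compile(r"\[Yara compiler\] \S+\((\d+)\)")

def split_rules(text):
    """Cut a YARA file into rules by brace depth (text strings blanked first, so a '{' in quotes is ignored)."""
    rules, name, depth = [], None, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if name is None:
            m = _RULE_HEADER.match(line)
            if not m:
                continue
            name, start, body, opened = m.group(1), lineno, [], False
        body.append(line)
        bare = _TEXT_STRING.sub('""', line)
        depth += bare.count("{") - bare.count("}")
        opened = opened or depth > 0
        if opened and depth == 0:            # back at depth 0: the rule's closing brace
            rules.append(Rule(name, start, lineno, body))
            name = None
    return rules

def lint_rule(rule):
    """Reasons a rule shows one of the two malformations quoted in the issue (empty list if none)."""
    reasons, in_condition = [], False
    for line in rule.lines:
        m = _HEX_STRING.match(line)
        if m and not _HEX_BODY.match(m.group(2)):
            reasons.append(f"{m.group(1)}: body is not YARA hex-string syntax")
        if re.match(r"\s*condition\s*:", line):
            in_condition = True
        elif in_condition and _ADJACENT_IDS.search(_TEXT_STRING.sub('""', line)):
            reasons.append("condition: two string identifiers with no operator")
    return reasons

def find_bad_rules(text):
    """Rule name -> lint reasons, for every rule that fails the lint."""
    return {r.name: why for r in split_rules(text) if (why := lint_rule(r))}

def rules_from_errors(text, manalyze_output):
    """Names of the rules enclosing the line numbers Manalyze's compiler errors report, in file order."""
    hit = {int(n) for n in _COMPILER_ERROR.findall(manalyze_output)}
    return [r.name for r in split_rules(text) if any(r.start <= n <= r.end for n in hit)]

def comment_out(text, rule_names):
    """The thread's workaround, automated: prefix every line of the named rules with '//'."""
    lines = text.splitlines()
    for r in split_rules(text):
        if r.name in rule_names:
            for i in range(r.start - 1, r.end):
                lines[i] = "// " + lines[i]
    return "\n".join(lines) + "\n"
```

Run against a real `yara_rules/clamav.yara`, either `rules_from_errors` (paste Manalyze's stderr) or `find_bad_rules` gives the rule names, and `comment_out` produces the file to compile. The lint deliberately only encodes the two failure shapes visible in this issue; a rule that is broken in some other way will still surface as a compiler error and should be fed back through `rules_from_errors`.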

Ah, yes, this really is a part of the program that keeps breaking as ClamAV adds more rules. Thanks, I'll look into it!

JusticeRage, Jun 15 '20 13:06