clamav-yara
Parsing error - slice bounds out of range
2018/02/19 12:00:16 Downloading main definitions from https://sec51.com/definitions/main.cvd ...
2018/02/19 12:00:16 Download completed, proceeding with parsing.
2018/02/19 12:01:02 main.cvd parsing completed.
=========================
2018/02/19 12:01:02 Downloading daily definitions from https://sec51.com/definitions/daily.cvd ...
2018/02/19 12:01:02 Download completed, proceeding with parsing.
panic: runtime error: slice bounds out of range
goroutine 1 [running]:
main.extractFiles(0xc4201b2400, 0xb2, 0x200, 0x1, 0x0, 0x0, 0x0)
/home/corey/git/clamav-yara/definitions.go:296 +0xb61
main.(*DefinitionsManager).DownloadDefinitions(0xc42005c480, 0xc42000e001, 0x0, 0x0)
/home/corey/git/clamav-yara/definitions.go:237 +0x48b
main.downloadDefinitions(0xc42005c480)
/home/corey/git/clamav-yara/main.go:34 +0x98
main.main()
/home/corey/git/clamav-yara/main.go:19 +0x8e
I'm seeing similar behavior on Ubuntu 18.04. I saw this error when testing the build:
root@osquery:~/clamav-yara# go test -v
_/home/cmerchant/clamav-yara
./definitions_test.go:41: Errorf format %s has arg def.Level of wrong type int
./definitions_test.go:45: Errorf format %s has arg def.TotalSignatures of wrong type int64
./definitions_test.go:49: Errorf format %s has arg def.Version of wrong type int
FAIL _/home/cmerchant/clamav-yara [build failed]
I am seeing the same errors on CentOS 7.6.
[root@localhost clamav-yara]# go test -v
# _/root/clamav-yara
./definitions_test.go:41:3: Errorf format %s has arg def.Level of wrong type int
./definitions_test.go:45:3: Errorf format %s has arg def.TotalSignatures of wrong type int64
./definitions_test.go:49:3: Errorf format %s has arg def.Version of wrong type int
FAIL _/root/clamav-yara [build failed]
[root@localhost clamav-yara]# ./clamav-yara
2020/03/09 01:32:16 Downloading main definitions from https://sec51.com/definitions/main.cvd ...
2020/03/09 01:32:17 Download completed, proceeding with parsing.
panic: runtime error: slice bounds out of range [512:162]
goroutine 1 [running]:
main.extractFiles(0xc000184600, 0xa2, 0x200, 0x0, 0x0, 0x200, 0x0)
/root/clamav-yara/definitions.go:296 +0xb0e
main.(*DefinitionsManager).DownloadDefinitions(0xc000062600, 0x0, 0x0, 0x0)
/root/clamav-yara/definitions.go:237 +0x42d
main.downloadDefinitions(0xc000062600)
/root/clamav-yara/main.go:30 +0x34
main.main()
/root/clamav-yara/main.go:19 +0x84
Is this caused by a newer Go version? I can't find an old Go version like 1.5.
[root@localhost clamav-yara]# go version
go version go1.14 linux/amd64
Appears to run into a problem here...
definitions.go
// Extract the file tar.gz
func extractFiles(data []byte, fileType definitionType) (map[definitionExtensionType]definitionFile, error) {
	files := make(map[definitionExtensionType]definitionFile)
	// extract the data only and cut the header off
	tarGzip := data[512:]
+1
The solve:
wget http://database.clamav.net/main.cvd
wget https://raw.githubusercontent.com/mattulm/volgui/master/tools/clamav_to_yara.py
sigtool -u main.cvd
./clamav_to_yara.py -f main.ndb -o clamav.yara
The issue is that the default URL used to download the ClamAV database was set to an HTTPS URL that is now down.
See #6, which is reverting to the ClamAV default HTTP URL.
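
The panics above come from slicing `data[512:]` on a downloaded body shorter than the 512-byte header (162 bytes in the go1.14 trace). A defensive version of that step, as an added example that is not the project's own code: `splitCVD`, `sampleCVD` and the error names are hypothetical, and the gzip check assumes the payload after the header is a tar.gz, as the comment in `definitions.go` says.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const cvdHeaderLen = 512 // fixed-size header that precedes the tar.gz payload

var (
	cvdMagic    = []byte("ClamAV-VDB:")
	gzipMagic   = []byte{0x1f, 0x8b}
	ErrTooShort = errors.New("cvd: response shorter than header")
	ErrBadMagic = errors.New("cvd: missing ClamAV-VDB magic")
	ErrNotGzip  = errors.New("cvd: payload is not gzip")
)

// splitCVD (hypothetical helper) validates a downloaded body before slicing,
// returning an error where a bare data[512:] would panic.
func splitCVD(data []byte) (header, payload []byte, err error) {
	if len(data) <= cvdHeaderLen {
		return nil, nil, fmt.Errorf("%w: got %d bytes", ErrTooShort, len(data))
	}
	if !bytes.HasPrefix(data, cvdMagic) {
		return nil, nil, ErrBadMagic
	}
	payload = data[cvdHeaderLen:]
	if !bytes.HasPrefix(payload, gzipMagic) {
		return nil, nil, ErrNotGzip
	}
	return data[:cvdHeaderLen], payload, nil
}

// sampleCVD builds a constructed, well-formed buffer: magic, space padding
// to 512 bytes, then the two gzip magic bytes standing in for the archive.
func sampleCVD() []byte {
	hdr := append([]byte("ClamAV-VDB:constructed"), bytes.Repeat([]byte(" "), cvdHeaderLen)...)
	return append(hdr[:cvdHeaderLen:cvdHeaderLen], gzipMagic...)
}

func main() {
	// Constructed 162-byte body, the size seen in the go1.14 panic [512:162].
	errorPage := bytes.Repeat([]byte("x"), 162)
	for _, body := range [][]byte{errorPage, sampleCVD()} {
		_, payload, err := splitCVD(body)
		fmt.Printf("len=%d payload=%d err=%v\n", len(body), len(payload), err)
	}
}
```

Returning an error here lets the caller log that the definitions URL served something other than a CVD file instead of crashing during parsing.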