Coder Social home page Coder Social logo

unstable rules about go-yara HOT 5 CLOSED

RRancio avatar RRancio commented on May 23, 2024
unstable rules

from go-yara.

Comments (5)

hillu avatar hillu commented on May 23, 2024

I can't tell you how you are using yara.exe wrong (or how it may be broken), but one thing that comes to mind is that you need to quote your paths that contain strings.

Does running yara --help output anything?

from go-yara.

RRancio avatar RRancio commented on May 23, 2024

After some time i figured that maybe it is a code issue, i tested using: https://github.com/EvilAres/saferwall/blob/edec505dab55a2a1e0c0cf24b436194835510f0f/cmd/yara/main.go#L8

and it seems working fine whitout unstable flags, ill return here if i solve it by my own

but yeah, the command is working fine, every yara module is working fine, is just the scanfile that doesn't follow rules conditions and flags every possible file.

Microsoft Windows [Versión 10.0.17763.1]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.

C:\Users\Rancio>yara --help
YARA 4.3.2, the pattern matching swiss army knife.
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

Mandatory arguments to long options are mandatory for short options too.

       --atom-quality-table=FILE           path to a file with the atom quality table
  -C,  --compiled-rules                    load compiled rules
  -c,  --count                             print only number of matches
  -d,  --define=VAR=VALUE                  define external variable
       --fail-on-warnings                  fail on warnings
  -f,  --fast-scan                         fast matching mode
  -h,  --help                              show this help and exit
  -i,  --identifier=IDENTIFIER             print only rules named IDENTIFIER
       --max-process-memory-chunk=NUMBER   set maximum chunk size while reading process memory (default=1073741824)
  -l,  --max-rules=NUMBER                  abort scanning after matching a NUMBER of rules
       --max-strings-per-rule=NUMBER       set maximum number of strings per rule (default=10000)
  -x,  --module-data=MODULE=FILE           pass FILE's content as extra data to MODULE
  -n,  --negate                            print only not satisfied rules (negate)
  -N,  --no-follow-symlinks                do not follow symlinks when scanning
  -w,  --no-warnings                       disable warnings
  -m,  --print-meta                        print metadata
  -D,  --print-module-data                 print module data
  -M,  --module-names                      show module names
  -e,  --print-namespace                   print rules' namespace
  -S,  --print-stats                       print rules' statistics
  -s,  --print-strings                     print matching strings
  -L,  --print-string-length               print length of matched strings
  -X,  --print-xor-key                     print xor key and plaintext of matched strings
  -g,  --print-tags                        print tags
  -r,  --recursive                         recursively search directories
       --scan-list                         scan files listed in FILE, one per line
  -z,  --skip-larger=NUMBER                skip files larger than the given size when scanning a directory
  -k,  --stack-size=SLOTS                  set maximum stack size (default=16384)
  -t,  --tag=TAG                           print only rules tagged as TAG
  -p,  --threads=NUMBER                    use the specified NUMBER of threads to scan a directory
  -a,  --timeout=SECONDS                   abort scanning after the given number of SECONDS
  -v,  --version                           show version information

Send bug reports and suggestions to: [email protected].

C:\Users\Rancio>

from go-yara.

hillu avatar hillu commented on May 23, 2024

It seems to me that you are re-using your MatchRules object without resetting it between scans. Matching results just get appended to it.

Please also have a look at the simple-yara example and the tests.

from go-yara.

RRancio avatar RRancio commented on May 23, 2024

Hey, after some minutes i fixed the issue, this is the final code:

set rule and scan:

package API

import (
	"strings"

	yara "github.com/hillu/go-yara/v4"
)

func NewFromReader(ruleReader *strings.Reader) (*yara.Scanner, error) {
	r, err := LoadRuleFromReader(ruleReader)
	if err != nil {
		return nil, err
	}

	s, err := yara.NewScanner(r)
	if err != nil {
		return nil, err
	}

	return s, nil
}

func LoadRuleFromReader(reader *strings.Reader) (*yara.Rules, error) {
	rules, err := yara.ReadRules(reader)
	if err != nil {
		return nil, err
	}
	return rules, nil
}

func ScanFile(scanner *yara.Scanner, filePath string) ([]yara.MatchRule, error) {
	var matches yara.MatchRules
	err := scanner.SetCallback(&matches).ScanFile(filePath)
	return matches, err
}

func ScanProc(scanner *yara.Scanner, pid int) ([]yara.MatchRule, error) {
	var matches yara.MatchRules
	err := scanner.SetCallback(&matches).ScanProc(pid)
	return matches, err
}

file for scan:

sc, err := yara.NewCompiler()
	if sc == nil || err != nil {
		fmt.Println(err)
		return
	}

	detections := req.A(req.GENERICCRIPT)

	reader := strings.NewReader(string(detections))

	scanner, err := API.NewFromReader(reader)
	if err != nil {
		fmt.Println(err)
		return
	}

	for _, filename := range result {
		filenameLower := strings.ToLower(filename)
		if !strings.Contains(filenameLower, "temp") {
			fileInfo, err := os.Stat(filename)
			if err != nil {
				continue
			}

			if fileInfo.Size() > 20*1024*1024 {
				continue
			}

			matches, err := API.ScanFile(scanner, filenameLower)
			if err != nil {
				fmt.Println(err)
				continue
			}

			if len(matches) > 0 {
				for _, match := range matches {
					rule := strings.Replace(match.Rule, "_", " ", -1)
					fmt.Println(rule, filenameLower)
					other.SuspiciousAdd(fmt.Sprintf("%s:::Generic %s", filename, rule))
				}
			}
		}
	}

now i have a question, where should i add the yara.ScanFlagsFastMode?, on the another code i was using it on the same "ScanFile" function, but using callback seems quite different

from go-yara.

hillu avatar hillu commented on May 23, 2024

The Scanner object has a SetFlags method.

Otherwise, you can still use the Rules object directly, just make sure that your match objects are reset.

from go-yara.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.