This repository has been archived by the owner on Jun 7, 2023. It is now read-only.

[QUESTION] Add manually new Yara rules? #545

Closed
Tux-Panik opened this issue May 2, 2017 · 2 comments

Comments

@Tux-Panik

Hello,

I just wanted to add a lot of new rules, to test how it was possible to improve Yara scan capabilities.
To do it, I grabbed some public rules and copied them to $viper_folder/data/yara/
Then I ran "yara scan -v" but I got exceptions.
I thought Yara syntax was standardized, but perhaps I was wrong when I see the error output:

SyntaxError: $viper_folder/data/yara/apt_fancybear_dnc.yar(52): undefined identifier "filename"
...
SyntaxError: $viper_folder/data/yara/crime_kins_dropper.yar(27): duplicated identifier "KINS_DLL_zeus"
...
SyntaxError: $viper_folder/data/yara/thor-webshells.yar(5047): undefined identifier "filepath"

Concerned rules are from @Neo23x0: https://github.com/Neo23x0/signature-base/tree/50f14d7d1def5ee1032158af658a5c0b82fe50c9/yara

Find below a verbose output log:

viper 27114.js [not stored] > yara scan -v
[!] The command yara raised an exception:
Traceback (most recent call last):
File "$viper_folder/core/ui/console.py", line 240, in start
module.run()
File "$viper_folder/modules/yarascan.py", line 215, in run
self.scan()
File "$viper_folder/modules/yarascan.py", line 97, in scan
rules = yara.compile(arg_rule)
SyntaxError: $viper_folder/data/yara/apt_fancybear_dnc.yar(52): undefined identifier "filename"

viper 27114.js [not stored] > yara scan -v
[!] The command yara raised an exception:
Traceback (most recent call last):
File "$viper_folder/core/ui/console.py", line 240, in start
module.run()
File "$viper_folder/modules/yarascan.py", line 215, in run
self.scan()
File "$viper_folder/modules/yarascan.py", line 97, in scan
rules = yara.compile(arg_rule)
SyntaxError: $viper_folder/data/yara/crime_kins_dropper.yar(27): duplicated identifier "KINS_DLL_zeus"

viper 27114.js [not stored] > yara scan -v
[!] The command yara raised an exception:
Traceback (most recent call last):
File "$viper_folder/core/ui/console.py", line 240, in start
module.run()
File "$viper_folder/modules/yarascan.py", line 215, in run
self.scan()
File "$viper_folder/modules/yarascan.py", line 97, in scan
rules = yara.compile(arg_rule)
SyntaxError: $viper_folder/data/yara/thor-webshells.yar(5047): undefined identifier "filepath"

Are these errors due:

  • to the non-implementation in Viper of Yara functions?
  • to non-standard identifiers implemented in Loki?

Thanks for your suggestions,
Regards,

@Neo23x0

Neo23x0 commented May 2, 2017

I guess you'll have to exclude the rules that use external variables. The "filepath" e.g. makes no sense in a Viper malware collection. However "file_name" was introduced in YARA long after I started using "filename" in my rules. Depending on the version of YARA you use, you could rename the variable: filename > file_name
The KINS_DLL_zeus rule is a duplicate.
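One way to do the exclusion described above, as an added example that is not Viper's or signature-base's code: walk a rule directory, report the files whose conditions reference external variables and the rule identifiers declared more than once, and build the externals mapping that yara-python's `yara.compile(..., externals=...)` needs so those rules compile anyway. The external names filename, filepath and file_name come from this thread; extension, filetype and owner are assumed here as the other externals such rule sets reference, and the sample rule files are constructed for the demo.

```python
"""Triage third-party YARA rule files before a scanner compiles them one by
one without external variables, the way the traceback above shows Viper doing.

Added example for this thread, not code from Viper or signature-base.
filename/filepath/file_name are from the thread; extension, filetype and
owner are assumed as the remaining externals Loki/THOR-style rules use."""
import re
from pathlib import Path

KNOWN_EXTERNALS = {"filename", "filepath", "file_name", "extension", "filetype", "owner"}

_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
_LINE_COMMENT_RE = re.compile(r"//[^\n]*")
_RULE_RE = re.compile(r"^[ \t]*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
_CONDITION_RE = re.compile(r"\bcondition\s*:([^}]*)")


def _strip(text):
    """Drop comments and quoted strings, so 'filepath' inside a meta field or a
    header comment is not mistaken for a reference to the external variable."""
    text = _BLOCK_COMMENT_RE.sub(" ", text)
    text = _STRING_RE.sub('""', text)
    return _LINE_COMMENT_RE.sub(" ", text)


def rule_names(text):
    """Rule identifiers declared in one rule file, in order of appearance."""
    return _RULE_RE.findall(_strip(text))


def externals_used(text):
    """External variables referenced in the condition sections of one file.
    A leading $, #, @ or ! marks a string reference ($filename), not the external."""
    found = set()
    for cond in _CONDITION_RE.findall(_strip(text)):
        for name in KNOWN_EXTERNALS:
            if re.search(r"(?<![$#@!\w])" + re.escape(name) + r"\b", cond):
                found.add(name)
    return found


def triage(files):
    """files: mapping file name -> rule text.
    Returns (externals per file, rule names declared in more than one file)."""
    seen, externals = {}, {}
    for fname, text in files.items():
        for rule in rule_names(text):
            seen.setdefault(rule, []).append(fname)
        used = externals_used(text)
        if used:
            externals[fname] = used
    duplicates = {rule: where for rule, where in seen.items() if len(where) > 1}
    return externals, duplicates


def compile_externals(files):
    """Default values for yara.compile(..., externals=...). With an empty string,
    'filepath contains "..."' evaluates to false instead of failing to compile."""
    names = set()
    for text in files.values():
        names |= externals_used(text)
    return {name: "" for name in sorted(names)}


def load_dir(directory):
    """Read every .yar/.yara file under directory into the mapping triage() expects."""
    return {p.name: p.read_text(errors="replace")
            for p in sorted(Path(directory).rglob("*.yar*"))}


def compile_with_externals(files):
    """Compile the set with yara-python, one namespace per file, declaring the
    externals the rules reference. Returns None when yara-python is not installed."""
    try:
        import yara
    except ImportError:
        return None
    return yara.compile(sources=files, externals=compile_externals(files))


# Constructed rule files for the demo, not real signature-base rules.
SAMPLE_RULES = {
    "apt_sample.yar": r'''
rule Sample_Uses_Filename {
    meta:
        description = "mentions filepath in a string, really uses the filename external"
    strings:
        $s1 = "cmd.exe /c"
        $filename = "winlogon.exe" // a string named like the external
    condition:
        $s1 and $filename and filename matches /\.exe$/
}
''',
    "webshells_a.yar": r'''
rule WebShell_Generic { strings: $a = "eval(base64_decode" condition: $a }
rule Thumbs_Cloaking { condition: uint16(0) == 0x5a4d and filepath contains "Thumbs" }
''',
    "webshells_b.yar": r'''
/* the same rule again, as happens when bundles are merged */
rule WebShell_Generic { strings: $a = "eval(base64_decode" condition: $a }
''',
}

if __name__ == "__main__":
    ext, dup = triage(SAMPLE_RULES)
    for fname, names in ext.items():
        print("%s needs externals: %s" % (fname, ", ".join(sorted(names))))
    for rule, where in dup.items():
        print("duplicated identifier %s in %s" % (rule, ", ".join(where)))
    print("externals for yara.compile():", compile_externals(SAMPLE_RULES))
```

Point `load_dir()` at $viper_folder/data/yara to get the same two lists for a real rule set. Whether a rule says filename or file_name, YARA only accepts the identifier if the scanner declares it as an external at compile time, so renaming alone does not make the rule compile in a scanner that passes no externals; the files triage() flags either need to be left out or compiled with the mapping from compile_externals(). compile_with_externals() puts each file in its own namespace, which is why a cross-file duplicate like the constructed WebShell_Generic compiles there, whereas a scanner compiling one file at a time still rejects a name declared twice in the same file.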

@Tux-Panik
Author

Thanks for the answer.
Yara 3.2.0 is installed and I am not sure this version manages the "file_name" variable.

I modified your "gen_thumbs_cloaking.yar" but I reached the same error:

SyntaxError: $viper_folder/data/yara/gen_thumbs_cloaking.yar(9): undefined identifier "file_name"

I suppose it is a too-old Yara version (3.5.0?) and a variable issue, as you explain.
I will update my Yara version and try again before closing the topic.
Regards,
