Not supported "uint32be" condition in yara rules
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
clamav (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
The internal library in LibClamAV related to yara rules does not seem to be updated to the current one.
I use some rules with a uint32be condition, which it doesn't support:
LibClamAV Error: yyerror(): /var/lib/
LibClamAV Warning: cli_loadyara: failed to parse or load 4 yara rules from file /var/lib/
Looking at the yara documentation this identifier should be supported:
https:/
1)
Description: Ubuntu 20.04 LTS
Release: 20.04
2)
libclamav9:
Instalados: 0.102.3+
Candidato: 0.102.3+
Tabla de versión:
*** 0.102.3+
500 http://
500 http://
100 /var/lib/
0.
500 http://
3) ClamAV should load the yara rule correctly
4) Rule not loaded due to reported error.
Changed in clamav (Ubuntu):
status: Expired → New
Hello and thanks for taking the time to report this bug. In order to drive this forward we need some more things from your side:
0. Can you please double check your yara_2.yar is valid? The error you report is:
undefined identifier "uint32be"
but the documentation you linked says "The following keywords are reserved and cannot be used as an identifier:" and goes on to list "uint32be" as one of these keywords. This makes me suspect your yara file has syntax issues.
1. Is this a regression, or is this the first time you try to set up ClamAV with yara rules? In other words: did you upgrade an existing, working Ubuntu system to 20.04 and hit the issue, or did you hit it while setting up a system from scratch?
2. Can you share your yara_2.yar file and outline how you set up ClamAV for using it? Ideally we need the minimal set of steps to set up a system which will hit the problem you described.
I'm marking this report as Incomplete for the moment. Please change its status back to New after commenting back and we'll look at it again. Thanks!
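An added example, not part of the report or of ClamAV: a pre-flight audit for rule files that must load on a parser rejecting `uint32be`, as in the error above. It lists lines that use YARA's big-endian integer functions and rewrites equality tests against integer literals into the little-endian `uint16`/`uint32` form with the constant byte-swapped (YARA documents `uintXX` as little-endian). The function names and sample rule are constructed, and whether the rewritten forms load on a given ClamAV build is an assumption to verify.

```python
import re

# uintNNbe(<offset>) ==/!= <integer literal>; offset must not contain parentheses.
BE_EQ = re.compile(
    r"\buint(16|32)be\(([^()]*)\)\s*(==|!=)\s*(0x[0-9A-Fa-f]+|\d+)(?!\w)"
)
# Any big-endian integer function named in the YARA documentation.
BE_ANY = re.compile(r"\bu?int(?:8|16|32)be\b")


def swap(value, bits):
    """Reverse the byte order of an unsigned integer of the given width."""
    return int.from_bytes(value.to_bytes(bits // 8, "big"), "little")


def rewrite_line(line):
    """Replace equality tests on uint16be/uint32be with little-endian forms."""
    def repl(m):
        bits = int(m.group(1))
        literal = m.group(4)
        value = int(literal, 16) if literal.startswith("0x") else int(literal)
        if value >= 1 << bits:      # literal wider than the read: leave untouched
            return m.group(0)
        return "uint%d(%s) %s 0x%0*X" % (
            bits, m.group(2), m.group(3), bits // 4, swap(value, bits))
    return BE_EQ.sub(repl, line)


def audit(rule_text):
    """Return (line_no, rewritten_line, needs_manual_review) per affected line."""
    findings = []
    for no, line in enumerate(rule_text.splitlines(), 1):
        if BE_ANY.search(line):
            new = rewrite_line(line)
            # Ordering comparisons and signed reads are not rewritten: flag them.
            findings.append((no, new.strip(), bool(BE_ANY.search(new))))
    return findings


# Constructed sample rule, not the reporter's yara_2.yar.
SAMPLE = """rule constructed_elf_check
{
    condition:
        uint32be(0) == 0x7F454C46 and
        uint16be(4) != 0x0201 and
        uint32be(8) > 16
}"""

if __name__ == "__main__":
    for no, new, manual in audit(SAMPLE):
        print(no, "MANUAL" if manual else "ok", new)
```

Only `==` and `!=` are rewritten because byte-swapping does not preserve ordering; lines still flagged for manual review need a different rewrite.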