sec51 / clamav-yara
Converts the Clamav Virus Database definitions to YARA rules [GOLANG]
License: ISC License
At the moment we are parsing only NDB signatures.
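The following is an added example of what NDB conversion involves; it is not the clamav-yara project's own code. An NDB line has the layout MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]] and its hex part may contain ClamAV wildcards (??, nibble wildcards, {n}, {n-m}, {n-}, {-m}, *, alternatives). YARA hex strings have the equivalents ??, [n], [n-m], [n-] and (aa|bb), so the translation is mostly token for token. Choices made here that the project may make differently: ClamAV's * becomes an unbounded [-] jump, constructs YARA cannot express (negation, (B)/(L)/(W) anchors, [n-m] anchoring) are rejected with an error instead of being mistranslated, only target types 0 (any), 1 (PE) and 6 (ELF) get a magic-number check, only "*" and absolute numeric offsets are handled, and the sample signature line is constructed, not taken from a real database.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// clamHexToYara rewrites ClamAV hex wildcards as YARA hex-string syntax:
//   ?? -> ??   {n} -> [n]   {n-m} -> [n-m]   {n-} -> [n-]   {-m} -> [0-m]   * -> [-]
// Alternatives (aa|bb) are the same in both. Constructs with no YARA equivalent
// (negation !(...), anchors (B)/(L)/(W), [n-m] anchoring) are rejected, not mistranslated.
func clamHexToYara(h string) (string, error) {
	var out []string
	for i := 0; i < len(h); {
		switch c := h[i]; {
		case c == '*':
			out = append(out, "[-]")
			i++
		case c == '{':
			end := strings.IndexByte(h[i:], '}')
			if end < 0 {
				return "", fmt.Errorf("unterminated { in %q", h)
			}
			body := h[i+1 : i+end]
			if strings.HasPrefix(body, "-") {
				body = "0" + body
			}
			out = append(out, "["+body+"]")
			i += end + 1
		case c == '!' || c == '[':
			return "", fmt.Errorf("unsupported ClamAV construct %q in %q", c, h)
		case c == '(' && i+2 < len(h) && h[i+2] == ')' && strings.IndexByte("BLW", h[i+1]) >= 0:
			return "", fmt.Errorf("unsupported ClamAV anchor %q in %q", h[i:i+3], h)
		case c == '(' || c == ')' || c == '|':
			out = append(out, string(c))
			i++
		default: // a hex byte or nibble wildcard: 4d, ?d, 4?, ??
			if i+2 > len(h) {
				return "", fmt.Errorf("odd-length hex in %q", h)
			}
			out = append(out, h[i:i+2])
			i += 2
		}
	}
	// YARA does not accept a hex string that begins or ends with a jump.
	for len(out) > 0 && strings.HasPrefix(out[0], "[") {
		out = out[1:]
	}
	for len(out) > 0 && strings.HasPrefix(out[len(out)-1], "[") {
		out = out[:len(out)-1]
	}
	if len(out) == 0 {
		return "", fmt.Errorf("signature %q has no literal bytes", h)
	}
	return strings.Join(out, " "), nil
}

// Magic-number checks for the target types handled here (0 = any file type).
var targetCond = map[int]string{
	0: "",
	1: "uint16(0) == 0x5A4D",     // PE: "MZ"
	6: "uint32(0) == 0x464C457F", // ELF: "\x7fELF" read little-endian
}

// ndbToYara renders one NDB line (MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]])
// as a complete YARA rule. Only "*" (anywhere) and absolute numeric offsets are handled.
func ndbToYara(line string) (string, error) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) < 4 {
		return "", fmt.Errorf("want at least 4 fields in %q", line)
	}
	target, err := strconv.Atoi(f[1])
	magic, ok := targetCond[target]
	if err != nil || !ok {
		return "", fmt.Errorf("target type %q not handled in this example", f[1])
	}
	hex, err := clamHexToYara(f[3])
	if err != nil {
		return "", err
	}
	where := "$sig"
	if _, err := strconv.Atoi(f[2]); err == nil {
		where += " at " + f[2]
	} else if f[2] != "*" {
		return "", fmt.Errorf("offset %q not handled in this example", f[2])
	}
	cond := where
	if magic != "" {
		cond = magic + " and " + where
	}
	// ClamAV names contain '.' and '-', which YARA identifiers do not allow.
	name := strings.NewReplacer(".", "_", "-", "_").Replace(f[0])
	return fmt.Sprintf("rule %s\n{\n    strings:\n        $sig = { %s }\n    condition:\n        %s\n}\n", name, hex, cond), nil
}

func main() {
	r, err := ndbToYara("Win.Trojan.Example-1:1:*:4d5a90??{2-4}e8(00|01)*c3") // constructed sample
	fmt.Println(r, err)
}
```

Wide jumps are the expensive part of the result: YARA compiles hex strings into regular expressions internally, and very large or unbounded ranges are a common reason for the "slowing down scanning" warning and the "regular expression is too complex" error, so a converter should at least report how wide the jumps it emitted are.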
Still to add: HDB and HSB hash signatures.
Both HDB and HSB signatures match the hash of a whole file, so they only detect static samples: changing a single byte of the file defeats them.
The format is the following:
HashString:FileSize:MalwareName
The difference between the two is that HDB uses MD5,
whereas HSB uses SHA-1 or SHA-256,
so the algorithm has to be inferred from the length of the hash (32 hex characters for MD5, 40 for SHA-1, 64 for SHA-256).
In YARA this maps to the hash module: the generated file needs import "hash" at the top, and each rule needs a condition like this:
condition:
hash.md5(0, filesize) == "md5_hash_obtained_from_clamav_signatures"
Putting the cheap filesize == FileSize comparison before the hash call lets YARA skip hashing files whose size cannot match.
The rule names are generated from the ClamAV malware name, with the dots and dashes ClamAV uses replaced by underscores, since YARA identifiers only allow letters, digits and underscores.
In the ClamAV definitions the same name appears multiple times,
so a numeric suffix has to be appended to the malware name to keep each YARA rule identifier unique.
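The following is an added example covering the two points above (HDB/HSB conversion through the YARA hash module, and unique rule names); it is not the clamav-yara project's own code. The algorithm is picked from the hash length, the hash is validated as hex before it is written inside a quoted YARA string (a stray quote in an input line would otherwise inject rule text), and duplicate names get the lowest free numeric suffix. Treating a FileSize of "*" as "any size" and the sample entries (hashes of the empty input) are assumptions made here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// hashSig is one HDB/HSB entry (HashString:FileSize:MalwareName); Size is -1 for "*".
type hashSig struct {
	Algo, Hash, Name string
	Size             int64
}

// parseHashSig picks the algorithm from the hash length: 32 hex digits md5, 40 sha1, 64 sha256.
func parseHashSig(line string) (hashSig, error) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) != 3 {
		return hashSig{}, fmt.Errorf("want 3 fields in %q", line)
	}
	h := strings.ToLower(f[0])
	algo, ok := map[int]string{32: "md5", 40: "sha1", 64: "sha256"}[len(h)]
	if !ok || strings.Trim(h, "0123456789abcdef") != "" {
		return hashSig{}, fmt.Errorf("%q is not a 32/40/64-digit hex hash", f[0])
	}
	size := int64(-1)
	if f[1] != "*" {
		n, err := strconv.ParseInt(f[1], 10, 64)
		if err != nil || n < 0 {
			return hashSig{}, fmt.Errorf("bad file size %q", f[1])
		}
		size = n
	}
	return hashSig{Algo: algo, Hash: h, Name: f[2], Size: size}, nil
}

// ruleNamer maps ClamAV names to unique YARA identifiers: anything outside [A-Za-z0-9_]
// becomes '_', a leading digit gets a '_' prefix, and an already used name gets the
// lowest free numeric suffix (_1, _2, ...), which is also checked for collisions.
type ruleNamer struct {
	used  map[string]bool
	count map[string]int
}

func (n *ruleNamer) Name(clam string) string {
	base := strings.Map(func(r rune) rune {
		if r == '_' || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
			return r
		}
		return '_'
	}, clam)
	if base == "" || (base[0] >= '0' && base[0] <= '9') {
		base = "_" + base
	}
	cand := base
	for n.used[cand] {
		n.count[base]++
		cand = fmt.Sprintf("%s_%d", base, n.count[base])
	}
	n.used[cand] = true
	return cand
}

// hashSigToYara renders one entry; the filesize test comes first so YARA only hashes
// files whose size already matches.
func hashSigToYara(s hashSig, name string) string {
	cond := fmt.Sprintf("hash.%s(0, filesize) == \"%s\"", s.Algo, s.Hash)
	if s.Size >= 0 {
		cond = fmt.Sprintf("filesize == %d and %s", s.Size, cond)
	}
	return fmt.Sprintf("rule %s\n{\n    condition:\n        %s\n}\n", name, cond)
}

// hashSigsToYara converts a whole HDB/HSB file; the hash module import is emitted once.
func hashSigsToYara(lines []string) (string, error) {
	var b strings.Builder
	b.WriteString("import \"hash\"\n")
	namer := &ruleNamer{used: map[string]bool{}, count: map[string]int{}}
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		s, err := parseHashSig(l)
		if err != nil {
			return "", err
		}
		b.WriteString("\n" + hashSigToYara(s, namer.Name(s.Name)))
	}
	return b.String(), nil
}

func main() {
	// Constructed sample entries (hashes of the empty input), not real ClamAV data.
	out, err := hashSigsToYara([]string{
		"d41d8cd98f00b204e9800998ecf8427e:0:Win.Trojan.Example",
		"da39a3ee5e6b4b0d3255bfef95601890afd80709:*:Win.Trojan.Example",
	})
	fmt.Println(out, err)
}
```

The suffix scheme produces the Name, Name_1, Name_2 pattern seen in the generated rule names; the extra collision check matters because ClamAV names that already end in _1 would otherwise clash with a generated suffix.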
This is visible when generating the rules from the main.cvd
2018/02/19 12:00:16 Downloading main definitions from https://sec51.com/definitions/main.cvd ...
2018/02/19 12:00:16 Download completed, proceeding with parsing.
2018/02/19 12:01:02 main.cvd parsing completed.
=========================
2018/02/19 12:01:02 Downloading daily definitions from https://sec51.com/definitions/daily.cvd ...
2018/02/19 12:01:02 Download completed, proceeding with parsing.
panic: runtime error: slice bounds out of range
goroutine 1 [running]:
main.extractFiles(0xc4201b2400, 0xb2, 0x200, 0x1, 0x0, 0x0, 0x0)
/home/corey/git/clamav-yara/definitions.go:296 +0xb61
main.(*DefinitionsManager).DownloadDefinitions(0xc42005c480, 0xc42000e001, 0x0, 0x0)
/home/corey/git/clamav-yara/definitions.go:237 +0x48b
main.downloadDefinitions(0xc42005c480)
/home/corey/git/clamav-yara/main.go:34 +0x98
main.main()
/home/corey/git/clamav-yara/main.go:19 +0x8e
https://sec51.com/definitions/main.cvd certificate expired in January 2017, thus clamav-yara can't proceed
Hello.
After parsing I have rules.
But I can't use them:
yara main_linux.yara /bin/ls
yara main_windows.yara prog.exe
I get the errors described below:
main_windows.yara(464362): warning: $signature in rule Win_Trojan_Lineage_85 is slowing down scanning
main_windows.yara(468844): warning: $signature in rule Win_Exploit_CVE_2006_4182_1 is slowing down scanning
main_windows.yara(804367): error: regular expression is too complex
main_windows.yara(804385): error: regular expression is too complex
main_windows.yara(821872): warning: $signature in rule Win_Trojan_SwizzorA_1 is slowing down scanning
main_windows.yara(821881): warning: $signature in rule Win_Trojan_Swizzor_607 is slowing down scanning
main_windows.yara(870184): warning: $signature in rule Win_Adware_Multiplug_3 is slowing down scanning
main_windows.yara(881315): error: invalid field name "virtual_address"