Browse code
bb11343: Adding yara-rules (yes|no|only) runtime option for clamscan.
Mickey Sola authored on 2015/07/24 04:36:16Showing 4 changed files
| ... | ... |
@@ -624,6 +624,17 @@ int scanmanager(const struct optstruct *opts) |
| 624 | 624 |
return 2; |
| 625 | 625 |
} |
| 626 | 626 |
|
| 627 |
+ if(optget(opts, "yara-rules")->enabled) {
|
|
| 628 |
+ char *p = optget(opts, "yara-rules")->strarg; |
|
| 629 |
+ if(strcmp(p, "yes")) {
|
|
| 630 |
+ if(!strcmp(p, "only")) |
|
| 631 |
+ dboptions |= CL_DB_YARA_ONLY; |
|
| 632 |
+ else if (!strcmp(p, "no")) |
|
| 633 |
+ dboptions |= CL_DB_YARA_EXCLUDE; |
|
| 634 |
+ } |
|
| 635 |
+ |
|
| 636 |
+ } |
|
| 637 |
+ |
|
| 627 | 638 |
if(optget(opts, "phishing-sigs")->enabled) |
| 628 | 639 |
dboptions |= CL_DB_PHISHING; |
| 629 | 640 |
|
| ... | ... |
@@ -135,6 +135,8 @@ typedef enum {
|
| 135 | 135 |
#define CL_DB_BYTECODE_STATS 0x20000 |
| 136 | 136 |
#define CL_DB_ENHANCED 0x40000 |
| 137 | 137 |
#define CL_DB_PCRE_STATS 0x80000 |
| 138 |
+#define CL_DB_YARA_EXCLUDE 0x100000 |
|
| 139 |
+#define CL_DB_YARA_ONLY 0x200000 |
|
| 138 | 140 |
|
| 139 | 141 |
/* recommended db settings */ |
| 140 | 142 |
#define CL_DB_STDOPT (CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_BYTECODE) |
| ... | ... |
@@ -4262,6 +4262,14 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo |
| 4262 | 4262 |
else |
| 4263 | 4263 |
dbname = filename; |
| 4264 | 4264 |
|
| 4265 |
+#ifdef HAVE_YARA |
|
| 4266 |
+ if(options & CL_DB_YARA_ONLY) {
|
|
| 4267 |
+ if(cli_strbcasestr(dbname, ".yar") || cli_strbcasestr(dbname, ".yara")) |
|
| 4268 |
+ ret = cli_loadyara(fs, engine, signo, options, dbio, filename); |
|
| 4269 |
+ else |
|
| 4270 |
+ skipped = 1; |
|
| 4271 |
+ } else |
|
| 4272 |
+#endif |
|
| 4265 | 4273 |
if(cli_strbcasestr(dbname, ".db")) {
|
| 4266 | 4274 |
ret = cli_loaddb(fs, engine, signo, options, dbio, dbname); |
| 4267 | 4275 |
|
| ... | ... |
@@ -4360,7 +4368,10 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo |
| 4360 | 4360 |
ret = cli_loadopenioc(fs, dbname, engine, options); |
| 4361 | 4361 |
#ifdef HAVE_YARA |
| 4362 | 4362 |
} else if(cli_strbcasestr(dbname, ".yar") || cli_strbcasestr(dbname, ".yara")) {
|
| 4363 |
- ret = cli_loadyara(fs, engine, signo, options, dbio, filename); |
|
| 4363 |
+ if(!(options & CL_DB_YARA_EXCLUDE)) |
|
| 4364 |
+ ret = cli_loadyara(fs, engine, signo, options, dbio, filename); |
|
| 4365 |
+ else |
|
| 4366 |
+ skipped = 1; |
|
| 4364 | 4367 |
#endif |
| 4365 | 4368 |
} else if(cli_strbcasestr(dbname, ".pwdb")) {
|
| 4366 | 4369 |
ret = cli_loadpwdb(fs, engine, options, 0, dbio); |
| ... | ... |
@@ -218,6 +218,8 @@ const struct clam_option __clam_options[] = {
|
| 218 | 218 |
|
| 219 | 219 |
{ "OfficialDatabaseOnly", "official-db-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Only load the official signatures published by the ClamAV project.", "no" },
|
| 220 | 220 |
|
| 221 |
+ { "YaraRules", "yara-rules", 0, CLOPT_TYPE_STRING, NULL, 0, NULL, 0, OPT_CLAMSCAN, "By default, yara rules will be loaded. This option allows you to exclude yara rules when scanning and also to scan only using yara rules. Valid options are yes|no|only", "yes"},
|
|
| 222 |
+ |
|
| 221 | 223 |
{ "LocalSocket", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Path to a local socket file the daemon will listen on.", "/tmp/clamd.socket" },
|
| 222 | 224 |
|
| 223 | 225 |
{ "LocalSocketGroup", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Sets the group ownership on the unix socket.", "virusgroup" },
|