...
|
...
|
@@ -3063,6 +3063,21 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3063
|
3063
|
(*sigs)--;
|
3064
|
3064
|
return CL_SUCCESS;
|
3065
|
3065
|
}
|
|
3066
|
+#else
|
|
3067
|
+ /*
|
|
3068
|
+ cli_warnmsg("load_oneyara: yara support is incomplete, rule flags are ignored\n");
|
|
3069
|
+
|
|
3070
|
+ if (RULE_IS_PRIVATE(rule))
|
|
3071
|
+ cli_yaramsg("RULE_IS_PRIVATE yes\n");
|
|
3072
|
+ if (RULE_IS_GLOBAL(rule))
|
|
3073
|
+ cli_yaramsg("RULE_IS_GLOBAL yes\n");
|
|
3074
|
+ if (RULE_IS_NULL(rule))
|
|
3075
|
+ cli_yaramsg("RULE_IS_NULL yes\n");
|
|
3076
|
+ if ((rule->g_flags) & RULE_GFLAGS_REQUIRE_FILE)
|
|
3077
|
+ cli_yaramsg("RULE_GFLAGS_REQUIRE_FILE yes\n");
|
|
3078
|
+ if ((rule->g_flags) & RULE_GFLAGS_REQUIRE_EXECUTABLE)
|
|
3079
|
+ cli_yaramsg("RULE_GFLAGS_REQUIRE_EXECUTABLE yes\n");
|
|
3080
|
+ */
|
3066
|
3081
|
#endif
|
3067
|
3082
|
|
3068
|
3083
|
if(engine->cb_sigload && engine->cb_sigload("yara", rule->id, ~options & CL_DB_OFFICIAL, engine->cb_sigload_ctx)) {
|
...
|
...
|
@@ -3085,6 +3100,9 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3085
|
3085
|
} else if (STRING_IS_LITERAL(string)) {
|
3086
|
3086
|
/* TODO - handle literal strings, short-circuits other string type handling */
|
3087
|
3087
|
cli_yaramsg("load_oneyara: literal string: [%s] => [%s]\n", string->string, substr);
|
|
3088
|
+#else
|
|
3089
|
+ } else if (STRING_IS_LITERAL(string)) {
|
|
3090
|
+ cli_errmsg("load_oneyara: literal strings are unsupported, reorganize existing code\n");
|
3088
|
3091
|
#endif
|
3089
|
3092
|
} else if (STRING_IS_HEX(string)) {
|
3090
|
3093
|
substr = parse_yara_hex_string(string, &ret);
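Review bot: The new `#else` branch `} else if (STRING_IS_LITERAL(string)) {` only calls `cli_errmsg` and then falls out of the if/else chain without recording the failure, so execution reaches the `strlen(substr)/2 < CLI_DEFAULT_AC_MINDEPTH` check (hunk at `@@ -3094`) with `substr` never assigned by this branch — a NULL or stale pointer dereference on any rule carrying a literal string, depending on how `substr` is initialized above the hunk. The other error paths in this loop bump the counter and leave, so this branch should do the same: `cli_errmsg("load_oneyara: literal strings are unsupported, reorganize existing code\n"); str_error++; break;`. The `#ifdef YARA_FINISHED` side above it has the same gap (its TODO comment says literal strings are not handled yet), so the guard belongs on both sides. load_oneyara begins and ends outside this hunk. Separately, the `#else` blocks added in the hunks at `@@ -3063` and `@@ -3212` wrap their diagnostics in `/* … */`, leaving commented-out code in the tree; either drop them or keep only the `cli_warnmsg` so the silent loss of rule and string flags is at least logged.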
|
...
|
...
|
@@ -3094,7 +3112,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3094
|
3094
|
break;
|
3095
|
3095
|
}
|
3096
|
3096
|
|
3097
|
|
- if (strlen(substr)/2 <= CLI_DEFAULT_AC_MINDEPTH) {
|
|
3097
|
+ if (strlen(substr)/2 < CLI_DEFAULT_AC_MINDEPTH) {
|
3098
|
3098
|
cli_warnmsg("load_oneyara: string is too short %s\n", string->id);
|
3099
|
3099
|
str_error++;
|
3100
|
3100
|
free(substr);
|
...
|
...
|
@@ -3130,7 +3148,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3130
|
3130
|
size_t length = strlen(string->string);
|
3131
|
3131
|
size_t totsize = 2*length+1;
|
3132
|
3132
|
|
3133
|
|
- if (length <= CLI_DEFAULT_AC_MINDEPTH) {
|
|
3133
|
+ if (length < CLI_DEFAULT_AC_MINDEPTH) {
|
3134
|
3134
|
cli_warnmsg("load_oneyara: string is too short %s\n", string->id);
|
3135
|
3135
|
str_error++;
|
3136
|
3136
|
continue;
|
...
|
...
|
@@ -3160,7 +3178,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3160
|
3160
|
if (STRING_IS_NO_CASE(string)) {
|
3161
|
3161
|
cli_yaramsg("STRING_IS_NO_CASE %s\n", STRING_IS_SINGLE_MATCH(string) ? "yes" : "no");
|
3162
|
3162
|
if ((ret = ytable_add_attrib(&ytable, NULL, "i", 1)) != CL_SUCCESS) {
|
3163
|
|
- cli_yaramsg("ytable_add_string: failed to add 'nocase' sigopt\n");
|
|
3163
|
+ cli_yaramsg("load_oneyara: failed to add 'nocase' sigopt\n");
|
3164
|
3164
|
str_error++;
|
3165
|
3165
|
break;
|
3166
|
3166
|
}
|
...
|
...
|
@@ -3173,20 +3191,28 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3173
|
3173
|
/* support is not implemented, caught by cli_ac_addsig() */
|
3174
|
3174
|
/* might want to redefine the string here or something */
|
3175
|
3175
|
cli_yaramsg("STRING_IS_WIDE %s\n", STRING_IS_SINGLE_MATCH(string) ? "yes" : "no");
|
|
3176
|
+#ifdef YARA_FINISHED
|
3176
|
3177
|
if ((ret = ytable_add_attrib(&ytable, NULL, "w", 1)) != CL_SUCCESS) {
|
3177
|
|
- cli_yaramsg("ytable_add_string: failed to add 'wide' sigopt\n");
|
|
3178
|
+ cli_yaramsg("load_oneyara: failed to add 'wide' sigopt\n");
|
3178
|
3179
|
str_error++;
|
3179
|
3180
|
break;
|
3180
|
3181
|
}
|
|
3182
|
+#else
|
|
3183
|
+ cli_warnmsg("load_oneyara: yara support is incomplete, 'wide' keyword is unsupported\n");
|
|
3184
|
+#endif
|
3181
|
3185
|
}
|
3182
|
3186
|
if (STRING_IS_FULL_WORD(string)) {
|
3183
|
3187
|
/* support is not implemented, caught by cli_ac_addsig() */
|
3184
|
3188
|
cli_yaramsg("STRING_IS_FULL_WORD %s\n", STRING_IS_SINGLE_MATCH(string) ? "yes" : "no");
|
|
3189
|
+#ifdef YARA_FINISHED
|
3185
|
3190
|
if ((ret = ytable_add_attrib(&ytable, NULL, "f", 1)) != CL_SUCCESS) {
|
3186
|
|
- cli_yaramsg("ytable_add_string: failed to add 'fullword' sigopt\n");
|
|
3191
|
+ cli_yaramsg("load_oneyara: failed to add 'fullword' sigopt\n");
|
3187
|
3192
|
str_error++;
|
3188
|
3193
|
break;
|
3189
|
3194
|
}
|
|
3195
|
+#else
|
|
3196
|
+ cli_warnmsg("load_oneyara: yara support is incomplete, 'fullword' keyword is unsupported\n");
|
|
3197
|
+#endif
|
3190
|
3198
|
}
|
3191
|
3199
|
|
3192
|
3200
|
#ifdef YARA_FINISHED
|
...
|
...
|
@@ -3212,6 +3238,24 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3212
|
3212
|
str_error++;
|
3213
|
3213
|
continue;
|
3214
|
3214
|
}
|
|
3215
|
+#else
|
|
3216
|
+ /*
|
|
3217
|
+ cli_warnmsg("load_oneyara: yara support is incomplete, rule flags are ignored\n");
|
|
3218
|
+ if (STRING_IS_ANONYMOUS(string))
|
|
3219
|
+ cli_yaramsg("STRING_IS_ANONYMOUS yes\n");
|
|
3220
|
+ if (STRING_IS_SINGLE_MATCH(string))
|
|
3221
|
+ cli_yaramsg("STRING_IS_SINGLE_MATCH yes\n");
|
|
3222
|
+ if (STRING_IS_REFERENCED(string))
|
|
3223
|
+ cli_yaramsg("STRING_IS_REFERENCED yes\n");
|
|
3224
|
+ if (STRING_IS_FAST_HEX_REGEXP(string))
|
|
3225
|
+ cli_yaramsg("STRING_IS_FAST_HEX_REGEXP yes\n");
|
|
3226
|
+ if (STRING_IS_CHAIN_PART(string))
|
|
3227
|
+ cli_yaramsg("STRING_IS_CHAIN_PART yes\n");
|
|
3228
|
+ if (STRING_IS_CHAIN_TAIL(string))
|
|
3229
|
+ cli_yaramsg("STRING_IS_CHAIN_TAIL yes\n");
|
|
3230
|
+ if (STRING_FITS_IN_ATOM(string))
|
|
3231
|
+ cli_yaramsg("STRING_FITS_IN_ATOM yes\n");
|
|
3232
|
+ */
|
3215
|
3233
|
#endif
|
3216
|
3234
|
}
|
3217
|
3235
|
|
...
|
...
|
@@ -3844,8 +3888,8 @@ int cl_load(const char *path, struct cl_engine *engine, unsigned int *signo, uns
|
3844
|
3844
|
cli_yaramsg("$$$$$$$$$$$$ YARA $$$$$$$$$$$$\n");
|
3845
|
3845
|
cli_yaramsg("\tTotal Rules: %u\n", yara_total);
|
3846
|
3846
|
cli_yaramsg("\tRules Loaded: %u\n", yara_loaded);
|
3847
|
|
- cli_yaramsg("\tComplex conditions: %u\n", yara_complex);
|
3848
|
|
- cli_yaramsg("\tMalformed strings: %u\n", yara_malform);
|
|
3847
|
+ cli_yaramsg("\tComplex Conditions: %u\n", yara_complex);
|
|
3848
|
+ cli_yaramsg("\tMalformed/Unsupported Rules: %u\n", yara_malform);
|
3849
|
3849
|
cli_yaramsg("$$$$$$$$$$$$ YARA $$$$$$$$$$$$\n");
|
3850
|
3850
|
}
|
3851
|
3851
|
#endif
|