Browse code
cleaned out excess yara messages
Kevin Lin authored on 2015/02/14 05:32:32Showing 1 changed files
| ... | ... |
@@ -3063,6 +3063,21 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
| 3063 | 3063 |
(*sigs)--; |
| 3064 | 3064 |
return CL_SUCCESS; |
| 3065 | 3065 |
} |
| 3066 |
+#else |
|
| 3067 |
+ /* |
|
| 3068 |
+ cli_warnmsg("load_oneyara: yara support is incomplete, rule flags are ignored\n");
|
|
| 3069 |
+ |
|
| 3070 |
+ if (RULE_IS_PRIVATE(rule)) |
|
| 3071 |
+ cli_yaramsg("RULE_IS_PRIVATE yes\n");
|
|
| 3072 |
+ if (RULE_IS_GLOBAL(rule)) |
|
| 3073 |
+ cli_yaramsg("RULE_IS_GLOBAL yes\n");
|
|
| 3074 |
+ if (RULE_IS_NULL(rule)) |
|
| 3075 |
+ cli_yaramsg("RULE_IS_NULL yes\n");
|
|
| 3076 |
+ if ((rule->g_flags) & RULE_GFLAGS_REQUIRE_FILE) |
|
| 3077 |
+ cli_yaramsg("RULE_GFLAGS_REQUIRE_FILE yes\n");
|
|
| 3078 |
+ if ((rule->g_flags) & RULE_GFLAGS_REQUIRE_EXECUTABLE) |
|
| 3079 |
+ cli_yaramsg("RULE_GFLAGS_REQUIRE_EXECUTABLE yes\n");
|
|
| 3080 |
+ */ |
|
| 3066 | 3081 |
#endif |
| 3067 | 3082 |
|
| 3068 | 3083 |
if(engine->cb_sigload && engine->cb_sigload("yara", rule->id, ~options & CL_DB_OFFICIAL, engine->cb_sigload_ctx)) {
|
| ... | ... |
@@ -3085,6 +3100,9 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
| 3085 | 3085 |
} else if (STRING_IS_LITERAL(string)) {
|
| 3086 | 3086 |
/* TODO - handle literal strings, short-circuits other string type handling */ |
| 3087 | 3087 |
cli_yaramsg("load_oneyara: literal string: [%s] => [%s]\n", string->string, substr);
|
| 3088 |
+#else |
|
| 3089 |
+ } else if (STRING_IS_LITERAL(string)) {
|
|
| 3090 |
+ cli_errmsg("load_oneyara: literal strings are unsupported, reorganize existing code\n");
|
|
| 3088 | 3091 |
#endif |
| 3089 | 3092 |
} else if (STRING_IS_HEX(string)) {
|
| 3090 | 3093 |
substr = parse_yara_hex_string(string, &ret); |
| ... | ... |
@@ -3094,7 +3112,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
| 3094 | 3094 |
break; |
| 3095 | 3095 |
} |
| 3096 | 3096 |
|
| 3097 |
- if (strlen(substr)/2 <= CLI_DEFAULT_AC_MINDEPTH) {
|
|
| 3097 |
+ if (strlen(substr)/2 < CLI_DEFAULT_AC_MINDEPTH) {
|
|
| 3098 | 3098 |
cli_warnmsg("load_oneyara: string is too short %s\n", string->id);
|
| 3099 | 3099 |
str_error++; |
| 3100 | 3100 |
free(substr); |
| ... | ... |
@@ -3130,7 +3148,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
| 3130 | 3130 |
size_t length = strlen(string->string); |
| 3131 | 3131 |
size_t totsize = 2*length+1; |
| 3132 | 3132 |
|
| 3133 |
- if (length <= CLI_DEFAULT_AC_MINDEPTH) {
|
|
| 3133 |
+ if (length < CLI_DEFAULT_AC_MINDEPTH) {
|
|
| 3134 | 3134 |
cli_warnmsg("load_oneyara: string is too short %s\n", string->id);
|
| 3135 | 3135 |
str_error++; |
| 3136 | 3136 |
continue; |
| ... | ... |
@@ -3160,7 +3178,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
| 3160 | 3160 |
if (STRING_IS_NO_CASE(string)) {
|
| 3161 | 3161 |
cli_yaramsg("STRING_IS_NO_CASE %s\n", STRING_IS_SINGLE_MATCH(string) ? "yes" : "no");
|
| 3162 | 3162 |
if ((ret = ytable_add_attrib(&ytable, NULL, "i", 1)) != CL_SUCCESS) {
|
| 3163 |
- cli_yaramsg("ytable_add_string: failed to add 'nocase' sigopt\n");
|
|
| 3163 |
+ cli_yaramsg("load_oneyara: failed to add 'nocase' sigopt\n");
|
|
| 3164 | 3164 |
str_error++; |
| 3165 | 3165 |
break; |
| 3166 | 3166 |
} |
| ... | ... |
@@ -3173,20 +3191,28 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
| 3173 | 3173 |
/* support is not implemented, caught by cli_ac_addsig() */ |
| 3174 | 3174 |
/* might want to redefine the string here or something */ |
| 3175 | 3175 |
cli_yaramsg("STRING_IS_WIDE %s\n", STRING_IS_SINGLE_MATCH(string) ? "yes" : "no");
|
| 3176 |
+#ifdef YARA_FINISHED |
|
| 3176 | 3177 |
if ((ret = ytable_add_attrib(&ytable, NULL, "w", 1)) != CL_SUCCESS) {
|
| 3177 |
- cli_yaramsg("ytable_add_string: failed to add 'wide' sigopt\n");
|
|
| 3178 |
+ cli_yaramsg("load_oneyara: failed to add 'wide' sigopt\n");
|
|
| 3178 | 3179 |
str_error++; |
| 3179 | 3180 |
break; |
| 3180 | 3181 |
} |
| 3182 |
+#else |
|
| 3183 |
+ cli_warnmsg("load_oneyara: yara support is incomplete, 'wide' keyword is unsupported\n");
|
|
| 3184 |
+#endif |
|
| 3181 | 3185 |
} |
| 3182 | 3186 |
if (STRING_IS_FULL_WORD(string)) {
|
| 3183 | 3187 |
/* support is not implemented, caught by cli_ac_addsig() */ |
| 3184 | 3188 |
cli_yaramsg("STRING_IS_FULL_WORD %s\n", STRING_IS_SINGLE_MATCH(string) ? "yes" : "no");
|
| 3189 |
+#ifdef YARA_FINISHED |
|
| 3185 | 3190 |
if ((ret = ytable_add_attrib(&ytable, NULL, "f", 1)) != CL_SUCCESS) {
|
| 3186 |
- cli_yaramsg("ytable_add_string: failed to add 'fullword' sigopt\n");
|
|
| 3191 |
+ cli_yaramsg("load_oneyara: failed to add 'fullword' sigopt\n");
|
|
| 3187 | 3192 |
str_error++; |
| 3188 | 3193 |
break; |
| 3189 | 3194 |
} |
| 3195 |
+#else |
|
| 3196 |
+ cli_warnmsg("load_oneyara: yara support is incomplete, 'fullword' keyword is unsupported\n");
|
|
| 3197 |
+#endif |
|
| 3190 | 3198 |
} |
| 3191 | 3199 |
|
| 3192 | 3200 |
#ifdef YARA_FINISHED |
| ... | ... |
@@ -3212,6 +3238,24 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
| 3212 | 3212 |
str_error++; |
| 3213 | 3213 |
continue; |
| 3214 | 3214 |
} |
| 3215 |
+#else |
|
| 3216 |
+ /* |
|
| 3217 |
+ cli_warnmsg("load_oneyara: yara support is incomplete, rule flags are ignored\n");
|
|
| 3218 |
+ if (STRING_IS_ANONYMOUS(string)) |
|
| 3219 |
+ cli_yaramsg("STRING_IS_ANONYMOUS yes\n");
|
|
| 3220 |
+ if (STRING_IS_SINGLE_MATCH(string)) |
|
| 3221 |
+ cli_yaramsg("STRING_IS_SINGLE_MATCH yes\n");
|
|
| 3222 |
+ if (STRING_IS_REFERENCED(string)) |
|
| 3223 |
+ cli_yaramsg("STRING_IS_REFERENCED yes\n");
|
|
| 3224 |
+ if (STRING_IS_FAST_HEX_REGEXP(string)) |
|
| 3225 |
+ cli_yaramsg("STRING_IS_FAST_HEX_REGEXP yes\n");
|
|
| 3226 |
+ if (STRING_IS_CHAIN_PART(string)) |
|
| 3227 |
+ cli_yaramsg("STRING_IS_CHAIN_PART yes\n");
|
|
| 3228 |
+ if (STRING_IS_CHAIN_TAIL(string)) |
|
| 3229 |
+ cli_yaramsg("STRING_IS_CHAIN_TAIL yes\n");
|
|
| 3230 |
+ if (STRING_FITS_IN_ATOM(string)) |
|
| 3231 |
+ cli_yaramsg("STRING_FITS_IN_ATOM yes\n");
|
|
| 3232 |
+ */ |
|
| 3215 | 3233 |
#endif |
| 3216 | 3234 |
} |
| 3217 | 3235 |
|
| ... | ... |
@@ -3844,8 +3888,8 @@ int cl_load(const char *path, struct cl_engine *engine, unsigned int *signo, uns |
| 3844 | 3844 |
cli_yaramsg("$$$$$$$$$$$$ YARA $$$$$$$$$$$$\n");
|
| 3845 | 3845 |
cli_yaramsg("\tTotal Rules: %u\n", yara_total);
|
| 3846 | 3846 |
cli_yaramsg("\tRules Loaded: %u\n", yara_loaded);
|
| 3847 |
- cli_yaramsg("\tComplex conditions: %u\n", yara_complex);
|
|
| 3848 |
- cli_yaramsg("\tMalformed strings: %u\n", yara_malform);
|
|
| 3847 |
+ cli_yaramsg("\tComplex Conditions: %u\n", yara_complex);
|
|
| 3848 |
+ cli_yaramsg("\tMalformed/Unsupported Rules: %u\n", yara_malform);
|
|
| 3849 | 3849 |
cli_yaramsg("$$$$$$$$$$$$ YARA $$$$$$$$$$$$\n");
|
| 3850 | 3850 |
} |
| 3851 | 3851 |
#endif |