
Exclude YARA rules containing strings subject to ClamAV's minimum length constraints.

Steven Morgan authored on 2014/12/11 20:58:29
Showing 1 changed files
... ...
@@ -2808,6 +2808,7 @@ static int cli_loadyara(FILE *fs, const char *dbname, struct cl_engine *engine,
2808 2808
     size_t nstrings, i, allstringsize, totsize;
2809 2809
     char *rulestr, *ruledup;
2810 2810
     unsigned int sigs;
2811
+    uint8_t has_short_string;
2811 2812
 
2812 2813
     if((rc = cli_initroots(engine, options)))
2813 2814
         return rc;
... ...
@@ -2875,6 +2876,7 @@ static int cli_loadyara(FILE *fs, const char *dbname, struct cl_engine *engine,
2875 2875
 
2876 2876
         strcat(rulestr, ");");
2877 2877
 
2878
+        has_short_string = 0;
2878 2879
         while (!STAILQ_EMPTY(&rule->strings)) {
2879 2880
             string = STAILQ_FIRST(&rule->strings);
2880 2881
             STAILQ_REMOVE(&rule->strings, string, _yc_string, link);
... ...
@@ -2888,6 +2890,8 @@ static int cli_loadyara(FILE *fs, const char *dbname, struct cl_engine *engine,
2888 2888
                 cli_errmsg("Yara hex string: \"%s\"\n", substr);
2889 2889
 #endif
2890 2890
                 if (substr) {
2891
+                    if (strlen(substr)/2 <= CLI_DEFAULT_AC_MINDEPTH)  //FIXME: Yara has no length minimum
2892
+                        has_short_string = 1;
2891 2893
                     snprintf(rulestr+len, totsize-len, "%s", substr);
2892 2894
                     free(substr);
2893 2895
                 }
... ...
@@ -2898,6 +2902,8 @@ static int cli_loadyara(FILE *fs, const char *dbname, struct cl_engine *engine,
2898 2898
 #endif
2899 2899
                 snprintf(rulestr+len, totsize-len, "%s/%s/", PCRE_BYPASS, string->string);
2900 2900
             } else {
2901
+                if (strlen(string->string) <= CLI_DEFAULT_AC_MINDEPTH) //FIXME: Yara has no length minimum
2902
+                    has_short_string = 1;
2901 2903
                 for (i=0; i < strlen(string->string); i++) {
2902 2904
                     size_t len = strlen(rulestr);
2903 2905
                     snprintf(rulestr+len, totsize-len, "%02x", string->string[i]);
... ...
@@ -2929,16 +2935,21 @@ static int cli_loadyara(FILE *fs, const char *dbname, struct cl_engine *engine,
2929 2929
 
2930 2930
         strcpy(ruledup, rulestr);
2931 2931
 
2932
+        if (has_short_string == 0) {
2932 2933
 #if 1
2933
-        rc = load_oneldb(rulestr,
2934
-             engine->pua_cats && (options & CL_DB_PUA_MODE) && (options & (CL_DB_PUA_INCLUDE | CL_DB_PUA_EXCLUDE)),
2935
-             engine, options, rule->id, line++, &sigs, 0, ruledup, NULL);
2934
+            rc = load_oneldb(rulestr,
2935
+                 engine->pua_cats && (options & CL_DB_PUA_MODE) && (options & (CL_DB_PUA_INCLUDE | CL_DB_PUA_EXCLUDE)),
2936
+                 engine, options, rule->id, line++, &sigs, 0, ruledup, NULL);
2936 2937
 #endif
2937 2938
 
2939
+        }
2940
+        else {
2941
+            cli_errmsg("cli_loadyara: has short strings, rule %s excluded\n", rulestr);
2942
+        }
2938 2943
         printf("totsize: %zu\treal size: %zu\n", totsize, strlen(ruledup));
2944
+
2939 2945
         free(rulestr);
2940 2946
         free(ruledup);
2941
-
2942 2947
         free(rule->id);
2943 2948
         free(rule);
2944 2949
         if (rc != CL_SUCCESS)
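Review bot: The excluded-rule message in the last hunk is emitted with cli_errmsg and prints the whole generated rulestr, although skipping a rule is a deliberate policy outcome rather than a failure, and the translated signature text is far less useful to an operator than the rule's id that load_oneldb is given; consider `cli_warnmsg("cli_loadyara: rule %s has strings shorter than the minimum length, rule excluded\n", rule->id);` so logs name the YARA rule that will no longer match anything. The comparisons `strlen(substr)/2 <= CLI_DEFAULT_AC_MINDEPTH` and `strlen(string->string) <= CLI_DEFAULT_AC_MINDEPTH` also reject strings that are exactly CLI_DEFAULT_AC_MINDEPTH bytes long; if that constant is meant as the inclusive minimum, `<` is the intended operator, and a one-line comment stating which reading applies would settle it. For hex strings, strlen(substr)/2 is only the byte length when substr is plain hex digits, so it presumably overcounts if the converted hex string can carry wildcard or jump characters — worth confirming against the converter. In the excluded branch rc is not assigned, so the `if (rc != CL_SUCCESS)` that follows relies on the value left by the previous iteration or by cli_initroots; cli_loadyara begins and ends outside the hunk.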