Bug 11552 - [clamav-users] Strange problem with custom Yara rule
Status: RESOLVED FIXED
Product: ClamAV
Classification: ClamAV
Component: libclamav
ALL
x86_64 GNU/Linux
P3 normal
Assigned To: Kevin Lin
Reported: 2016-04-13 12:56 EDT by Steven Morgan
Modified: 2016-04-13 13:32 EDT (History)
Attachments
Patch (1.05 KB, patch)
2016-04-13 13:32 EDT, Kevin Lin

Description Steven Morgan 2016-04-13 12:56:32 EDT
kionez <kionez@gmail.com> reports:

#include <Steven Morgan.h>    // created 13/04/2016 16:37
> Hi,
>
> The first question is: Do you have pcre installed and was it found by
> ClamAV .\configure?

[cut]

Oops, I forgot to mention my system configuration... sorry.

I'm using it on my antispam server with Debian Jessie (with clamav
0.99+dfsg-0+deb8u2 and libpcre3 8.35-3.3+deb8u4) and also testing on my
laptop with Arch Linux (clamav 0.99.1-2 and pcre 8.38-3). I tried to
recompile clamav on my laptop and it finds pcre in /usr, as expected.

I think that pcre works fine, because I can match patterns on the email's
content, but not in the email headers (i.e. X-Mailer:, From:, etc.)

I'll try to explain with an example; on http://pastebin.com/gixrDAXq you
should find the 3 files used (a simple email and two custom rulesets).

using rules from Yara:

$ yara -s test_header.yara test.eml
Header_string test.eml
0x1f1:$match: pass
0x2a2:$match: pass
Header_Regex test.eml
0x1f1:$match: pass
0x2a2:$match: pass

$ yara -s test_body.yara test.eml
Body_string test.eml
0x440:$match: test mailing
Body_Regex test.eml
0x440:$match: test mailing

using rules from clamav:

$ clamscan --no-summary -d test_header.yara -z test.eml
test.eml: YARA.Header_string.UNOFFICIAL FOUND

$ clamscan --no-summary -d test_body.yara -z test.eml
test.eml: YARA.Body_string.UNOFFICIAL FOUND
test.eml: YARA.Body_Regex.UNOFFICIAL FOUND

I think that test_header.yara has to match the "pass" string in the header
part with that simple regex. I'm trying to debug it but my code
knowledge is limited; it seems that every time a regex is used, the
header part is not parsed by clamav (also if I use a "string" rule with
a "regex" rule, i.e. $match_string and $match_regex).
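A differential check a practitioner could run after a fix like this one, added here as an example and not part of the bug report or of ClamAV's code: it parses the `yara -s` and `clamscan` output formats shown above and lists the rules YARA matched that ClamAV did not report. The sample output is copied from the report; the offsets are the reporter's, not regenerated.

```python
import re

# Constructed sample: the header-rule outputs from the report above.
YARA_OUTPUT = """\
Header_string test.eml
0x1f1:$match: pass
0x2a2:$match: pass
Header_Regex test.eml
0x1f1:$match: pass
0x2a2:$match: pass
"""

CLAMSCAN_OUTPUT = """\
test.eml: YARA.Header_string.UNOFFICIAL FOUND
"""

# `yara -s` prints "<rule> <file>" followed by one "<offset>:$<id>: <data>"
# line per string hit; the hit lines never match the rule-line pattern
# because the offset contains a colon.
YARA_RULE_LINE = re.compile(r"^(?P<rule>\w+) (?P<file>\S+)$")
YARA_HIT_LINE = re.compile(r"^0x[0-9a-fA-F]+:\$\w+: ")
# clamscan names a loaded YARA rule "YARA.<rule>.UNOFFICIAL".
CLAM_LINE = re.compile(r"^(?P<file>.+?): YARA\.(?P<rule>\w+)\.UNOFFICIAL FOUND$")


def parse_yara(output):
    """Return {rule: number_of_string_hits} for every rule YARA matched."""
    hits = {}
    current = None
    for line in output.splitlines():
        m = YARA_RULE_LINE.match(line)
        if m:
            current = m.group("rule")
            hits[current] = 0
        elif YARA_HIT_LINE.match(line) and current is not None:
            hits[current] += 1
    return hits


def parse_clamscan(output):
    """Return the set of YARA rule names clamscan reported as FOUND."""
    return {m.group("rule") for m in map(CLAM_LINE.match, output.splitlines()) if m}


def missed_by_clamav(yara_output, clam_output):
    """Rules YARA matched that clamscan did not report, sorted by name."""
    return sorted(set(parse_yara(yara_output)) - parse_clamscan(clam_output))


if __name__ == "__main__":
    print(missed_by_clamav(YARA_OUTPUT, CLAMSCAN_OUTPUT))
```

Feeding it the body-rule outputs from the report yields an empty list, which is the expected result once both engines agree.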
Comment 1 Steven Morgan 2016-04-13 13:02:19 EDT
Sample:

--------------------------------------------------------------------------------------------------------------------
content of test.eml
--------------------------------------------------------------------------------------------------------------------
Delivered-To: kionez@gmail.com
Received: by 10.25.83.77 with SMTP id h74csp11258lfb;
        Wed, 13 Apr 2016 07:55:02 -0700 (PDT)
X-Received: by 10.194.58.195 with SMTP id t3mr9894255wjq.97.1460559302694;
        Wed, 13 Apr 2016 07:55:02 -0700 (PDT)
Return-Path: <HIDDEN@HIDDEN.DEV>
Received: from HIDDEN (HIDDEN. [1.2.3.4])
        by mx.google.com with ESMTP id p9si17935556wjf.86.2016.04.13.07.55.02
        for <kionez@gmail.com>;
        Wed, 13 Apr 2016 07:55:02 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of HIDDEN@HIDDEN.DEV designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of HIDDEN@HIDDEN.DEV designates 1.2.3.4 as permitted sender) smtp.mailfrom=HIDDEN@HIDDEN.DEV
Message-Id: <570e5dc6.e917c20a.9fe64.4f2eSMTPIN_ADDED_MISSING@mx.google.com>
Date: Wed, 13 Apr 2016 16:55:03 +0200
To: kionez@gmail.com
From: HIDDEN@HIDDEN.DEV
Subject: test Wed, 13 Apr 2016 16:55:03 +0200
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 
This is a test mailing
 
--------------------------------------------------------------------------------------------------------------------
content of test_header.yara
--------------------------------------------------------------------------------------------------------------------
rule Header_string
{
    strings:
        $match = "pass"
    condition:
        $match
}
 
rule Header_Regex
{
    strings:
        $match = /pass/
    condition:
        $match
}
--------------------------------------------------------------------------------------------------------------------
content of test_body.yara
--------------------------------------------------------------------------------------------------------------------
rule Body_string
{
    strings:
        $match = "test mailing"
    condition:
        $match
}
 
rule Body_Regex
{
    strings:
        $match = /test mailing/
    condition:
        $match
}

--------------------------------------------------------------------------------------------------------------------
Comment 2 Kevin Lin 2016-04-13 13:29:53 EDT
ClamAV, in order to optimize the AC algorithm execution, runs the filetype signatures alongside the malware detection signatures. ClamAV is set to immediately return after AC execution if a filetype signature detection occurs. This unfortunately causes the engine to skip PCRE signature execution.

The solution would be to force performing PCRE signature execution if the matcher is set to perform virus scanning. Skipping PCRE execution would only occur if a virus is detected and 'allmatch' is disabled or if the matcher_run is only for filetyping.

This solution has been applied with commit clamav-0.99-beta1-443-g6565fe4 in the master branch on Wed Apr 13 13:16:24 2016 -0400.

A patch will be submitted shortly.
Comment 3 Kevin Lin 2016-04-13 13:32:04 EDT
Created attachment 7110 [details]
Patch

Patch implementing the solution in Comment #2.
Comment 4 Kevin Lin 2016-04-13 13:32:24 EDT
Marking resolved fixed.