Found it!
https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/
see "rule Suspicious_Size_chrome_exe" and others...
Assumed it was a "legal" keyword.
On 08/11/2016 07:26 PM, Axb wrote:
I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...
Will try to find it again.
On 08/11/2016 05:08 PM, Steven Morgan wrote:
filename does not appear as a yara keyword:
http://yara.readthedocs.io/en/latest/writingrules.html
Is it a new keyword not yet in a released version of yara? Did you mean
filesize?
On Thu, Aug 11, 2016 at 5:21 AM, Axb <axb.li...@gmail.com> wrote:
Guys,
clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error count 1
test.yar: OK
blah.html: OK
test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}
Am I missing something? or is filename unsupported by ClamAV's YARA
engine?
Thanks!
Axb
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
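
An added example, not part of the original thread and not ClamAV or YARA project code: a heuristic Python check that lists, per rule, the identifiers in the condition that are neither YARA keywords, imported modules, rule names nor loop variables, which is what the "undefined identifier" error above reports. YARA accepts such a name only when the scanning program defines it as an external variable. The function name and the second sample rule are constructed for illustration.

```python
import re

# Reserved words from the YARA "Writing YARA rules" documentation.
YARA_KEYWORDS = set("""
all and any ascii at base64 base64wide condition contains defined endswith
entrypoint false filesize for fullword global import icontains iendswith
iequals in include int16 int16be int32 int32be int8 int8be istartswith
matches meta nocase none not of or private rule startswith strings them true
uint16 uint16be uint32 uint32be uint8 uint8be wide xor
""".split())

# Quoted strings, comments and /regex/ literals are blanked before scanning.
LITERAL_OR_COMMENT = re.compile(
    r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|/(?:\\.|[^/\\\n])+/[is]*', re.S)
# Bare identifiers only: skips $a #a @a !a references and module.member names.
IDENT = re.compile(r"(?<![\w$#@!.])[A-Za-z_]\w*")
# Heuristic: a condition runs from "condition:" to the next closing brace.
RULE = re.compile(r"\brule\s+(\w+).*?\bcondition\s*:(.*?)\}", re.S)

def undefined_identifiers(rules_text):
    """Return {rule_name: [names the scanning program would have to define]}."""
    modules = set(re.findall(r'\bimport\s+"(\w+)"', rules_text))
    text = LITERAL_OR_COMMENT.sub(" ", rules_text)
    rule_names = set(re.findall(r"\brule\s+(\w+)", text))
    findings = {}
    for name, cond in RULE.findall(text):
        loop_vars = set(re.findall(r"\b(\w+)\s+in\b", cond))
        known = YARA_KEYWORDS | modules | rule_names | loop_vars
        unknown = []
        for ident in IDENT.findall(cond):
            if ident not in known and ident not in unknown:
                unknown.append(ident)
        if unknown:
            findings[name] = unknown
    return findings

# First rule is the one posted in the thread; the second is constructed.
SAMPLE = r'''
rule TEST_BLAH_FILENAME
{ strings: $BLAH = "blah"
  condition: $BLAH and filename == "blah.html" }
rule CONSTRUCTED_SIZE_ONLY
{ strings: $a = "blah"
  condition: $a and filesize < 100KB }
'''

if __name__ == "__main__":
    for rule, names in undefined_identifiers(SAMPLE).items():
        print(f"{rule}: scanner must define {', '.join(names)}")
```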