Hi and thanks for the follow-up. As I understand it, this is a limitation
of ClamAV's parser for YARA rules. If this is the case there's little we
can do on the Ubuntu side to add support for it, and I'd suggest you
file a bug or feature request with ClamAV upstream.

This is what I deduced from some digging into issues and mailing list
discussions, but I couldn't find a clear statement about uint32be not
being supported; we still have a question mark here. Do you have reasons
to expect uint32be to be supported by ClamAV?

(I am not familiar at all with YARA rules, but I assume that uint32be is
a type cast to Unsigned Integer 32-bit Big Endian. In your example above
conditions like

  uint32be(0) == 0x7B5C7274

look like odd "always false" conditions to me, but again I don't really
know.)

** Changed in: clamav (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1883857

Title:
  Not supported "uint32be" condition in yara rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1883857/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
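
Added example, not part of the original message and not ClamAV or YARA code: in YARA, uint32be(offset) reads four bytes at that file offset as a big-endian unsigned integer, so the comparison holds for files that start with exactly those bytes. The Python sketch below evaluates conditions of this shape over constructed buffers; all function names are hypothetical.

```python
import re
import struct

# YARA integer-read functions: name -> (struct format, width in bytes).
# The plain names read little-endian, the "be" names read big-endian.
_READERS = {
    "uint8": ("<B", 1), "uint16": ("<H", 2), "uint32": ("<I", 4),
    "uint8be": (">B", 1), "uint16be": (">H", 2), "uint32be": (">I", 4),
}

_COND = re.compile(
    r"^\s*(uint(?:8|16|32)(?:be)?)\(\s*(0x[0-9A-Fa-f]+|\d+)\s*\)"
    r"\s*==\s*(0x[0-9A-Fa-f]+|\d+)\s*$"
)


def read_uint(name, data, offset):
    """Return the integer at offset, or None when the read falls outside
    the data (YARA treats such a read as undefined)."""
    fmt, width = _READERS[name]
    if offset < 0 or offset + width > len(data):
        return None
    return struct.unpack_from(fmt, data, offset)[0]


def eval_condition(cond, data):
    """Evaluate one `uintNN[be](offset) == constant` condition."""
    m = _COND.match(cond)
    if m is None:
        raise ValueError("unsupported condition: %r" % cond)
    name, offset, expected = m.group(1), int(m.group(2), 0), int(m.group(3), 0)
    value = read_uint(name, data, offset)
    return value is not None and value == expected


def magic_bytes(name, constant):
    """Bytes that must sit at the offset for the comparison to hold."""
    fmt, _ = _READERS[name]
    return struct.pack(fmt, constant)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bug report.
    rtf = b"{\\rtf1\\ansi sample}"
    other = b"%PDF-1.7\n"
    cond = "uint32be(0) == 0x7B5C7274"
    print(magic_bytes("uint32be", 0x7B5C7274))
    print(eval_condition(cond, rtf), eval_condition(cond, other))
```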
