JusticeRage / Manalyze

A static analyzer for PE executables.


Unable to parse ClamAV signatures

BlackHoneyBear opened this issue · comments

C:\Users\50CAL\Manalyze\bin\yara_rules>python update_clamav_signatures.py
Downloading: main.cvd Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
Downloading: daily.cvd Bytes: 41899296
Rule Eicar-Test-Signature already exists!
Unable to translate a logical signature for Html.Phishing.DropboxVM-1. Skipping...
Unable to translate a logical signature for Win.Worm.Njrat-2. Skipping...
Unable to translate a logical signature for Win.Trojan.B-468. Skipping...
Unable to translate a logical signature for Win.Dropper.Agent-1388636. Skipping...
Unable to translate a logical signature for Win.Dropper.Kuluoz-2905. Skipping...
Unable to translate a logical signature for Win.Trojan.Zbot-64725. Skipping...
Unable to translate a logical signature for Win.Downloader.Dalexis-24. Skipping...
Unable to translate a logical signature for Win.Trojan.Fareit-403. Skipping...
Unable to translate a logical signature for Win.Trojan.PoseidonURL-1. Skipping...
Unable to translate a logical signature for Win.Downloader.Upatre-6142. Skipping...
Unable to translate a logical signature for Legacy.Trojan.Agent-1388638. Skipping...
Unable to translate a logical signature for Win.Trojan.Mrblack-2. Skipping...
Unable to translate a logical signature for Win.Trojan.ProjectHook-1. Skipping...
Rule Win.Trojan.ssid18332-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.UPS-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-8. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-10. Skipping...
Rule Img.Exploit.CVE_2016_5684-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Athena-5329665-0. Skipping...
Rule Txt.Downloader.Generic-5657804-1 seems to be malformed. Skipping...
Rule Txt.Downloader.Generic-5657855-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744087-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744089-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744090-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744092-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744093-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744094-0 seems to be malformed. Skipping...
Rule Win.Trojan.Xtreme-5744910-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Vbswap-5909855-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-6162245-0. Skipping...
Rule Win.Exploit.CVE_2017_0080-6184298-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Ransomware.PyCL-6185098-3. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189297-0. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189299-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196648-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196650-0. Skipping...
Unable to translate a logical signature for Win.Virus.Hematite-6232506-0. Skipping...
Rule Swf.Exploit.CVE_2017_2934-6261685-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6268209-0. Skipping...
Rule Win.Exploit.CVE_2016_3301-5259504-1 seems to be malformed. Skipping...
Rule Js.Downloader.Generic-6296416-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6297788-0. Skipping...
Rule Win.Exploit.CVE_2017_3036-6309463-0 seems to be malformed. Skipping...
Rule Archive.Exploit.CVE_2017_2823-6316562-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6323528-0. Skipping...
Rule Html.Exploit.CVE_2016_7288-6327688-0 seems to be malformed. Skipping...
Rule Win.Exploit.CVE_2017_2781-6316049-1 seems to be malformed. Skipping...
Unable to understand the following offset: 5c6a706567626c6970{-250}66666438

Hi! Could you please provide additional information regarding what the issue is?
ClamAV rules cannot be easily translated to Yara and some failures are to be expected for a few of them. To the best of my knowledge, this script remains the most comprehensive to date.

While a few rules are rejected, are the rest of them generated correctly?

No, nothing can be generated.

Another way to do this is to use sigtool, provided with ClamAV, to parse the .cvd file and then use the parse script provided with this code to convert it into YARA.

I have just tried generating the rules from the script, but it still works on my end. I'm afraid you'll have to provide more details as to what is going on.

C:\Users\50CAL\Desktop\test software\yara_rules>python update_clamav_signatures.py
Downloading: main.cvd Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
Downloading: daily.cvd Bytes: 41908540
Rule Eicar-Test-Signature already exists!
Unable to translate a logical signature for Html.Phishing.DropboxVM-1. Skipping...
Unable to translate a logical signature for Win.Worm.Njrat-2. Skipping...
Unable to translate a logical signature for Win.Trojan.B-468. Skipping...
Unable to translate a logical signature for Win.Dropper.Agent-1388636. Skipping...
Unable to translate a logical signature for Win.Dropper.Kuluoz-2905. Skipping...
Unable to translate a logical signature for Win.Trojan.Zbot-64725. Skipping...
Unable to translate a logical signature for Win.Downloader.Dalexis-24. Skipping...
Unable to translate a logical signature for Win.Trojan.Fareit-403. Skipping...
Unable to translate a logical signature for Win.Trojan.PoseidonURL-1. Skipping...
Unable to translate a logical signature for Win.Downloader.Upatre-6142. Skipping...
Unable to translate a logical signature for Legacy.Trojan.Agent-1388638. Skipping...
Unable to translate a logical signature for Win.Trojan.Mrblack-2. Skipping...
Unable to translate a logical signature for Win.Trojan.ProjectHook-1. Skipping...
Rule Win.Trojan.ssid18332-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.UPS-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-8. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-10. Skipping...
Rule Img.Exploit.CVE_2016_5684-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Athena-5329665-0. Skipping...
Rule Txt.Downloader.Generic-5657804-1 seems to be malformed. Skipping...
Rule Txt.Downloader.Generic-5657855-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744087-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744089-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744090-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744092-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744093-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744094-0 seems to be malformed. Skipping...
Rule Win.Trojan.Xtreme-5744910-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Vbswap-5909855-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-6162245-0. Skipping...
Rule Win.Exploit.CVE_2017_0080-6184298-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Ransomware.PyCL-6185098-3. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189297-0. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189299-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196648-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196650-0. Skipping...
Unable to translate a logical signature for Win.Virus.Hematite-6232506-0. Skipping...
Rule Swf.Exploit.CVE_2017_2934-6261685-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6268209-0. Skipping...
Rule Win.Exploit.CVE_2016_3301-5259504-1 seems to be malformed. Skipping...
Rule Js.Downloader.Generic-6296416-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6297788-0. Skipping...
Rule Win.Exploit.CVE_2017_3036-6309463-0 seems to be malformed. Skipping...
Rule Archive.Exploit.CVE_2017_2823-6316562-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6323528-0. Skipping...
Rule Html.Exploit.CVE_2016_7288-6327688-0 seems to be malformed. Skipping...
Rule Win.Exploit.CVE_2017_2781-6316049-1 seems to be malformed. Skipping...
Unable to understand the following offset: 5c6a706567626c6970{-250}66666438

It parses main.cvd but could not parse the daily.cvd file; look at the above comment.

Everything is appended to clamav.yara... It seems that everything is working fine.

Actually daily.cvd is not appended because there is a tar file and ndb and ldb files which remain unresolved. This is because it was unable to parse them.
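For readers following the thread, here is an added example (my own code, not Manalyze's update_clamav_signatures.py) of what translating one of those .ndb entries into a YARA rule involves. An .ndb line has the shape Name:TargetType:Offset:HexSignature, and the hex body may carry ClamAV gap wildcards such as {n}, {-n}, {n-}, {n-m} and *, nibble wildcards (??) and alternatives ((41|42)); the string quoted in the thread's "Unable to understand the following offset" message has exactly that hex-body shape, with a {-250} gap in the middle. The code maps those constructs onto YARA hex-string jumps, keeps the original ClamAV name in the rule's meta section, translates only the offsets YARA can express directly (* and a decimal absolute offset), and reports anything else as skipped rather than emitting a broken rule. Logical (.ldb) signatures are not handled at all, which is the same limitation the script reports. The sample lines are constructed for this example (only the Test.Gap-1 hex body is taken from the thread), and the function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample .ndb lines for this example. The hex body of Test.Gap-1
# is the string quoted in the thread's error message; everything else is made up.
SAMPLE_NDB = """\
# name:target_type:offset:hex_signature
Test.Plain-1:0:*:4d5a90000300000004000000ffff0000
Test.Gap-1:1:*:5c6a706567626c6970{-250}66666438
Test.Nibble-1:1:1024:68656c6c6f??776f726c64(41|42)
Test.Star-1:0:*:deadbeef*cafebabe
Test.BadOffset-1:1:EP+0:90909090
"""

# One token of a ClamAV hex body: a {n}/{-n}/{n-}/{n-m} gap, a '*' gap,
# alternative delimiters, or one byte (two hex digits, '?' as nibble wildcard).
_TOKEN = re.compile(r'\{(\d*)(-?)(\d*)\}|\*|\(|\)|\||[0-9a-fA-F?]{2}')


def clamav_hex_to_yara(body: str) -> str:
    """Translate a ClamAV hex body into the inside of a YARA hex string."""
    out: List[str] = []
    pos = 0
    for m in _TOKEN.finditer(body):
        if m.start() != pos:  # characters between tokens we do not understand
            raise ValueError(f"unsupported hex syntax at {pos}: {body[pos:pos + 8]!r}")
        pos = m.end()
        tok = m.group(0)
        if tok.startswith('{'):
            lo, dash, hi = m.groups()
            if lo and not dash:          # {n}   exactly n bytes
                out.append(f'[{lo}]')
            elif lo and hi:              # {n-m} between n and m bytes
                out.append(f'[{lo}-{hi}]')
            elif lo:                     # {n-}  n or more bytes
                out.append(f'[{lo}-]')
            elif hi:                     # {-n}  up to n bytes
                out.append(f'[0-{hi}]')
            else:
                raise ValueError(f"empty gap {tok!r}")
        elif tok == '*':                 # any number of bytes
            out.append('[-]')
        elif tok in '()|':               # alternatives are the same in YARA
            out.append(tok)
        else:
            out.append(tok.lower())
    if pos != len(body):
        raise ValueError(f"unsupported hex syntax at {pos}: {body[pos:pos + 8]!r}")
    # YARA rejects hex strings that begin or end with a jump.
    if not out or out[0].startswith('[') or out[-1].startswith('['):
        raise ValueError("hex string must start and end with bytes")
    return ' '.join(out)


def ndb_to_yara(line: str) -> str:
    """Turn one .ndb line into a YARA rule, or raise ValueError if it cannot."""
    parts = line.split(':')  # Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]
    if len(parts) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    name, target, offset, body = parts[0], parts[1], parts[2], parts[3]
    hex_body = clamav_hex_to_yara(body)
    # Only offsets YARA expresses directly: '*' (anywhere) or a decimal offset.
    if offset == '*':
        condition = '$sig'
    elif offset.isdigit():
        condition = f'$sig at {offset}'
    else:
        raise ValueError(f"unable to understand the following offset: {offset}")
    ident = re.sub(r'[^A-Za-z0-9_]', '_', name)  # YARA identifiers: [A-Za-z0-9_]
    if not ident or ident[0].isdigit():
        ident = '_' + ident
    return '\n'.join([
        f'rule {ident}',
        '{',
        '    meta:',
        f'        clamav_name = "{name}"',
        f'        clamav_target = "{target}"',
        '    strings:',
        f'        $sig = {{ {hex_body} }}',
        '    condition:',
        f'        {condition}',
        '}',
    ])


def translate_ndb(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Translate every signature in an .ndb file; return (rules, skipped)."""
    rules: List[str] = []
    skipped: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            rules.append(ndb_to_yara(line))
        except ValueError as exc:
            skipped.append((line.split(':', 1)[0], str(exc)))
    return rules, skipped


if __name__ == '__main__':
    generated, rejected = translate_ndb(SAMPLE_NDB)
    print('\n\n'.join(generated))
    for sig_name, reason in rejected:
        print(f'Skipping {sig_name}: {reason}')
```

Running it prints four rules and one "Skipping Test.BadOffset-1: unable to understand the following offset: EP+0" line, because a ClamAV entry-point-relative offset has no direct YARA equivalent. Rejecting such entries explicitly, instead of emitting a rule with a guessed condition, is the safer choice for a detection ruleset.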

Is the Python script throwing any kind of exception?

No, not any exception. You may need to review the parser script.

Thanks for reporting this issue. I've finally looked into it and it should be fixed. Let me know if it works for you now!

I got the issue while updating the YARA signatures of ClamAV, even though I am using the new Python script:

Downloading: main.cvd Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
Downloading: daily.cvd Bytes: 46149729
Rule Eicar-Test-Signature already exists!
Unable to translate a logical signature for Html.Phishing.DropboxVM-1. Skipping...
Unable to translate a logical signature for Win.Worm.Njrat-2. Skipping...
Unable to translate a logical signature for Win.Trojan.B-468. Skipping...
Unable to translate a logical signature for Win.Dropper.Agent-1388636. Skipping...
Unable to translate a logical signature for Win.Dropper.Kuluoz-2905. Skipping...
Unable to translate a logical signature for Win.Trojan.Zbot-64725. Skipping...
Unable to translate a logical signature for Win.Downloader.Dalexis-24. Skipping...
Unable to translate a logical signature for Win.Trojan.Fareit-403. Skipping...
Unable to translate a logical signature for Win.Trojan.PoseidonURL-1. Skipping...
Unable to translate a logical signature for Win.Downloader.Upatre-6142. Skipping...
Unable to translate a logical signature for Legacy.Trojan.Agent-1388638. Skipping...
Unable to translate a logical signature for Win.Trojan.Mrblack-2. Skipping...
Unable to translate a logical signature for Win.Trojan.ProjectHook-1. Skipping...
Rule Win.Trojan.ssid18332-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.UPS-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-8. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-10. Skipping...
Rule Img.Exploit.CVE_2016_5684-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Athena-5329665-0. Skipping...
Rule Txt.Downloader.Generic-5657804-1 seems to be malformed. Skipping...
Rule Txt.Downloader.Generic-5657855-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744087-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744089-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744090-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744092-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744093-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744094-0 seems to be malformed. Skipping...
Rule Win.Trojan.Xtreme-5744910-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Vbswap-5909855-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-6162245-0. Skipping...
Rule Win.Exploit.CVE_2017_0080-6184298-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Ransomware.PyCL-6185098-3. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189297-0. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189299-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196648-0. Skipping...
Unable to translate a logical signature for Win.Virus.Hematite-6232506-0. Skipping...
Rule Swf.Exploit.CVE_2017_2934-6261685-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6268209-0. Skipping...
Rule Win.Exploit.CVE_2016_3301-5259504-1 seems to be malformed. Skipping...
Rule Js.Downloader.Generic-6296416-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6297788-0. Skipping...
Rule Win.Exploit.CVE_2017_3036-6309463-0 seems to be malformed. Skipping...
Rule Archive.Exploit.CVE_2017_2823-6316562-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6323528-0. Skipping...
Rule Html.Exploit.CVE_2016_7288-6327688-0 seems to be malformed. Skipping...
Unable to understand the following offset: 5c6a706567626c6970{-250}66666438

Script I am using, FYI:
parse_clamav.zip

The database does not get updated up to the latest DB.

I'm currently able to download and translate the official ClamAV signatures with the Python script. I'm not sure if it is because of a bugfix on my end or an update on the rules, but I guess I'll close the issues related to this script for now.