Missing error log on broken yara rule (runtime)
HashtagMarkus opened this issue
Hi,
I stumbled over a problem which took me quite some time to get a grip on.
I was testing a huge set of yara rules using kraken inside a Windows Test VM. The compiler worked fine, so the yara rule was syntactically correct. However, I think there is an issue with rules which don't work during runtime. As an example see the following two rules:
```yara
// The pe module must be imported for pe.number_of_signatures / pe.signatures to compile.
import "pe"

rule test1 {
    condition:
        // No MZ header check: the pe module fields are evaluated on every scanned file.
        for any i in (0 .. pe.number_of_signatures) : (
            pe.signatures[i].subject contains "Solid Loop" or
            pe.signatures[i].subject contains "Ultimate Computer Support"
        )
}

rule test2 {
    condition:
        // filename is an external variable supplied by the scanner.
        filename == "test.txt"
}
```
I believe the `test1` condition might be incorrect during runtime because of the missing MZ header check `uint16(0) == 0x5a4d`. (`test1` is a stripped-down version of https://github.com/Neo23x0/signature-base/blob/master/yara/apt_turla_gazer.yar.) Using this version, `test2` is never executed on kraken. (This also means that on a huge ruleset, all other rules are not executed.)
When I add the MZ header condition to `test1`, the `test2` rule works as expected. This behavior leads to a whole lot of yara rules not being tested, without kraken logging any problem.
I'm not sure if this is a go-yara or a kraken issue, however using yara64.exe with the compiled ruleset I cannot see this behavior. Do you have a guide on how to debug such a scenario?
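For reference, here is the guarded form of the rule that the report above describes as working. This is an added example, not code from the issue, from kraken or from the signature-base project: it prepends the MZ header check so that, because `and` short-circuits, the pe module fields are only evaluated on files that actually begin with an MZ header, and a non-PE input such as `test.txt` no longer trips the loop. `filename` is assumed to be an external variable defined by the scanner, as in the issue's own `test2`.

```yara
import "pe"

// Constructed example: the same condition as test1, guarded by an MZ check.
// On a file that does not start with "MZ", the left operand of `and` is false
// and the pe.signatures loop is never evaluated, so the rule simply does not
// match instead of failing at runtime.
rule test1_guarded {
    meta:
        description = "pe-module condition guarded by an MZ header check"
    condition:
        uint16(0) == 0x5a4d and
        for any i in (0 .. pe.number_of_signatures) : (
            pe.signatures[i].subject contains "Solid Loop" or
            pe.signatures[i].subject contains "Ultimate Computer Support"
        )
}

// Unchanged from the issue; relies on the external variable `filename`.
rule test2 {
    condition:
        filename == "test.txt"
}
```

With the stock yara CLI the external variable can be supplied on the command line, e.g. `yara -d filename=test.txt rules.yar test.txt`, which is a quick way to confirm that `test2` fires on the text file once `test1_guarded` is in the same ruleset. The same guard is worth applying to any rule that dereferences pe module fields, since those rules are otherwise evaluated against every file type the scanner feeds them.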