Skip to content
This repository has been archived by the owner on Apr 26, 2021. It is now read-only.

yara internal error 30 #1734

Open
mallorybobalice opened this issue Jul 26, 2017 · 13 comments
Open

yara internal error 30 #1734

mallorybobalice opened this issue Jul 26, 2017 · 13 comments

Comments

@mallorybobalice
Copy link

mallorybobalice commented Jul 26, 2017
edited
Loading

#@doomedraven (but mostly other people :D )
upgrading test and prod sandbox getting what i think we haven't seen before. (yara 2.6, newest kernel + libs + pylibs and source)

we've basically been using yara for binaries as an augmented static module (pes, docs,pdfs)

e.g. (yara) pied for pes (for better or worse) (and look i get it the recent sample examples of conflating 'all the yara sigs possible in one sample ', but you know...)

now getting yara : 'internal error 30'
running yara against the same rule set and binary in linux yields the same result

googling for what exactly the limitation is suggest it's some sort of match limitation (all the searches are about as confusing as they can get and i haven't seen anyone suggest anything to override the behaviour to a reasonable cpu + mem limit)

i'm all confused - running this against say filezilla setup always times out now . vs before (yara 2.5)

2017-07-25 18:32:48,125 [lib.cuckoo.common.objects] ERROR: Unable to match Yara signatures: internal error: 30
Traceback (most recent call last):
  File "lib/cuckoo/common/objects.py", line 331, in get_yara
    matches = rules.match(self.file_path)
Error: internal error: 30

pip:
yara-python (3.6.3)

yara --version
3.6.3

yara rules are

https://github.com/Yara-Rules/rules/archive/master.zip

using https://github.com/lehuff/cuckoo-yara-rules/blob/master/cuckoo-yara-rules.py 


	#remove any lines with Android Mobile rules-master/rules-master/

yara hits:

$ yara data/yara/index_binaries.yar storage/analyses/1471/binary
data/yara/rules-master/utils/rules-master/utils/domain.yar(10): warning: $domain_regex is slowing down scanning (critical!)
data/yara/rules-master/utils/rules-master/utils/ip.yar(10): warning: $ip is slowing down scanning
data/yara/rules-master/utils/rules-master/utils/base64.yar(14): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(672): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(900): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(1499): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(1897): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(2348): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(2951): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(2979): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(3532): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(3713): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(3871): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(3971): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(4062): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(6016): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(6508): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(6654): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(6780): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(7471): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(7472): warning: $b is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(7599): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(7690): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(7754): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(7772): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(8244): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(8519): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(9954): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(10218): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(10574): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(10575): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(10785): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(10975): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(11056): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(11057): warning: $b is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(11112): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(11383): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(11437): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(12601): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(12739): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(13127): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(13173): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(14010): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(14011): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(14020): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(14146): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(14907): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(14970): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(15190): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(15263): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(15290): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(15416): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(16032): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(16412): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(16612): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(16994): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(17003): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(17004): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(17984): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(18030): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(18264): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(18989): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(19071): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(19243): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(19451): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(20586): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(20811): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(20830): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(21426): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(21427): warning: $c is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(21691): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(22336): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(22905): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(22943): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(23425): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(23617): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(23743): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(24009): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(24064): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(24165): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(24781): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(24800): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(25185): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(25378): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(25379): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(26467): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(27017): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(27780): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(28061): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(28181): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(28262): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(29270): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(29490): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(29957): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(30402): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(32089): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(32270): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(32899): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(33266): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(33483): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(33592): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(33821): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(33976): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(34259): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(34358): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(34506): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(34588): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(34975): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(34976): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(35012): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(36116): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(36245): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(36435): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(36710): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(36948): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(37003): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(37123): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(37403): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(37658): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(37686): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(37741): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(37822): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(38534): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(39162): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(39190): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(39682): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(39755): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(40384): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(40984): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(40985): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(41255): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(41282): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(41283): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(41473): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(42109): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(42608): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(44911): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(45048): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(45147): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(45567): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(46281): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(46613): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(46903): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(47042): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(47297): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(47298): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(47537): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(48103): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(48593): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(50313): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(50314): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(50404): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(50405): warning: $b is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(50522): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(50549): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(51564): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(51909): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(52240): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(52357): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(52661): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(53800): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(54344): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(54345): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(55323): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(55324): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(55325): warning: $c is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(55746): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(55975): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(56397): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(56915): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(56925): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(57426): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(57767): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(57921): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(58206): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(58207): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(58361): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(58433): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(58954): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(59274): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(59556): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(60175): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(60573): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(60693): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(61093): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(61376): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(61377): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(61442): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(61470): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(61733): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(61925): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(62361): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(62497): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(62772): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(63085): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(63320): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(63632): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(63804): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(64062): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(65394): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(65778): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(65779): warning: $b is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(66955): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(66964): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(67199): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(67671): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(68458): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(68950): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/peid.yar(68959): warning: $a is slowing down scanning
data/yara/rules-master/Packers/rules-master/Packers/Javascript_exploit_and_obfuscation.yar(25): warning: $fff is slowing down scanning (critical!)
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PDF.yar(63): warning: $attrib contains .*, consider using .{N} with a reasonable value for N
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PDF.yar(158): warning: $shell is slowing down scanning
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PDF.yar(259): warning: $reg is slowing down scanning
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PDF.yar(295): warning: $reg0 contains .*, consider using .{N} with a reasonable value for N
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PDF.yar(296): warning: $reg1 contains .*, consider using .{N} with a reasonable value for N
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PDF.yar(402): warning: $reg0 contains .*, consider using .{N} with a reasonable value for N
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PDF.yar(403): warning: $reg1 contains .*, consider using .{N} with a reasonable value for N
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/maldoc_somerules.yar(53): warning: $a is slowing down scanning
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/maldoc_somerules.yar(63): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/maldoc_somerules.yar(73): warning: $a is slowing down scanning (critical!)
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/maldoc_somerules.yar(114): warning: $a is slowing down scanning
data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar(18): warning: $activemime is slowing down scanning
data/yara/rules-master/Exploit-Kits/rules-master/Exploit-Kits/EK_Fragus.yar(197): warning: $string4 is slowing down scanning (critical!)
data/yara/rules-master/Crypto/rules-master/Crypto/crypto_signatures.yar(11): warning: $c0 is slowing down scanning (critical!)
data/yara/rules-master/Crypto/rules-master/Crypto/crypto_signatures.yar(23): warning: $c0 is slowing down scanning (critical!)
data/yara/rules-master/Crypto/rules-master/Crypto/crypto_signatures.yar(35): warning: $c0 is slowing down scanning (critical!)
data/yara/rules-master/Crypto/rules-master/Crypto/crypto_signatures.yar(47): warning: $c0 is slowing down scanning (critical!)
data/yara/rules-master/Crypto/rules-master/Crypto/crypto_signatures.yar(59): warning: $c0 is slowing down scanning (critical!)
data/yara/rules-master/Crypto/rules-master/Crypto/crypto_signatures.yar(71): warning: $c0 is slowing down scanning (critical!)
data/yara/rules-master/Crypto/rules-master/Crypto/crypto_signatures.yar(93): warning: $c0 is slowing down scanning
data/yara/rules-master/Crypto/rules-master/Crypto/crypto_signatures.yar(776): warning: $c0 is slowing down scanning
data/yara/rules-master/malware/rules-master/malware/RAT_Ratdecoders.yar(153): warning: $conf is slowing down scanning (critical!)
**error scanning storage/analyses/1471/binary: internal error: 30**
@doomedraven
Copy link
Contributor

lol #define ERROR_TOO_MANY_MATCHES 30

https://github.com/VirusTotal/yara/blob/2289bbabb539045d18200a5d7c49fca6e4866d06/libyara/include/yara/error.h#L75

filter your rules

@mallorybobalice
Copy link
Author

Mm already read the official position. Here's the thing though. I still don't get why there's no override or limit flag. Yes there are many rules. But I use most as info only and am ok with total run time of say 15s for yara per sample (as long as cpu time and ram bounded)

@mallorybobalice
Copy link
Author

*and some rules have many matches

@mallorybobalice
Copy link
Author

Perhaps I don't understand the underlying issue. I don't think it used to happen with 2.5 but yara mailing list suggests they 'helpfully fixed it in 2.5+)

@doomedraven
Copy link
Contributor

is bcz there too much generic rules/poor quality, try without all that rules and you will see ;)

@Nwinternights
Copy link

I agree with @doomedraven . try reduce yara rules and be aware because many of these can break the analysis or overload the mem.
Usually I use few yara rules just to have a double check: (vba, Js, shellcode, powershell, vm evasion, ole files)
regards

@SparkyNZL
Copy link

SparkyNZL commented Jul 26, 2017 via email

@mallorybobalice
Copy link
Author

mallorybobalice commented Jul 27, 2017
edited
Loading

hmmm i guess where i was going with is - i thought it used to do this less on 2.5 but anyhow.
ok, can someone share what public rules they use please?

e.g. after skimming the suggestions above I suppose i've come down to

//include "data/yara/rules-master/utils/rules-master/utils/domain.yar"
//include "data/yara/rules-master/utils/rules-master/utils/ip.yar"
include "data/yara/rules-master/utils/rules-master/utils/suspicious_strings.yar"
//include "data/yara/rules-master/utils/rules-master/utils/base64.yar"
//include "data/yara/rules-master/utils/rules-master/utils/url.yar"
//include "data/yara/rules-master/utils/rules-master/utils/magic.yar"
include "data/yara/rules-master/Packers/rules-master/Packers/peid.yar"
include "data/yara/rules-master/Packers/rules-master/Packers/Javascript_exploit_and_obfuscation.yar"
include "data/yara/rules-master/Packers/rules-master/Packers/packer.yar"
include "data/yara/rules-master/Packers/rules-master/Packers/packer_compiler_signatures.yar"
include "data/yara/rules-master/Packers/rules-master/Packers/JJencode.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PDF.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_Dridex.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_CVE-2017-0199.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_VBA_macro_code.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_Hidden_PE_file.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_UserForm.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_PowerPointMouse.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_malrtf_ole2link.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/maldoc_somerules.yar"
include "data/yara/rules-master/Malicious_Documents/rules-master/Malicious_Documents/Maldoc_Contains_VBE_File.yar"
include "data/yara/rules-master/Antidebug_AntiVM/rules-master/Antidebug_AntiVM/antidebug_antivm.yar"
include "data/yara/rules-master/embedded.yar"
include "data/yara/rules-master/shellcodes.yar"
include "data/yara/rules-master/vmdetect.yar"

I suppose in terms of static analysis type sigs (pied, and perhaps pdf/doc) - cuckoo does its own static bits via other libs.

:\ also why am in the cuckoo main repo... hmph. how'd I even get here :D ...

@jbremer
Copy link
Member

jbremer commented Jul 27, 2017

Ah yes, good find @doomedraven! :-) I'll add some handling for it to notify users about this error.

@mallorybobalice
Copy link
Author

mallorybobalice commented Jul 27, 2017
edited
Loading

@jbremer mmmm ....i mean are you guys definitely sure this is how yara behaved before?
I don't know how much people with large custom yara libs will like it as a warning/error .
is it definitely not overridable without custom compiling and what are the implications ?

@doomedraven
Copy link
Contributor

man is just a poor yara, at least looks like, if a lot of yara match one sample, not make sense have a lot of different yara for match the same no?

@jbremer
Copy link
Member

jbremer commented Jul 27, 2017
edited
Loading

I've put out a PR to yara and yara-python to address the internal error: 30 issue. Please find VirusTotal/yara-python#55 and VirusTotal/yara#717. Until those two PRs are merged and a new yara-python version is released (I'd assume this will take at least a couple of weeks) we won't be providing a workaround as there isn't really one.
The issue is as follows: there exists one or more Yara rules in your setup that contains one or more strings that trigger too many matches (at least one million). As such, these yara rules should be improved. The PRs mentioned in this comment address those issues by identifying the Yara rule & string identifier which cause the issue.

@bitninjaio
Copy link

Any update on this?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@jbremer @doomedraven @mallorybobalice @bitninjaio @SparkyNZL @Nwinternights