yara internal error 30 #1734
lol filter your rules
Mm, already read the official position. Here's the thing though: I still don't get why there's no override or limit flag. Yes, there are many rules. But I use most as info only and am OK with a total run time of, say, 15s for yara per sample (as long as CPU time and RAM are bounded)
*and some rules have many matches
Perhaps I don't understand the underlying issue. I don't think it used to happen with 2.5, but the yara mailing list suggests they 'helpfully' fixed it in 2.5+
It's because there are too many generic/poor-quality rules; try without all those rules and you will see ;)
I agree with @doomedraven. Try reducing the yara rules, and be aware that many of these can break the analysis or overload the memory.
The PEiD rule only breaks on some types of binaries. I keep it in there and just ignore the error when it does break.
On Thu, Jul 27, 2017 at 8:27 AM, Nwinternights wrote:
> I agree with @doomedraven. Try reducing the yara rules, and be aware that many of these can break the analysis or overload the memory.
> Usually I use a few yara rules just to have a double check: (VBA, JS, shellcode, PowerShell, VM evasion, OLE files)
> regards
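One way to act on the "filter your rules" advice above, as an added example that is not code from the cuckoo project or from any commenter: a small splitter that breaks a combined rule file into its individual rules, plus a bisect helper to find which rule trips yara on a given sample. The `fails` callback is assumed to compile a subset with yara and scan the sample, returning True when yara raises; that part is left to the caller.

```python
# Added example (not cuckoo's or yara's code): split a combined YARA rule file into
# single rules so a set that trips yara on a sample can be bisected to the culprit.
import re
_RULE_START = re.compile(r'^[ \t]*((?:private|global)[ \t]+)*rule[ \t]+\w+', re.M)

def split_rules(source):
    """Return (header, [rule_text, ...]); header is the import/include preamble to
    prepend to a subset compiled alone. Braces in comments, quoted strings and
    '= /regex/' patterns are skipped so they cannot end a rule early."""
    first = _RULE_START.search(source)
    cut = first.start() if first else len(source)
    header, body = source[:cut], source[cut:]
    rules, depth, start, prev, i, n = [], 0, None, '', 0, len(body)
    while i < n:
        c, two = body[i], body[i:i + 2]
        if two == '//':                                # line comment
            j = body.find('\n', i); i = n if j < 0 else j
        elif two == '/*':                              # block comment
            j = body.find('*/', i + 2); i = n if j < 0 else j + 2
        elif c == '"' or (c == '/' and prev == '='):   # text string / regex
            j = i + 1
            while j < n and body[j] != c:
                j += 2 if body[j] == '\\' else 1       # skip escaped chars
            i = j + 1
        else:
            if not c.isspace():
                start, prev = (i if start is None else start), c
            if c == '{': depth += 1
            elif c == '}' and depth > 0:
                depth -= 1
                if depth == 0:                         # rule body closed
                    rules.append(body[start:i + 1].strip())
                    start = None
            i += 1
    return header, rules

def find_failing_rule(header, rules, fails):
    """Halve the list until one rule satisfies fails(header, subset), where fails()
    would compile header + subset with yara and scan the sample; None if none."""
    while len(rules) > 1:
        half = len(rules) // 2
        rules = rules[:half] if fails(header, rules[:half]) else rules[half:]
    return rules[0] if rules and fails(header, rules) else None

# Constructed sample: braces inside a string, a hex string, comments and a regex.
SAMPLE = '''import "pe"
// a comment with a stray } brace
rule good_one { /* { */ strings: $a = "a}b" condition: $a }
private rule hex_one { strings: $h = { 4D 5A } condition: $h }
rule bad_one { strings: $r = /a\\}b/ condition: $r and pe.is_pe }
'''
```

If the error only appears once many rules are loaded together, the bisect returns None, which is itself the useful signal that no single rule is to blame.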
Hmmm, I guess where I was going with this is: I thought it used to do this less on 2.5, but anyhow. E.g. after skimming the suggestions above I suppose I've come down to
I suppose in terms of static-analysis-type sigs (PEiD, and perhaps PDF/DOC), cuckoo does its own static bits via other libs. :\ Also, why am I in the cuckoo main repo... hmph. How'd I even get here :D ...
Ah yes, good find @doomedraven! :-) I'll add some handling for it to notify users about this error.
@jbremer mmmm... I mean, are you guys definitely sure this is how yara behaved before?
Man, it's just a poor yara rule, at least it looks like it: if a lot of yara rules match one sample, it doesn't make sense to have a lot of different yara rules matching the same thing, no?
I've put out a PR to
Any update on this?
#@doomedraven (but mostly other people :D )
Upgrading test and prod sandbox, getting what I think we haven't seen before (yara 2.6, newest kernel + libs + pylibs and source).
We've basically been using yara for binaries as an augmented static module (PEs, docs, PDFs).
E.g. (yara) PEiD for PEs (for better or worse) (and look, I get it, the recent sample examples of conflating 'all the yara sigs possible in one sample', but you know...)
Now getting yara: 'internal error 30'
Running yara against the same rule set and binary in Linux yields the same result.
Googling for what exactly the limitation is suggests it's some sort of match limitation (all the searches are about as confusing as they can get, and I haven't seen anyone suggest anything to override the behaviour to a reasonable CPU + mem limit).
I'm all confused: running this against, say, FileZilla setup always times out now, vs. before (yara 2.5).
yara rules are
yara hits: