Went back to the original rule file & tried commenting out all but one of the rules that were actually matching my test binary. That caused normal behavior to return as well. It doesn't seem to matter which one I leave uncommented. This is a bit of a puzzler.
John
For what it's worth, I went into my Ubuntu VM, and tried recompiling everything, and it appears to work correctly there, so I guess there must be something squirrely with my Cygwin environment.
John
No comment was added when this was closed... Did anybody ever validate that this can be made to work properly in Cygwin with very large yara rule sets? I have over 2000 and am wondering whether this may be the cause of the issue.
Thanks
John
From johnmcca...@gmail.com on October 07, 2011 22:06:37
What version of the product are you using? On what operating system? Yara-1.6, Yara-Python-1.6, compiled & installed under Cygwin on Windows 7 x64. Please provide any additional information below. Yara-1.6 compiles, installs, and appears to function correctly. yara-python-1.6 also appears to compile and install correctly. However, I note when attempting to run pescanner.py, which uses yara-python, that whenever I scan a binary with my whole yara rules file, no output is produced, not even the output normally seen when no yara rules are supplied. Reducing the ruleset progressively shows something even more odd. I can get the file down to two entries (simple ones, with only a single string and condition statement in each), removing either of which will result in the file processing correctly... and it's not necessary for both rules to match to generate the problem. There are also a significant number of rules which seem to coexist peacefully. I reiterate also that the regular yara command line program processes my full rule list perfectly, and produces normal expected output.
I'm not absolutely certain, but I think this was working normally at one point. However, I haven't been able to revert anything that I think I've changed recently and get it to function correctly again.
Also, I think something similar is happening to the volatility malfind plugin, which I just installed for testing. In any case, it's not producing expected output. This is why I suspect something wrong with yara-python.
The problem may actually be with my build environment, but I'd like to know for sure that pescanner.py is working normally on target files with multiple yara rule matches under yara-1.6 and yara-python-1.6.
Anyone seen anything like this before?
Thanks
John
Original issue: http://code.google.com/p/yara-project/issues/detail?id=29
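The rule-by-rule reduction described in the report (and in the follow-up comment about commenting out all but one matching rule) can be automated. The script below is an added example, not part of the original issue, of yara-python, or of pescanner.py: it splits a rules file into individual rules, compiles each subset with yara-python, and greedily drops rules while the disagreement with the yara command-line result still reproduces, leaving the smallest set that triggers it. Assumptions: yara-python is installed and exposes `yara.compile(source=...)` and `Rules.match(filepath)`; the rule splitter assumes each rule starts on its own line; the sample rule set and the stand-in failure predicate in `demo_reduce()` are constructed; and the reduction assumes the failure is monotone (any superset of a failing rule set also fails), which matches what the report describes.

```python
"""Isolate the rules that make yara-python disagree with the yara CLI.

Added example (not from the issue or from yara-python): split a rules file
into single rules, then greedily remove rules while the failure still
reproduces.  The yara-python call is confined to scan_with_rules() so the
reduction logic can be exercised without yara installed.
"""
import re
from typing import Callable, List, Sequence, Set, Tuple

# Start of a rule definition at the beginning of a line (with optional
# private/global modifiers).  Assumption: every rule starts on its own line
# and no string literal or comment has a line beginning with `rule NAME`.
_RULE_START = re.compile(r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+\w+',
                         re.MULTILINE)

# Constructed sample rule set (not from the report) used by demo_reduce().
SAMPLE_RULES = '''// constructed sample ruleset
import "pe"

rule alpha { strings: $a = "MZ" condition: $a at 0 }
private rule beta { strings: $b = "PE" condition: $b }
rule gamma { condition: uint16(0) == 0x5a4d }
rule delta { condition: pe.number_of_sections > 0 }
'''


def split_rules(source: str) -> Tuple[str, List[str]]:
    """Return (header, [rule texts]).  The header is everything before the
    first rule (imports, includes, comments) and is kept with every subset."""
    starts = [m.start() for m in _RULE_START.finditer(source)]
    if not starts:
        return source, []
    bounds = starts + [len(source)]
    rules = [source[a:b].strip() for a, b in zip(bounds, bounds[1:])]
    return source[:starts[0]], rules


def rule_name(rule_text: str) -> str:
    """Name of one rule as produced by split_rules()."""
    m = _RULE_START.match(rule_text)
    return m.group(0).split()[-1] if m else '<unknown>'


def reduce_failing_set(rules: Sequence[str],
                       fails: Callable[[Sequence[str]], bool]) -> List[str]:
    """Greedy one-pass reduction: drop each rule whose removal still leaves
    the failure reproducing.  Assumes the failure is monotone."""
    current = list(rules)
    if not fails(current):
        return []                   # no failure to reduce
    i = 0
    while i < len(current):
        candidate = current[:i] + current[i + 1:]
        if candidate and fails(candidate):
            current = candidate     # rule i is not needed; re-test index i
        else:
            i += 1                  # rule i is part of the failing set
    return current


def scan_with_rules(header: str, rules: Sequence[str], target_path: str) -> List[str]:
    """Compile `rules` with yara-python and return names of rules matching
    `target_path`.  Assumption: yara.compile(source=...) and
    Rules.match(filepath) exist, as in yara-python."""
    import yara  # imported here so the rest of the module runs without it
    compiled = yara.compile(source=header + '\n\n'.join(rules))
    return [m.rule for m in compiled.match(target_path)]


def make_failure_predicate(header: str, target_path: str,
                           cli_matches: Set[str]) -> Callable[[Sequence[str]], bool]:
    """fails(subset) is True when yara-python raises, or fails to report a
    rule from `cli_matches` (names the yara CLI reported) present in `subset`."""
    def fails(subset: Sequence[str]) -> bool:
        try:
            found = set(scan_with_rules(header, subset, target_path))
        except Exception:
            return True
        expected = {rule_name(r) for r in subset} & cli_matches
        return not expected <= found
    return fails


def demo_reduce() -> List[str]:
    """Offline demonstration with a constructed predicate: the failure
    reproduces exactly when both 'alpha' and 'gamma' are in the subset."""
    _header, rules = split_rules(SAMPLE_RULES)

    def fails(subset: Sequence[str]) -> bool:
        return {'alpha', 'gamma'} <= {rule_name(r) for r in subset}

    return [rule_name(r) for r in reduce_failing_set(rules, fails)]


if __name__ == '__main__':
    import sys
    # usage: python reduce_rules.py RULES_FILE TARGET_FILE CLI_MATCH_NAME...
    rules_path, target_path, *cli = sys.argv[1:]
    with open(rules_path, encoding='utf-8') as fh:
        header, rules = split_rules(fh.read())
    for r in reduce_failing_set(rules, make_failure_predicate(header, target_path, set(cli))):
        print(rule_name(r))
```

Run it with the full rules file, the binary that misbehaves, and the rule names the yara command line reports for that binary; the names it prints are the rules that together reproduce the discrepancy, which is a far smaller thing to attach to a bug report than a 2000-rule file. Because each subset is compiled from source, a compile error in a subset counts as a failure too, so check the printed rules compile on their own with the CLI before concluding the problem is in yara-python rather than in the splitter's line-based assumption.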