gwillem/magento-malware-scanner

FP's because of \x##\x##\x## in Yara rules

jeroenvermeulen opened this issue · 2 comments

Last night MageSec's rules were updated:
https://magesec.org/download/yara-standard.yar
A Yara rule like this:

rule ccsave_cc_number_3803e
{
    strings:
        $ = "\x63\x63\x73\x61\x76\x65\x5F\x63\x63\x5F\x6E\x75\x6D\x62\x65\x72"
    condition:
        any of them
}

also matches the text ccsave_cc_number, which is what you get when you run this in Bash:

echo -e "\x63\x63\x73\x61\x76\x65\x5F\x63\x63\x5F\x6E\x75\x6D\x62\x65\x72"

The solution is to use a rule like this:

rule ccsave_cc_number_3803e_new
{
    strings:
        $ = "\\x63\\x63\\x73\\x61\\x76\\x65\\x5F\\x63\\x63\\x5F\\x6E\\x75\\x6D\\x62\\x65\\x72"
    condition:
        any of them
}

to match a file which includes the string \x63\x63\x73\x61\x76\x65\x5F\x63\x63\x5F\x6E\x75\x6D\x62\x65\x72.

Is the intention of the rule to identify the string of hex values, or to identify a string using the hex, which according to the Yara docs should normally be written as:
strings: $ = { 63 63 73 61 76 65 5F 63 63 5F 6E 75 6D 62 65 72 }

If the former, which is most likely the case, then I agree with you that your revised rule would identify the hex string.

That seems to be an erroneous import by Martin Pachol (he syncs this repo periodically to Magesec). /cc @gnuzealot. The original rule here is correct (otherwise it wouldn't pass CI).
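As an added example (not code from this issue thread, from magento-malware-scanner or from MageSec), the Python below decodes a YARA double-quoted text string and a YARA hex string into the bytes the engine actually searches for, then runs the three forms of the rule discussed above (the original `"\x63..."`, the revised `"\\x63..."`, and the `{ 63 63 ... }` hex form) over constructed sample files. The sample file contents, the helper names and the assumption that the `\r` escape is accepted (newer YARA versions) are the author's choices for this example; it does not use the `yara` library, so it models plain case-sensitive byte matching only, not string modifiers such as `nocase` or `wide`.

```python
"""
Two layers of escaping in YARA text strings.

"\x63\x63" inside a rule is decoded by YARA into the bytes 63 63 ("cc"),
so the rule matches plain text, not the escaped form an obfuscated PHP
string uses. To match the escaped text itself, the backslashes must be
escaped in the rule ("\\x63").
"""
import re

# Escape sequences accepted inside a YARA double-quoted text string:
# \" \\ \t \n \xNN (and \r in newer versions, assumed here).
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|["\\tnr])')
_SIMPLE = {'"': b'"', '\\': b'\\', 't': b'\t', 'n': b'\n', 'r': b'\r'}


def yara_text_string_to_bytes(literal: str) -> bytes:
    """Decode the body of a YARA text string (without the surrounding quotes)
    into the exact bytes the engine searches for."""
    out = bytearray()
    i = 0
    while i < len(literal):
        if literal[i] != '\\':
            out += literal[i].encode('latin-1')
            i += 1
            continue
        m = _ESCAPE_RE.match(literal, i)
        if m is None:
            # YARA rejects the rule at compile time; mirror that here.
            raise ValueError(f"invalid escape at offset {i}: {literal[i:i + 4]!r}")
        esc = m.group(1)
        if esc[0] == 'x':
            out.append(int(esc[1:], 16))
        else:
            out += _SIMPLE[esc]
        i = m.end()
    return bytes(out)


def yara_hex_string_to_bytes(body: str) -> bytes:
    """Decode a plain YARA hex string body ("63 63 73 ..." between the braces).
    Wildcards (??) and jumps ([n-m]) are deliberately not handled: this example
    only needs fixed byte sequences."""
    tokens = body.split()
    if any(not re.fullmatch(r'[0-9A-Fa-f]{2}', t) for t in tokens):
        raise ValueError("only plain hex bytes are supported in this example")
    return bytes(int(t, 16) for t in tokens)


def scan(needle: bytes, samples: dict) -> list:
    """Names of the samples whose content contains the searched bytes,
    i.e. a plain case-sensitive YARA text-string match."""
    return sorted(name for name, data in samples.items() if needle in data)


# The three string forms from the issue, as raw Python strings so the
# backslashes are exactly what would appear inside the rule file.
ORIGINAL = r'\x63\x63\x73\x61\x76\x65\x5F\x63\x63\x5F\x6E\x75\x6D\x62\x65\x72'
REVISED = r'\\x63\\x63\\x73\\x61\\x76\\x65\\x5F\\x63\\x63\\x5F\\x6E\\x75\\x6D\\x62\\x65\\x72'
HEX_FORM = '63 63 73 61 76 65 5F 63 63 5F 6E 75 6D 62 65 72'

# Constructed samples for this example, not files from any real shop.
SAMPLES = {
    # Legitimate template referencing the ccsave field by its plain name.
    "legit_ccsave_form.phtml": b'<input name="payment[cc_number]" id="ccsave_cc_number" />',
    # Skimmer-style obfuscation: the field name spelled out with \x escapes,
    # so a grep for "ccsave_cc_number" finds nothing.
    "skimmer.php": b'<?php $f = "\\x63\\x63\\x73\\x61\\x76\\x65\\x5F\\x63\\x63\\x5F\\x6E\\x75\\x6D\\x62\\x65\\x72"; ?>',
    # Unrelated file.
    "index.php": b'<?php echo "hello"; ?>',
}


def compare_rules(samples: dict = SAMPLES) -> dict:
    """Decode each rule form and report what it would hit in the samples."""
    original = yara_text_string_to_bytes(ORIGINAL)
    revised = yara_text_string_to_bytes(REVISED)
    hex_form = yara_hex_string_to_bytes(HEX_FORM)
    return {
        "original_decodes_to": original,   # b'ccsave_cc_number': plain text
        "hex_decodes_to": hex_form,        # identical bytes to the original rule
        "revised_decodes_to": revised,     # the escaped text itself
        "original_matches": scan(original, samples),  # the legit file: the FP
        "revised_matches": scan(revised, samples),    # the obfuscated skimmer
    }


if __name__ == "__main__":
    for key, value in compare_rules().items():
        print(f"{key}: {value!r}")
```

The decoder is the whole point: once the rule string is reduced to bytes, it is obvious that the original rule and the `{ 63 63 ... }` hex string are the same search, and that neither of them can ever hit the escaped form found in obfuscated code. When writing rules for escaped payloads, keep the escaped text in a raw test fixture and check both the decoded bytes and the fixture hits before shipping.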