
'none' new token doesn't work as expected #1695

Closed
lupiotte opened this issue Apr 28, 2022 · 2 comments · Fixed by #1697

Comments

@lupiotte

Hello,

From my understanding, the "none" statement ("none" keyword https://github.com/VirusTotal/yara/pull/1559/files ) doesn't work as I expect ;). Indeed, even if a string appears in a scanned file, the expression using "none" will report a true condition.
I have leveraged different versions (yara-v4.2.1-1934-win64 / yara-master-1798-win64 / yara-4.2.0) with the same issue.
Tests done via official precompiled binaries (only x64 version tested) and executed under a Windows environment (W10).

BTW, you haven't included this in your rule tests (tests/test-rules.c), which should have highlighted this issue.

Something like:

```c
/* "mississippi" contains $c ("ssi"), so "none of them" must evaluate to false. */
assert_false_rule(
    "rule test { strings: $a = \"dummy1\" $b = \"dummy2\" $c = \"ssi\" "
    "condition: none of them }",
    TEXT_1024_BYTES "mississippi");

/* Same with a string set: $b2 ("ssi") is in ($a*, $b*) and matches. */
assert_false_rule(
    "rule test { strings: $a1 = \"dummy1\" $b1 = \"dummy2\" $b2 = \"ssi\" "
    "condition: none of ($a*, $b*) }",
    TEXT_1024_BYTES "mississippi");
```

Hope it helps.

Originally posted by @lupiotte in #1559 (comment)

@wxsBSD
Collaborator

wxsBSD commented Apr 28, 2022

I think you're right about this. I should have a fix up very soon.

@wxsBSD
Collaborator

wxsBSD commented Apr 28, 2022

At least in my defense this has nothing to do with the none keyword. You can get the same behavior with 0 of them as a condition. ;)

I think this is actually a long standing bug, but either way a fix is incoming!
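To make the failure mode concrete for rule writers, the following is an added example, not YARA's own code and not the reporter's tests: a small model of how an "N of <set>" quantifier is evaluated, once in the shape the thread describes for the pre-fix behaviour (only the "at least N" threshold is checked, so N == 0 is always satisfied) and once with the special 0 case handled. The `rule_string` type, `id_in_set`, `count_matches`, `of_buggy` and `of_fixed` are hypothetical helpers written for this illustration; the two rules and the "mississippi" input are the ones from the issue. The model uses plain substring search over text, not YARA's matching engine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A YARA-like string definition: identifier ("$a1") and the literal it
 * matches. Constructed for this example. */
typedef struct {
    const char *id;
    const char *text;
} rule_string;

/* Does identifier `id` fall into the set named by `pattern`?
 * "$a*" selects every identifier starting with "$a"; a pattern without a
 * trailing '*' must match exactly. Hypothetical helper, not YARA's own. */
static bool id_in_set(const char *id, const char *pattern) {
    size_t plen = strlen(pattern);
    if (plen > 0 && pattern[plen - 1] == '*')
        return strncmp(id, pattern, plen - 1) == 0;
    return strcmp(id, pattern) == 0;
}

/* Count how many strings from the selected set occur in `data`
 * (substring search over NUL-terminated text). A NULL `set` means
 * "them", i.e. every string defined in the rule. */
static int count_matches(const rule_string *strings, size_t n,
                         const char *const *set, size_t set_len,
                         const char *data) {
    int matches = 0;
    for (size_t i = 0; i < n; i++) {
        bool selected = (set == NULL);
        for (size_t j = 0; !selected && j < set_len; j++)
            selected = id_in_set(strings[i].id, set[j]);
        if (selected && strstr(data, strings[i].text) != NULL)
            matches++;
    }
    return matches;
}

/* "N of <set>" as the thread describes the pre-fix behaviour: only the
 * "at least N matched" threshold is checked, so N == 0 ("none") holds
 * even when strings did match. */
bool of_buggy(int n, const rule_string *strings, size_t count,
              const char *const *set, size_t set_len, const char *data) {
    return count_matches(strings, count, set, set_len, data) >= n;
}

/* Fixed evaluation: N == 0 is the special case that must mean
 * "nothing in the set matched". */
bool of_fixed(int n, const rule_string *strings, size_t count,
              const char *const *set, size_t set_len, const char *data) {
    int matches = count_matches(strings, count, set, set_len, data);
    if (n == 0)
        return matches == 0;
    return matches >= n;
}

/* The two rules from the issue and the sample input (constructed here). */
static const rule_string THEM[] = {
    {"$a", "dummy1"}, {"$b", "dummy2"}, {"$c", "ssi"}};
static const rule_string WILD[] = {
    {"$a1", "dummy1"}, {"$b1", "dummy2"}, {"$b2", "ssi"}};
static const char *const AB_SET[] = {"$a*", "$b*"};
static const char *const SAMPLE = "mississippi";

/* True when the buggy evaluator reports "none of ..." as satisfied on
 * the sample while the fixed one rejects it, i.e. the issue reproduces. */
bool reproduces_issue(void) {
    bool buggy_them = of_buggy(0, THEM, 3, NULL, 0, SAMPLE);
    bool fixed_them = of_fixed(0, THEM, 3, NULL, 0, SAMPLE);
    bool buggy_wild = of_buggy(0, WILD, 3, AB_SET, 2, SAMPLE);
    bool fixed_wild = of_fixed(0, WILD, 3, AB_SET, 2, SAMPLE);
    return buggy_them && !fixed_them && buggy_wild && !fixed_wild;
}

int main(void) {
    printf("none of them on \"%s\": buggy=%d fixed=%d\n", SAMPLE,
           of_buggy(0, THEM, 3, NULL, 0, SAMPLE),
           of_fixed(0, THEM, 3, NULL, 0, SAMPLE));
    printf("none of ($a*, $b*) on \"%s\": buggy=%d fixed=%d\n", SAMPLE,
           of_buggy(0, WILD, 3, AB_SET, 2, SAMPLE),
           of_fixed(0, WILD, 3, AB_SET, 2, SAMPLE));
    return reproduces_issue() ? 0 : 1;
}
```

The point for anyone writing exclusion logic in rules: with the buggy threshold check, "none of them" and "0 of them" are tautologies, so a rule relying on them to suppress matches never suppresses anything; the fixed evaluator still returns true for "none of them" when nothing matches, and "1 of them" behaves the same in both versions.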

wxsBSD added a commit to wxsBSD/yara that referenced this issue Apr 28, 2022
As discussed in VirusTotal#1695, there is an
issue with some expressions involving "0" (and by extension "none"). If you
said "0 of them" and one of them matched we would evaluate that expression to
true because we never checked for the special 0 case.

Turns out this bug has existed for a while now but was likely never triggered
because not many people would say "0 of them" before the "none" keyword came
around. However, the author of the issue is correct that this should have been
exposed with better tests when I implemented the none keyword.

Fixes VirusTotal#1695.
plusvic pushed a commit that referenced this issue Apr 28, 2022
As discussed in #1695, there is an
issue with some expressions involving "0" (and by extension "none"). If you
said "0 of them" and one of them matched we would evaluate that expression to
true because we never checked for the special 0 case.

Turns out this bug has existed for a while now but was likely never triggered
because not many people would say "0 of them" before the "none" keyword came
around. However, the author of the issue is correct that this should have been
exposed with better tests when I implemented the none keyword.

Fixes #1695.