problem encountered with loki when search for a hash #95
Comments
Yes, it's a bug in yara-python. See the issue that I've opened here:
I was able to get the hash errors to stop on kali-rolling after installing libssl-dev. After that, constructing the virtualenv and running Loki seems to work just fine with no warnings.
At this point, Loki seems to be happy and runs with
I was chasing GitHub issues and managed to find a lead at TheHive-Project/Cortex-Analyzers#62 that pointed towards the missing package.
Is there any workaround with this? libssl-dev is not available on macOS and openssl is 1.0.2s
I'd say that this is a YARA issue and only indirectly related to LOKI.
Isn't it?
Please ask these questions in YARA's GitHub issues section.
https://github.com/VirusTotal/yara/issues
On Mon 8. Jul 2019 at 18:59, Brian Tate <***@***.***> wrote:
Is there any workaround with this? libssl-dev is not available on macOS
and openssl is 1.0.2s
--
Florian Roth
Key material (Keybase, S/MIME, PGP, Threema):
https://keybase.pub/johngalt/
Hello,
I encountered a problem when I used Loki with an unconventional search for hashes (MD5, SHA1, SHA256).
Let me explain:
For some reason, I don't want to search for a hash (for instance an MD5 one) with the full hash. So I used a partial hash (e.g. the first 10 characters of the MD5 instead of 32).
Hence, I can't use the useful raw file .\loki\signature-base\iocs\hash-iocs.txt. So I tried to use a YARA rule for this purpose, like this one:
import "hash"
// placeholder kept from the report: substitute the first 10 hex characters of the MD5
rule md5_<10 first char>
{
    // the section keyword is "condition", not "conditions"
    condition:
        hash.md5(0, filesize) contains "<10 first char>"
}
The problem is that Loki generates an error during the initialization phase and the rule is not valid:
'SyntaxError: : invalid field name "md5" '
Nevertheless, the rule is valid and works well when I use it with YARA in versions from 3.4 to 3.7 (import "hash" is not supported in versions prior to 3.4).
The problem with Loki is the same in Windows and Linux environments, and when I use, for both of them, the executable version of Loki and the Python version (Python 2.7 and 3.6, with the yara-python module installed).
Do you know about this problem? Is it a bug?
How can I fix this problem?
Thank you.
Regards.
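Added example, written for this page and not code from the Loki project or from anyone in this thread. It serves both the report above and the libssl-dev comment: it probes whether the local yara-python build actually exposes the hash module (the 'invalid field name "md5"' symptom is what a build without libcrypto produces, which is why installing libssl-dev and rebuilding fixed it in the thread), and it shows the partial-MD5 idea with a plain hashlib fallback when the module is not there. `yara` (yara-python) is optional; `SAMPLE` is constructed bytes rather than a real file, and the function names are mine.

```python
"""Tell a missing YARA hash module apart from a broken rule, and match a
partial MD5 either through YARA or through hashlib."""
import hashlib

try:
    import yara  # yara-python; optional, the fallback path needs only hashlib
except ImportError:
    yara = None

HEX = set("0123456789abcdef")

# Constructed sample bytes standing in for a file on disk; not a real sample.
SAMPLE = b"MZ\x90\x00 constructed sample for the partial-hash demo\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()
SAMPLE_PREFIX = SAMPLE_MD5[:10]

# Minimal rule used only to probe whether the hash module's functions exist.
PROBE_RULE = (
    'import "hash"\n'
    'rule hash_probe { condition: hash.md5(0, filesize) contains "00" }\n'
)


def partial_md5_rule(prefix, name=""):
    """Return the rule from the report, with the keyword spelled `condition:`.

    `contains` is a substring test, so the rule fires if the fragment appears
    anywhere in the 32-character hex digest, not only at its start.
    """
    prefix = prefix.lower()
    if not prefix or set(prefix) - HEX:
        raise ValueError("prefix must be hexadecimal")
    name = name or "md5_" + prefix
    return (
        'import "hash"\n'
        "rule " + name + "\n"
        "{\n"
        "    condition:\n"
        '        hash.md5(0, filesize) contains "' + prefix + '"\n'
        "}\n"
    )


def hash_module_status():
    """Classify the local yara-python build.

    Returns one of:
      "ok"       - the hash module compiles and can be used
      "missing"  - compile failed with 'invalid field name', the symptom from
                   this thread (yara-python built without libcrypto)
      "error"    - some other YARA compile error
      "no-yara"  - yara-python is not importable at all
    together with the error text, if any.
    """
    if yara is None:
        return "no-yara", "yara-python is not importable"
    try:
        yara.compile(source=PROBE_RULE)
    except yara.Error as exc:  # yara.SyntaxError is a subclass of yara.Error
        text = str(exc)
        return ("missing" if "invalid field name" in text else "error"), text
    return "ok", ""


def match_partial_md5(data, prefix):
    """True if `prefix` occurs in the MD5 hex digest of `data`.

    Uses the YARA rule when the hash module works (the same path a rule file
    takes in a scanner), otherwise computes the digest with hashlib. Both
    paths apply the same substring semantics as the rule's `contains`.
    """
    status, _ = hash_module_status()
    if status == "ok":
        rules = yara.compile(source=partial_md5_rule(prefix))
        return len(rules.match(data=data)) > 0
    return prefix.lower() in hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    status, detail = hash_module_status()
    print("hash module:", status, detail)
    print("sample md5 :", SAMPLE_MD5)
    print("rule fires :", match_partial_md5(SAMPLE, SAMPLE_PREFIX))
```

Run it on the machine where Loki reports the error: "missing" means the rebuild with OpenSSL headers present (libssl-dev on Debian-based systems) is the fix, "error" means the rule itself is at fault, and "no-yara" means the module is not in the interpreter Loki runs under. Note that a 10-character fragment matched with `contains` can hit anywhere in the digest; if the intent is a prefix, compare against `hexdigest()[:10]` in the fallback instead.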