Thank you for the fast reply,
Sorry for bothering you again. I am missing something in this huge project.
I cannot understand why both functions, cli_bm_scanbuff and
cli_ac_scanbuff, are called in one cli_scandesc() function call.
I have just one signature in the database and for me it was obvious that
the file would be scanned once, using either AC or BM. But both algorithms are
used. Have a look below:
Here is output:
--------------output-------------
groot->maxpatlen: 24
troot->ac_only IN TROOT!!!1
<<<<<<<<<<<cli_ac_scanbuff_function_call>>>>>>>>>>>><<<<<<<<<<<root->ac_root6488480>>>>>>>>>>>>
RET IN TROOT!!!0
groot->ac_only IN GROOT!!!0
<<<<<<<<<<<cli_bm_scanbuff_function_call>>>>>>>>>>>>><<<<<<<<<<<root6346288>>>>>>>>>>>>
RET IN GROOT!!!1
------------end_output---------------------
from this code:
------------code--------------------
if(troot) {
    printf("\ntroot->ac_only IN TROOT!!!%d \n", troot->ac_only);
    if(troot->ac_only || (ret = cli_bm_scanbuff(upt, length,
            ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS)
        ret = cli_ac_scanbuff(upt, length, ctx->virname, NULL, NULL,
            troot, &tdata, offset, ftype, desc, ftoffset, acmode, NULL);
    printf("\nRET IN TROOT!!!%d \n", ret);
    if(ret == CL_VIRUS) {
        free(buffer);
        if(!ftonly)
            cli_ac_freedata(&gdata);
<----------cut----------->
        else
            return CL_VIRUS;
    }
}
if(!ftonly) {
    printf("\ngroot->ac_only IN GROOT!!!%d \n", groot->ac_only);
    if(groot->ac_only || (ret = cli_bm_scanbuff(upt, length,
            ctx->virname, groot, offset, ftype, desc)) != CL_VIRUS)
        ret = cli_ac_scanbuff(upt, length, ctx->virname, NULL, NULL,
            groot, &gdata, offset, ftype, desc, ftoffset, acmode, NULL);
    printf("\nRET IN GROOT!!!%d \n", ret);
    if(ret == CL_VIRUS) {
        free(buffer);
        cli_ac_freedata(&gdata);
<----------cut----------->
--------------end_code------------------
Maybe there is something magical about groot & troot, but they just
point to a cli_matcher struct.
struct cli_matcher *groot = NULL, *troot = NULL;
struct cli_matcher {
    /* Extended Boyer-Moore */
    uint8_t *bm_shift;
    struct cli_bm_patt **bm_suffix;
    struct hashset md5_sizes_hs;
    uint32_t *soff, soff_len; /* for PE section sigs */
    uint32_t bm_patterns;
    /* Extended Aho-Corasick */
    uint32_t ac_partsigs, ac_nodes, ac_patterns, ac_lsigs;
    struct cli_ac_lsig **ac_lsigtable;
    struct cli_ac_node *ac_root, **ac_nodetable;
    struct cli_ac_patt **ac_pattable;
    uint8_t ac_mindepth, ac_maxdepth;
    uint16_t maxpatlen;
    uint8_t ac_only;
};
Am I missing something?
Best Regards,
Tom
On Tue, Dec 9, 2008 at 5:00 PM, Török Edwin <[EMAIL PROTECTED]> wrote:
> On 2008-12-09 18:51, Thomasz Blaszczyk wrote:
>> Thank you for answer,
>>
>> I have another question. I cannot figure out the meaning of ftonly and troot.
>> Can I get some explanation for these 2 variables?
>>
>> They are used in matcher.c [code snipped]:
>>
>> if(!ftonly && (ret = cli_ac_initdata(&gdata, groot->ac_partsigs,
>> groot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
>> return ret;
>>
>
> ft stands for filetype.
>
>> if(troot) {
>> if((ret = cli_ac_initdata(&tdata, troot->ac_partsigs,
>> troot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
>> return ret;
>> }
>
> Look at signatures.pdf again, in the .ndb format each pattern has a
> TargetType field, hence a different trie is used for each type.
>
> As for groot, there is a comment explaining what it is:
> groot = ctx->engine->root[0]; /* generic signatures */
>
>
> Best regards,
> --Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
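The dispatch Tom is asking about, reduced to a runnable model. This is an added example, not ClamAV's code: it assumes a hypothetical simplified root with a table of plain byte patterns (standing in for the Boyer-Moore side) and a table of patterns that may contain a single-byte '?' wildcard (standing in for the Aho-Corasick side), plus the ac_only flag. The scan functions are naive stand-ins, not the real algorithms; what the example shows is the control flow quoted above: BM is skipped when a root is ac_only, and AC still runs whenever BM did not hit, because the wildcard patterns live only in the AC side. The type-specific root (troot) is scanned before the generic root (groot), as in cli_scandesc(). The sample roots and buffers are constructed for the demo.

```c
/* Added example, not ClamAV code: a hypothetical model of the
 * "if(ac_only || bm_scan != CL_VIRUS) ret = ac_scan" dispatch in matcher.c. */
#include <stdio.h>
#include <string.h>

enum { CL_CLEAN = 0, CL_VIRUS = 1 };
#define MAX_PATTS 4

/* Hypothetical root: plain patterns go to the BM table, wildcard ('?')
 * patterns go to the AC table. ac_only means "no BM patterns in this root". */
struct matcher {
    const char *bm_patts[MAX_PATTS]; size_t bm_patterns;
    const char *ac_patts[MAX_PATTS]; size_t ac_patterns;
    int ac_only;
};

/* Stand-in for cli_bm_scanbuff: exact substring search over the plain table. */
static int bm_scanbuff(const char *buf, size_t len, const struct matcher *root,
                       const char **virname) {
    for (size_t i = 0; i < root->bm_patterns; i++) {
        const char *p = root->bm_patts[i];
        size_t plen = strlen(p);
        for (size_t off = 0; off + plen <= len; off++)
            if (memcmp(buf + off, p, plen) == 0) { *virname = p; return CL_VIRUS; }
    }
    return CL_CLEAN;
}

/* Stand-in for cli_ac_scanbuff: substring search where '?' matches any byte. */
static int ac_scanbuff(const char *buf, size_t len, const struct matcher *root,
                       const char **virname) {
    for (size_t i = 0; i < root->ac_patterns; i++) {
        const char *p = root->ac_patts[i];
        size_t plen = strlen(p);
        for (size_t off = 0; off + plen <= len; off++) {
            size_t k = 0;
            while (k < plen && (p[k] == '?' || p[k] == buf[off + k])) k++;
            if (k == plen) { *virname = p; return CL_VIRUS; }
        }
    }
    return CL_CLEAN;
}

/* Same logic as "if(ac_only || (ret = bm(...)) != CL_VIRUS) ret = ac(...)",
 * written out so the caller can record which passes actually ran. */
static int scan_root(const char *buf, size_t len, const struct matcher *root,
                     const char **virname, int *bm_ran, int *ac_ran) {
    int ret = CL_CLEAN;
    *bm_ran = *ac_ran = 0;
    if (!root->ac_only) { *bm_ran = 1; ret = bm_scanbuff(buf, len, root, virname); }
    if (root->ac_only || ret != CL_VIRUS) { *ac_ran = 1; ret = ac_scanbuff(buf, len, root, virname); }
    return ret;
}

/* Mirrors cli_scandesc(): type-specific root first (if any), then generic root.
 * *passes counts how many BM/AC passes were run in total. */
static int scan_desc(const char *buf, size_t len, const struct matcher *troot,
                     const struct matcher *groot, const char **virname, int *passes) {
    int bm, ac, ret;
    *passes = 0;
    if (troot) {
        ret = scan_root(buf, len, troot, virname, &bm, &ac);
        *passes += bm + ac;
        if (ret == CL_VIRUS) return ret;
    }
    ret = scan_root(buf, len, groot, virname, &bm, &ac);
    *passes += bm + ac;
    return ret;
}

/* Constructed demo roots: the type-specific root holds only a wildcard
 * signature (hence ac_only), the generic root holds one plain and one
 * wildcard signature. */
static const struct matcher demo_troot = { .ac_patts = { "EV?L" }, .ac_patterns = 1, .ac_only = 1 };
static const struct matcher demo_groot = { .bm_patts = { "MALWARE" }, .bm_patterns = 1,
                                           .ac_patts = { "B?D" }, .ac_patterns = 1, .ac_only = 0 };

/* Scans a NUL-terminated constructed buffer against the demo roots. */
int demo_scan(const char *buf, int *passes, const char **virname) {
    *virname = NULL;
    return scan_desc(buf, strlen(buf), &demo_troot, &demo_groot, virname, passes);
}

int main(void) {
    const char *inputs[] = { "hello world", "xx MALWARE xx", "xx BAD xx", "xx EVIL xx" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int passes; const char *v;
        int ret = demo_scan(inputs[i], &passes, &v);
        printf("%-16s -> %s (%d scan passes%s%s)\n", inputs[i],
               ret == CL_VIRUS ? "CL_VIRUS" : "CL_CLEAN", passes,
               v ? ", matched " : "", v ? v : "");
    }
    return 0;
}
```

Running it shows why a single signature still costs more than one pass: a clean buffer goes through the AC pass on troot (BM skipped because ac_only is set) and then both BM and AC on groot, three passes in all; a plain-pattern hit on groot stops after BM, while a wildcard hit is only found by the AC pass that follows a clean BM result.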