On Sun, 2008-01-27 at 16:44 -0500, xue wen wrote:
> The signature I have made up is like this:
>
> Worm.Yawen (Clam)=61*7c62
>
> where "617c62" means "a|b". Once I add the wildcard into this signature,
> there will be an error, no matter whether I put it into a .db or .ndb file.
> Is there something wrong with the way I build my signature?

As I've pointed out in a related post 2 days ago, there seems to be a
limitation on the signatures and minimum lengths of sub-signatures, when
wildcards are involved.

A single char before the wildcard does not work. You'll need at least 2
chars before and after the wildcard.

    6161*6262

The above will match any stream, that contains two consecutive 'a', and
two consecutive 'b' at any point later. Oh, and this time, I checked by
building a sig. ;)

guenther
--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
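
An added example, not part of the original thread and not ClamAV code: a small Python pre-check that splits a hex body signature on '*' and flags sub-signatures shorter than the 2-byte minimum reported in the reply above, plus a simplified emulation of the '*' match. The function names and the MIN_SUBSIG_BYTES constant are assumptions made for this illustration; only plain hex and '*' are handled.

```python
import re

# Assumption: the 2-byte minimum is the behaviour reported in the reply above,
# not a value taken from ClamAV's documentation or source.
MIN_SUBSIG_BYTES = 2

def split_subsigs(hexsig):
    """Split a hex body signature on '*' and decode each literal part to bytes."""
    parts = hexsig.strip().lower().split("*")
    for p in parts:
        if not re.fullmatch(r"(?:[0-9a-f]{2})*", p):
            raise ValueError(f"not plain hex (only '*' is handled here): {p!r}")
    return [bytes.fromhex(p) for p in parts]

def lint(hexsig):
    """Return a list of problems; an empty list means the check passes."""
    subsigs = split_subsigs(hexsig)
    if len(subsigs) == 1:
        return []  # no wildcard, so the length limit from the thread does not apply
    return [
        f"sub-signature {i} ({s.hex() or 'empty'}) is {len(s)} byte(s), "
        f"need >= {MIN_SUBSIG_BYTES}"
        for i, s in enumerate(subsigs)
        if len(s) < MIN_SUBSIG_BYTES
    ]

def matches(hexsig, data):
    """Simplified '*' emulation: every part must occur, in order, in data."""
    pos = 0
    for part in split_subsigs(hexsig):
        idx = data.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True

if __name__ == "__main__":
    # The two signatures from the thread.
    for sig in ("61*7c62", "6161*6262"):
        print(sig, lint(sig) or "ok")
    # Constructed sample buffers, not real malware data.
    for sample in (b"xxaa....bbxx", b"bb..aa", b"a|b"):
        print(sample, matches("6161*6262", sample))
```
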