On Sun, 2008-01-27 at 17:03 -0500, xue wen wrote:
> I just want to learn the format of ClamAV's signature. So I tried to build a
> signature containing a wildcard by myself. The example I used is as follows:
>
> I have made up a signature of: Worm.Yawen (Clam)=61*7c62
> where "617c62" means "a|b".
I believe this will match the string 'a|b' literally. If you want an
alternation, to match either 'a' or 'b', only hex encode the strings.
The wildcard stuff must not be hex encoded.
(61|62)
Caveat: Going from my understanding of the not-so-fine sig manual, I
have not tested this. ;)
> Then I put this signature into a .db file. When
> I didn't add the * in the signature, it can be used to match the string of
> a|b. But once I added the * into the signature, there was an error like
> this:
>
> LibClamAV Error: cli_parse_add(): Problem adding signatures (2).
> Problem parsing signature at line 1
> Problem parsing database at line 1
> Can't load daily.db: Malformed database
> ERROR: Malformed database
>
> What is wrong in my method of building the signature with wildcard?
As Török already told you Fri, wildcard signatures go into a .ndb file.
guenther
--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
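
The distinction drawn in the reply, as an added example that is not part of the original message or of ClamAV's code: a small translator from a signature body to a Python bytes regex, showing that `617c62` matches the literal bytes `a|b`, that `(61|62)` is an alternation, and that `61*7c62` uses a wildcard and so belongs in a .ndb file. It covers only hex bytes, `??`, `*` and `(aa|bb)`; the function names `compile_sig`, `matches` and `db_extension` are hypothetical and the sample inputs are constructed.

```python
import re

# Subset of the hex-signature body syntax: hex bytes, ??, * and (aa|bb).
TOKEN = re.compile(r"""
    (?P<byte>[0-9a-fA-F]{2})                                     # literal byte
  | (?P<any>\?\?)                                                # any one byte
  | (?P<star>\*)                                                 # any run of bytes
  | \((?P<alt>(?:[0-9a-fA-F]{2})+(?:\|(?:[0-9a-fA-F]{2})+)*)\)   # alternation
""", re.VERBOSE)

def compile_sig(body):
    """Translate a signature body to (compiled bytes regex, uses_wildcards)."""
    pos, parts, wild = 0, [], False
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if m is None:
            raise ValueError(f"cannot parse {body[pos:pos + 4]!r} at offset {pos}")
        if m["byte"]:
            # A hex-encoded 7c is just the byte '|', never an operator.
            parts.append(re.escape(bytes.fromhex(m["byte"])))
        else:
            wild = True
            if m["any"]:
                parts.append(b".")
            elif m["star"]:
                parts.append(b".*?")
            else:
                alts = [re.escape(bytes.fromhex(a)) for a in m["alt"].split("|")]
                parts.append(b"(?:" + b"|".join(alts) + b")")
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL), wild

def matches(body, data):
    """True if the signature body matches anywhere in data."""
    return compile_sig(body)[0].search(data) is not None

def db_extension(body):
    """Plain hex fits a .db file; wildcards need .ndb, as the reply says."""
    return ".ndb" if compile_sig(body)[1] else ".db"

if __name__ == "__main__":
    # Constructed sample inputs.
    for body, data in [("617c62", b"xa|by"), ("617c62", b"b"),
                       ("(61|62)", b"b"), ("61*7c62", b"a....|b")]:
        print(body, data, matches(body, data), db_extension(body))
```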