On 2009-07-01 06:32, rayeaster wrote:
> hi, everyone, 
>
> I am doing some kind of research on string match right now and I was trying
> to use ClamAV signatures (daily.ndb and main.ndb, obtained by sigtool) as a
> simulation source.
> but I do not know how to retrieve the original signatures which are
> encrypted with MD5 in a file format: ndb, right?

Wrong, signatures in .ndb files are simple hex signatures; they are not
encrypted in any way ;)
See signatures.pdf for details.

> so if I wanna turn
> those encrypted sigs back, or say decrypt them, what exactly can I do?
>   

You can't "decrypt" MD5; at most you can obtain a collision (a file with
the same MD5), but that requires a huge amount of computing resources, and time.
Fortunately you don't have to: MD5 signatures are in .hdb and .mdb files.

If all you need is to understand .ndb files, then you simply need to
read in hexadecimal.

> thank you very much~
> Really really appreciate your help~
>
> P.S.,
> some examples of .ndb rule: 
> Trojan.Packed-6:1:EP+0:807c2408015690eb
> Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f
>   
For example, Email.Phishing.RB-1738 begins with http://www

Best regards,
--Edwin
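
The "read in hexadecimal" step from the reply above, as an added example (not part of the original messages and not ClamAV's own code): a small parser for the Name:TargetType:Offset:HexSignature layout of the two quoted rules, which also splits literal byte runs from wildcard tokens. The function names, the target-type labels and the wildcard token set are assumptions based on ClamAV's signature documentation, and the third sample line is constructed.

```python
import re
from dataclasses import dataclass

# Target type codes per ClamAV's signature documentation (assumed subset).
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "mail",
                5: "graphics", 6: "ELF", 7: "ASCII text"}

# A run of whole hex bytes, or one wildcard token: ??, a?, ?a, *, {n}, {n-m}, (aa|bb).
TOKEN = re.compile(r"(?P<lit>(?:[0-9a-fA-F]{2})+)"
                   r"|(?P<wild>\?\?|[0-9a-fA-F]\?|\?[0-9a-fA-F]|\*|\{[0-9-]+\}|!?\([^)]*\))")

@dataclass
class NdbSignature:
    name: str
    target: str
    offset: str
    parts: list  # bytes = literal run to match, str = wildcard token

def parse_ndb_line(line):
    """Split one .ndb line into its fields and tokenize the hex body."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    name, target, offset, body = fields[:4]
    parts, pos = [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:  # finditer skips unmatched text, so check for gaps
            raise ValueError(f"unrecognized text at column {pos}")
        parts.append(bytes.fromhex(m["lit"]) if m["lit"] else m["wild"])
        pos = m.end()
    if pos != len(body):
        raise ValueError(f"unrecognized text at column {pos}")
    label = TARGET_TYPES.get(int(target), target) if target.isdigit() else target
    return NdbSignature(name, label, offset, parts)

def printable(data):
    """Render bytes as ASCII, with '.' for non-printable values."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

SAMPLES = [
    "Trojan.Packed-6:1:EP+0:807c2408015690eb",  # from the message above
    "Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f",
    "Constructed.Example-1:0:*:68656c6c6f??776f726c64*2121",  # constructed sample
]

if __name__ == "__main__":
    for sample in SAMPLES:
        sig = parse_ndb_line(sample)
        shown = [printable(p) if isinstance(p, bytes) else p for p in sig.parts]
        print(sig.name, sig.target, sig.offset, shown)
```

For string-matching experiments, the `bytes` entries in `parts` are the literal patterns; the `str` entries mark where a plain multi-pattern matcher would need gap handling.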