Hi, Edwin, thank you very, very much~ your answer saved me a lot of time and energy~ I really appreciate your help. But I get somewhat confused by a phenomenon: in ClamAV .ndb sigs, the common prefixes between different sigs are quite few and short, or say, any two sigs have very few identical symbols (maybe in hex format) if you start comparing them from the beginning to the end. However, in SNORT, the sigs abstracted from its "CONTENT" part, which is similar to ClamAV sigs to some extent because both mainly concern pure string filtering without complex regular expressions, have relatively much more shared common prefix than ClamAV. Is there any intrinsic philosophy hidden behind this, or is it just my false guessing?
thanks~

Török Edwin wrote:
>
> On 2009-07-01 06:32, rayeaster wrote:
>> hi, everyone,
>>
>> I am doing some kind of research on string match right now and I was
>> trying to use ClamAV-signatures (daily.ndb and main.ndb, obtained by sigtool)
>> as a simulation source.
>> but I do not know how to retrieve the original signatures which are
>> encrypted with MD5 in a file format: ndb, right?
>
> Wrong, signatures in .ndb files are simple hex signatures, they are not
> encrypted in any way ;)
> See signatures.pdf for details.
>
>> so if I wanna turn
>> those encrypted sigs back, or say decrypt them, what exactly can I do?
>>
>
> You can't "decrypt" MD5, at most you can obtain a collision (a file with
> the same MD5) but
> that requires a huge amount of computing resources, and time.
> Fortunately you don't have to, MD5 signatures are in .hdb and .mdb files.
>
> If all you need is to understand .ndb files, then you simply need to
> read in hexadecimal.
>
>> thank you very much~
>> Really really appreciate your help~
>>
>> P.S.,
>> some examples of .ndb rule:
>> Trojan.Packed-6:1:EP+0:807c2408015690eb
>> Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f
>>
> For example Email.Phishing.RB-1738 begins with http://www
>
> Best regards,
> --Edwin
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

--
View this message in context: http://www.nabble.com/how-to-get-rid-of-the-MD5-in-.ndb-sig-files-tp24282870p24285639.html
Sent from the clamav-users mailing list archive at Nabble.com.
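As an added example (not part of this thread and not ClamAV's own code), the following Python does what Edwin describes: it parses .ndb lines using the name:target_type:offset:hex_signature layout from signatures.pdf, decodes the hex body back to bytes, and then measures the pairwise common prefix between signatures, which is the property the question above is asking about. The two signature lines from the thread are used as input; the other two sample lines are constructed here to show a wildcard body and a pair that does share a prefix. Wildcard handling is a simplification made for this example: the literal prefix is taken as the run of hex digits before the first non-hex character (ClamAV's `??`, `*`, `{n-m}` and similar tokens), which is enough for a prefix comparison but is not a full signature parser.

```python
import re
from itertools import combinations

# Constructed sample .ndb content. The first two lines are the ones quoted in
# the thread; the last two are made up here to show a wildcard body and a pair
# of signatures that share a literal prefix.
SAMPLE_NDB = """\
Trojan.Packed-6:1:EP+0:807c2408015690eb
Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f
Example.Phish.A:4:*:687474703a2f2f7777772e6578616d706c652e636f6d2f*6c6f67696e
Example.Packed.B:1:EP+0:807c2408??5690
"""


def parse_ndb(text):
    """Parse .ndb lines into dicts.

    Field layout assumed from signatures.pdf:
        MalwareName:TargetType:Offset:HexSignature
    Blank lines and '#' comments are skipped.
    """
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.split(":", 3)
        sigs.append({"name": name, "target": int(target),
                     "offset": offset, "hex": hexsig})
    return sigs


def literal_prefix(hexsig):
    """Decode the literal hex run at the start of a signature body.

    Stops at the first character that is not a hex digit (a wildcard such
    as '??', '*' or '{n-m}'); this is a simplification made for this example.
    An odd trailing nibble is dropped so the run decodes to whole bytes.
    """
    literal = re.match(r"[0-9a-fA-F]*", hexsig).group(0)
    literal = literal[: len(literal) - len(literal) % 2]
    return bytes.fromhex(literal)


def common_prefix_len(a, b):
    """Number of leading bytes shared by two byte strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def prefix_report(sigs):
    """Pairwise shared-prefix length (in bytes) of the literal signature starts."""
    report = {}
    for s, t in combinations(sigs, 2):
        report[(s["name"], t["name"])] = common_prefix_len(
            literal_prefix(s["hex"]), literal_prefix(t["hex"]))
    return report


def printable(data):
    """Render bytes as text, escaping anything outside printable ASCII."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in data)


if __name__ == "__main__":
    sigs = parse_ndb(SAMPLE_NDB)
    for s in sigs:
        print("%-24s target=%d offset=%-5s %s" % (
            s["name"], s["target"], s["offset"], printable(literal_prefix(s["hex"]))))
    print()
    for (a, b), n in prefix_report(sigs).items():
        print("%-24s %-24s shared prefix: %d bytes" % (a, b, n))
```

Running it shows Email.Phishing.RB-1738 decoding to `http://www.posteinc.com/`, while Trojan.Packed-6 decodes to non-text bytes (it is matched at EP+0, the entry point, so it is code rather than a string). The report also shows the effect behind the question: the two phishing URL signatures share 11 bytes (`http://www.`), whereas a code signature and a URL signature share nothing at all.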
