On 12/20/2010 9:34 AM, Bill Landry wrote:
On 12/20/2010 2:04 AM, Tomasz Kojm wrote:
On Sun, 19 Dec 2010 10:31:43 -0800 Bill Landry<[email protected]> wrote:
I've been doing some testing with some of the new signature wildcards,
in particular:
• (B)
Match word boundary (including file boundaries).
• (L)
Match CR, CRLF or file boundaries.
I've found that both of these wildcards work when used singularly in any
of the following combinations:
SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)
SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)
SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(L)
SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)
However, I would like to combine them on both sides of the hex
signature, but none of the following combinations work without causing
errors:
SpamDomain.example_com:4:*:(B|L)6578616d706c652e636f6d(B|L)
SpamDomain.example_com:4:*:(B)(L)6578616d706c652e636f6d(B)(L)
SpamDomain.example_com:4:*:((B)|(L))6578616d706c652e636f6d((B)|(L))
Is there a way to combine these two wildcards into a single hex
signature so that it can detect any of the following combinations in an
email message:
Hi Bill,
the word boundary (B) also acts as a line marker (L), so there's no need
for using both of them at the same time.
Yes, but the (B)...(B) boundary does not work without using the
(L)...(B) boundary in these two scenarios:
beginning of line CR, CRLF boundary and word boundary (L)...(B):
================================================================
This is
example.com test message.
beginning and end of line CR, CRLF boundary (L)...(L):
======================================================
This is
example.com
test message.
===
where the domain name starts at the beginning of the line. It would
work great with (B)...(B) if the (B) boundary supported beginning of
line detection:
^example.com
Can this be added to the (B) boundary detection?
Any further thoughts on this?
Thanks,
Bill
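The signature lines quoted in this thread, run through a small checker, as an added example that is not part of the original messages and not ClamAV's own parser. The function name `parse_ndb` and the result fields are hypothetical; the sketch assumes a plain hex body with at most one `(B)` or `(L)` marker on each side, which is the only form the thread reports as loading without errors.

```python
import re

# One boundary marker, as used in the thread: (B) or (L).
LEAD = re.compile(r"\((B|L)\)")
TRAIL = re.compile(r"\((B|L)\)$")
PLAIN_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")

def parse_ndb(line):
    """Split 'Name:Target:Offset:HexSig' and classify its boundary markers."""
    name, target, offset, body = line.strip().split(":", 3)
    info = {"name": name, "target": int(target), "offset": offset,
            "lead": None, "trail": None, "text": None, "problems": []}
    m = LEAD.match(body)
    if m:                                   # strip one leading marker
        info["lead"], body = m.group(1), body[m.end():]
    m = TRAIL.search(body)
    if m:                                   # strip one trailing marker
        info["trail"], body = m.group(1), body[:m.start()]
    if PLAIN_HEX.fullmatch(body):
        info["text"] = bytes.fromhex(body).decode("latin-1")
    else:
        # Limitation of this sketch: other wildcards are not handled, so
        # anything left over (e.g. stacked or alternated markers) is flagged.
        info["problems"].append("body is not plain hex after one marker per side")
    return info

# Signature lines copied from the thread: four single-marker forms,
# then the three combined forms reported as causing errors.
SAMPLES = [
    "SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)",
    "SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)",
    "SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(L)",
    "SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)",
    "SpamDomain.example_com:4:*:(B|L)6578616d706c652e636f6d(B|L)",
    "SpamDomain.example_com:4:*:(B)(L)6578616d706c652e636f6d(B)(L)",
    "SpamDomain.example_com:4:*:((B)|(L))6578616d706c652e636f6d((B)|(L))",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_ndb(s)
        status = "flagged" if r["problems"] else "ok"
        print(status, r["lead"], r["text"], r["trail"])
```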