On 12/23/2010 1:57 PM, Henrik K wrote:
On Thu, Dec 23, 2010 at 11:28:31PM +0200, Török Edwin wrote:
On 2010-12-23 23:20, Bill Landry wrote:
On 12/20/2010 9:34 AM, Bill Landry wrote:
On 12/20/2010 2:04 AM, Tomasz Kojm wrote:
On Sun, 19 Dec 2010 10:31:43 -0800 Bill Landry <[email protected]> wrote:
I've been doing some testing with some of the new signature wildcards,
in particular:
? (B)
Match word boundary (including file boundaries).
? (L)
Match CR, CRLF or file boundaries.
I've found that both of these wildcards work when used singularly in any
of the following combinations:
SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)
SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)
SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(L)
SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)
However, I would like to combine them on both sides of the hex
signature, but none of the following combinations work without causing
errors:
SpamDomain.example_com:4:*:(B|L)6578616d706c652e636f6d(B|L)
SpamDomain.example_com:4:*:(B)(L)6578616d706c652e636f6d(B)(L)
SpamDomain.example_com:4:*:((B)|(L))6578616d706c652e636f6d((B)|(L))
Is there a way to combine these two wildcards into a single hex
signature so that it can detect any of the following combinations in an
email message:
Hi Bill,
the word boundary (B) also acts as a line marker (L), so there's no need
for using both of them at the same time.
Yes, but the (B)...(B) boundary does not work without using the
(L)...(B) boundary in these two scenarios:
beginning of line CR, CRLF boundary and word boundary (L)...(B):
================================================================
This is
example.com test message.
beginning and end of line CR, CRLF boundary (L)...(L):
======================================================
This is
example.com
test message.
===
where the domain name starts at the beginning of the line. It would work
great with (B)...(B) if the (B) boundary supported beginning of
line detection:
^example.com
Can this be added to the (B) boundary detection?
(B)6578616d706c652e636f6d
Any further thoughts on this?
This matches example.com at beginning of line, or at a word boundary:
Foo:0:*:(B)6578616d706c652e636f6d
===== cat test.mail =====
Return-Path: x
Received: x
Xxx
example.com
xxX
=====================
Foo:4:*:(B)6578616d706c652e636f6d(B)
test.mail: OK
Foo:4:*:6578616d706c652e636f6d
test.mail: Foo.UNOFFICIAL FOUND
Foo:0:*:(B)6578616d706c652e636f6d(B)
test.mail: Foo.UNOFFICIAL FOUND
Obviously we want to match mail files here, seems there's a bug handling it.
Yes indeed, the target type needs to be set to "4" (mail file) or we
miss all encoded emails.
Bill
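As an added example that is not part of the thread and not ClamAV's own matcher, the following Python approximates the (B) and (L) anchor semantics described above and runs the (B)...(B), (L)...(B), (L)...(L) and unanchored bodies over constructed messages built from Bill's scenarios. It assumes a "word" byte is [0-9A-Za-z_] and that a line break is CR, LF or CRLF; the target type is parsed but not modelled, so it only shows that a (B) anchor already accepts a line start, which is the point Tomasz and Edwin made.

```python
import re

# Added example, not ClamAV's own matcher: an approximation of how the (B)
# and (L) anchors of an ndb-style hex signature body are interpreted.
# Assumed semantics: (B) = word boundary, a "word" byte being [0-9A-Za-z_],
# which also holds at file start/end; (L) = file boundary or a line break
# (CR, LF or CRLF) on that side of the string.
ANCHOR_BEFORE = {b"(B)": rb"(?<![0-9A-Za-z_])", b"(L)": rb"(?:\A|(?<=[\r\n]))"}
ANCHOR_AFTER = {b"(B)": rb"(?![0-9A-Za-z_])", b"(L)": rb"(?=[\r\n]|\Z)"}
BODY_RE = re.compile(rb"^(\([BL]\))?([0-9A-Fa-f]+)(\([BL]\))?$")


def compile_signature(signature: str) -> re.Pattern:
    """Turn 'Name:Target:Offset:Body' into a compiled bytes regex.

    Only the '*' offset is handled, and the target type is parsed but not
    modelled, so the mail-target (4) problem seen in the thread is not
    reproduced here; the anchors alone are.
    """
    name, _target, offset, body = signature.split(":", 3)
    if offset != "*":
        raise ValueError(f"{name}: only the '*' offset is supported")
    m = BODY_RE.match(body.encode())
    if m is None:
        raise ValueError(f"{name}: unsupported body {body!r}")
    before, hexstr, after = m.groups()
    literal = re.escape(bytes.fromhex(hexstr.decode()))  # hex -> b"example\\.com"
    return re.compile(ANCHOR_BEFORE.get(before, b"") + literal
                      + ANCHOR_AFTER.get(after, b""))


def signature_matches(signature: str, data: bytes) -> bool:
    """True when the signature body occurs anywhere in data."""
    return compile_signature(signature).search(data) is not None


# Constructed samples mirroring the scenarios described in the thread.
MID_LINE = b"This is example.com test message.\r\n"          # inside a line
LINE_START = b"This is\r\nexample.com test message.\r\n"     # starts a line
OWN_LINE = b"This is\r\nexample.com\r\ntest message.\r\n"    # on its own line
SUBSTRING = b"This is notexample.com test message.\r\n"     # part of a word

SIG_BB = "SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)"
SIG_LB = "SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)"
SIG_LL = "SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)"
SIG_PLAIN = "SpamDomain.example_com:4:*:6578616d706c652e636f6d"

if __name__ == "__main__":
    for sig in (SIG_BB, SIG_LB, SIG_LL, SIG_PLAIN):
        hits = [n for n, d in (("MID_LINE", MID_LINE), ("LINE_START", LINE_START),
                               ("OWN_LINE", OWN_LINE), ("SUBSTRING", SUBSTRING))
                if signature_matches(sig, d)]
        print(sig.split(":", 3)[3], "->", hits)
```

Running it lists, per body, which constructed messages it hits: the (B)...(B) body hits the mid-line, line-start and own-line messages but not the longer-word one, while the unanchored body also hits the longer-word one.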
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml