On 12/23/2010 3:58 PM, Bill Landry wrote:
On 12/23/2010 1:57 PM, Henrik K wrote:
On Thu, Dec 23, 2010 at 11:28:31PM +0200, Török Edwin wrote:
On 2010-12-23 23:20, Bill Landry wrote:
On 12/20/2010 9:34 AM, Bill Landry wrote:
On 12/20/2010 2:04 AM, Tomasz Kojm wrote:
On Sun, 19 Dec 2010 10:31:43 -0800 Bill Landry <[email protected]> wrote:
I've been doing some testing with some of the new signature wildcards,
in particular:

- (B) Match word boundary (including file boundaries).
- (L) Match CR, CRLF or file boundaries.

I've found that both of these wildcards work when used singularly in any
of the following combinations:

SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)
SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)
SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(L)
SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)

However, I would like to combine them on both sides of the hex
signature, but none of the following combinations work without causing
errors:

SpamDomain.example_com:4:*:(B|L)6578616d706c652e636f6d(B|L)
SpamDomain.example_com:4:*:(B)(L)6578616d706c652e636f6d(B)(L)
SpamDomain.example_com:4:*:((B)|(L))6578616d706c652e636f6d((B)|(L))

Is there a way to combine these two wildcards into a single hex
signature so that it can detect any of the following combinations in an
email message:

Hi Bill,

the word boundary (B) also acts as a line marker (L), so there's no need
for using both of them at the same time.

Yes, but the (B)...(B) boundary does not work without using the
(L)...(B) boundary in these two scenarios:

beginning of line CR, CRLF boundary and word boundary (L)...(B):
================================================================
This is
example.com test message.

beginning and end of line CR, CRLF boundary (L)...(L):
======================================================
This is
example.com
test message.
===

where the domain name starts at the beginning of the line. It would
work great with (B)...(B) if the (B) boundary supported beginning of
line detection:

^example.com

Can this be added to the (B) boundary detection?
(B)6578616d706c652e636f6d

Any further thoughts on this?

This matches example.com at beginning of line, or at a word boundary:
Foo:0:*:(B)6578616d706c652e636f6d

===== cat test.mail =====
Return-Path: x
Received: x

Xxx
example.com
xxX
=====================

Foo:4:*:(B)6578616d706c652e636f6d(B)
test.mail: OK

Foo:4:*:6578616d706c652e636f6d
test.mail: Foo.UNOFFICIAL FOUND

Foo:0:*:(B)6578616d706c652e636f6d(B)
test.mail: Foo.UNOFFICIAL FOUND

Obviously we want to match mail files here, seems there's a bug
handling it.

Yes indeed, the target type needs to be set to "4" (mail file) or we
miss all encoded emails.

Still wondering if this support will be added or not?

Regards,

Bill
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
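The anchor behaviour argued over in this thread, as an added Python example that is not ClamAV code and was not posted by anyone in the thread. It assembles .ndb lines from a domain name (so the hex body is built rather than typed), then emulates the documented (B) and (L) anchors on the constructed sample messages from the thread (mid-line, line-start, whole-line) plus a few extra cases. The anchor semantics are an assumption stated in the code ((B): adjacent byte absent or not [A-Za-z0-9]; (L): adjacent byte absent or CR/LF); it matches raw bytes only, so it deliberately shows that a base64-encoded body never matches, which is the case target type 4 exists for, and it cannot reproduce the target-type-4 discrepancy Henrik observed. The sample messages are constructed for the example.

```python
import base64
import re


def hex_body(text: str) -> str:
    """Hex-encode a literal string for the body of an .ndb hex signature."""
    return text.encode("ascii").hex()


def ndb_signature(name: str, target: int, body: str, left: str = "", right: str = "") -> str:
    """Assemble an .ndb line: Name:TargetType:Offset:HexSignature (offset '*' = anywhere)."""
    return f"{name}:{target}:*:{left}{body}{right}"


def sig_to_regex(hexsig: str) -> re.Pattern:
    """Translate a hex body with optional leading/trailing (B)/(L) anchors and ??
    single-byte wildcards into a bytes regex.

    Assumed semantics (an approximation of the documented anchors, not ClamAV's matcher):
      (B): the adjacent byte is absent (file boundary) or is not [A-Za-z0-9]
      (L): the adjacent byte is absent (file boundary) or is CR or LF
    """
    tokens = re.findall(r"\(B\)|\(L\)|\?\?|[0-9a-fA-F]{2}", hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError(f"unsupported syntax in {hexsig!r}")
    parts = []
    last = len(tokens) - 1
    for i, tok in enumerate(tokens):
        if tok in ("(B)", "(L)"):
            if i not in (0, last):
                raise ValueError("anchors are only handled at the ends of the signature")
            cls = rb"[A-Za-z0-9]" if tok == "(B)" else rb"[^\r\n]"
            # leading anchor: negative look-behind; trailing anchor: negative look-ahead
            parts.append(b"(?<!" + cls + b")" if i == 0 else b"(?!" + cls + b")")
        elif tok == "??":
            parts.append(rb".")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def is_valid_sig(hexsig: str) -> bool:
    """Whether the body uses only syntax this emulator understands (rejects e.g. '(B|L)')."""
    try:
        sig_to_regex(hexsig)
        return True
    except ValueError:
        return False


def scan(buf: bytes, hexsig: str) -> bool:
    """True if the signature body matches anywhere in the raw bytes."""
    return sig_to_regex(hexsig).search(buf) is not None


DOMAIN = "example.com"
BODY = hex_body(DOMAIN)  # "6578616d706c652e636f6d", the body used throughout the thread

# Constructed sample messages covering the cases discussed in the thread.
SAMPLES = {
    "mid-line":    b"This is an example.com test message.\r\n",
    "line-start":  b"This is\r\nexample.com test message.\r\n",
    "whole-line":  b"This is\r\nexample.com\r\ntest message.\r\n",
    "no-boundary": b"This is notexample.comtest message.\r\n",
    "subdomain":   b"Visit mail.example.com\r\n",
    # A base64-encoded body carries no literal 'example.com' bytes; this is the
    # encoded-mail case where target type 4 is needed so the engine decodes it first.
    "base64-body": b"Content-Transfer-Encoding: base64\r\n\r\n"
                   + base64.b64encode(b"This is example.com test message.") + b"\r\n",
}

VARIANTS = {
    "plain":    BODY,
    "(B)..(B)": f"(B){BODY}(B)",
    "(L)..(L)": f"(L){BODY}(L)",
    "(L)..(B)": f"(L){BODY}(B)",
}


def match_matrix() -> dict:
    """For every anchor variant, which constructed samples match."""
    return {v: {s: scan(buf, sig) for s, buf in SAMPLES.items()} for v, sig in VARIANTS.items()}


def b_subsumes_l() -> bool:
    """Tomasz's remark on these samples: wherever (L)..(L) matches, (B)..(B) matches too."""
    m = match_matrix()
    return all(m["(B)..(B)"][s] for s, hit in m["(L)..(L)"].items() if hit)


if __name__ == "__main__":
    print(ndb_signature("SpamDomain.example_com", 4, BODY, "(B)", "(B)"))
    for variant, row in match_matrix().items():
        print(f"{variant:9} " + " ".join(f"{s}={'Y' if hit else 'n'}" for s, hit in row.items()))
```

Two things the matrix makes visible that the thread only states in passing: (B) is a word boundary, so `mail.example.com` matches a (B)..(B) signature because '.' is not alphanumeric, whereas (L)..(L) only fires when the domain is the whole line; and nothing anchored or unanchored matches the base64 sample, which is why the target type has to be 4 for mail. To check a generated line against the real engine, write it to a file and run `clamscan -d sigs.ndb test.mail` as Henrik did.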
