On 26 Jul 2012 at 14:05, Alexandre Dias wrote:

> Are you trying to add those exact strings?
> 
> Signatures in ClamAV are in hexadecimal format. The strings that you are
> trying to add are composed of characters instead.
> 
> So instead of having for example "Vigra", what you need is "5669677261",
> which is the hexadecimal representation of "Vigra".

Thank you Alexandre, but I know that and my script does the transcoding. The second signature is for instance coded as:
Sanesecurity.Pierre.35:0:*:566967726120*687474703a2f2f{-20}646f63746f722e7275

sigtool --decode-sig <file.ndb says:
VIRUS NAME: Sanesecurity.Pierre.35
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
Vigra {WILDCARD_ANY_STRING}http://{WILDCARD_ANY_STRING(LENGTH<=20)}doctor.ru

> Your first signature only has one character ("$") between the "{-20}" and
> "*" wildcards. If I'm not mistaken, you need at least two characters
> between wildcards.

I have not seen this limitation in the "Creating signatures for ClamAV" document I found on the Internet, but I think I have already experienced problems with one character between wildcards, indeed.

> I'm not sure about your second signature.

Generally, when I have such a "too short" problem I change the signature a little bit until something works, but here I wanted to finally understand my problem. And I think I'm progressing: while decoding the signatures with sigtool, I discovered that the signature following the reported one is erroneous (Decoding failed)! It seems the error message is somewhat misleading...

[update] If I remove the signatures following signature 35, it works. Then I fixed the error in signature 36 and the error re-appeared. Signature 36 (the last one) looks like:
VIRUS NAME: Sanesecurity.Pierre.36
TARGET TYPE: ANY FILE
OFFSET: EOF-80
DECODED SIGNATURE:
{WILDCARD_ANY_STRING}{LINE_MARKER_LEFT}http://{WILDCARD_ANY_STRING(LENGTH<=20)}.html {WILDCARD_ANY_STRING(LENGTH>=20&&<=40)}{LINE_MARKER_RIGHT}

The signature looks strange, but it is an attempt to catch emails made of (only) one small line of text ending with a URL.

If someone has a definitive answer on the "too short" message...

Thanks,
Pierre


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
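The thread turns on three things: hex-encoding the literal parts of an .ndb body, the wildcard tokens (`*`, `{-n}`, `{n-}`, `{n-m}`) that sit between them, and how short a literal run between two wildcards may be. The script below is an added illustration, not Pierre's script and not ClamAV code: it builds the hex body of an .ndb line from plain strings and wildcard tokens, decodes a body back into the same labels `sigtool --decode-sig` prints above, and reports literal runs between wildcards shorter than the two bytes Alexandre suggests as the minimum (that threshold is taken from the thread, not verified against libclamav). The `.html` signature used to show the check is constructed here; `{LINE_MARKER_*}` and exact-count `{n}` tokens are not handled.

```python
# Added example for ClamAV .ndb body signatures (not ClamAV's own code;
# sigtool --decode-sig remains the authoritative decoder).
import re

# Wildcard tokens as they appear inside the hex body of an .ndb signature:
#   *        any number of bytes
#   {-n}     at most n bytes
#   {n-}     at least n bytes
#   {n-m}    between n and m bytes
_WILDCARD_RE = re.compile(r"\*|\{(\d*)-(\d*)\}")


def encode_pattern(parts):
    """Build the hex body from a list of literal strings and wildcard tokens.

    Literals are hex-encoded byte by byte ("Vigra" -> "5669677261");
    tokens that are "*" or "{...}" are copied through unchanged.
    """
    out = []
    for p in parts:
        if p == "*" or (p.startswith("{") and p.endswith("}")):
            out.append(p)
        else:
            out.append(p.encode("latin-1").hex())
    return "".join(out)


def make_ndb(name, target, offset, parts):
    """Assemble a full .ndb line: Name:TargetType:Offset:HexBody."""
    return f"{name}:{target}:{offset}:{encode_pattern(parts)}"


def split_body(body):
    """Split a hex body into ("lit", bytes) and ("wc", token) segments.

    An odd-length or non-hex literal run raises ValueError, which is the
    situation sigtool reports as "Decoding failed".
    """
    segs, pos = [], 0
    for m in _WILDCARD_RE.finditer(body):
        if m.start() > pos:
            segs.append(("lit", bytes.fromhex(body[pos:m.start()])))
        segs.append(("wc", m.group(0)))
        pos = m.end()
    if pos < len(body):
        segs.append(("lit", bytes.fromhex(body[pos:])))
    return segs


def is_decodable(body):
    """True if every literal run in the body is valid hex."""
    try:
        split_body(body)
        return True
    except ValueError:
        return False


def _wildcard_label(tok):
    # Labels follow the sigtool output quoted in the thread.
    if tok == "*":
        return "{WILDCARD_ANY_STRING}"
    lo, hi = _WILDCARD_RE.match(tok).groups()
    if lo and hi:
        cond = f"LENGTH>={lo}&&<={hi}"
    elif hi:
        cond = f"LENGTH<={hi}"
    else:
        cond = f"LENGTH>={lo}"
    return f"{{WILDCARD_ANY_STRING({cond})}}"


def decode_body(body):
    """Render a hex body the way sigtool --decode-sig prints it."""
    return "".join(
        seg.decode("latin-1") if kind == "lit" else _wildcard_label(seg)
        for kind, seg in split_body(body)
    )


def short_literals(body, minimum=2):
    """Return literal runs shorter than `minimum` bytes that sit between
    two wildcards. The default of 2 is the rule suggested in the thread
    (an assumption here), not a limit checked against libclamav."""
    segs = split_body(body)
    found = []
    for i, (kind, seg) in enumerate(segs):
        if kind != "lit" or len(seg) >= minimum:
            continue
        before_wc = i > 0 and segs[i - 1][0] == "wc"
        after_wc = i + 1 < len(segs) and segs[i + 1][0] == "wc"
        if before_wc and after_wc:
            found.append(seg)
    return found


if __name__ == "__main__":
    # Signature 35 from the thread, rebuilt from plain text.
    sig35 = ["Vigra ", "*", "http://", "{-20}", "doctor.ru"]
    line = make_ndb("Sanesecurity.Pierre.35", 0, "*", sig35)
    print(line)
    print(decode_body(line.split(":", 3)[3]))
    # Constructed body with a lone "$" between two wildcards.
    body = encode_pattern(["http://", "{-20}", "$", "*", ".html"])
    print("short literal runs:", short_literals(body))
```

Running the script prints the same .ndb line and decoded form that appear earlier in the message; the constructed `.html` body reports `[b'$']`, the one-byte run between `{-20}` and `*` that Alexandre points at. `is_decodable` is the quick way to find the "Decoding failed" entry Pierre describes: run it over every line of the file rather than trusting which line clamscan names.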
