I'm still chasing signatures for a certain class of (very) oversized spam with malformed HTML. I've found an issue that is either an implementation limit or a bug in ClamAV's handling of Yara rules.

I've narrowed it down to an issue with the "#" condition variant.

For a rule like so:

rule badstyle {
  strings:
    $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
  condition:
    #a > 1
}

and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag the message. (Note, this isn't what I'd use as a live signature!)

If I change the condition to "$a" instead, it flags the message, so the expression for $a is valid and correct.

Since this particular series of spams will require "#a > 100" (or higher counts) for safety, and none of the other signature types lend themselves very well to this particular type of pattern matching, I'm unable to use just a few signatures as above. Instead I've been using a crude workaround of setting up closing-on-hundreds of very similar logical signatures, or an extended list of 3-6 hex-coded character sequences in a single logical signature.

-kgd
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
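As an added check that is not part of the original post, the following Python script reproduces the rule's `$a` pattern with Python's `re` module and counts how many runs of ten punctuation characters a message body contains, so the expected value of `#a` can be worked out independently of ClamAV before deciding whether `#a > N` ought to fire. The message body is a constructed sample, not the pastebin message from the post, and Python's regex engine is only a stand-in for the YARA engine: YARA may count overlapping occurrences where `re.finditer` counts non-overlapping ones, so both counts are reported for comparison.

```python
import re

# The $a pattern from the rule, copied verbatim as a Python regex: a run of
# exactly ten characters from the listed punctuation set.
BADSTYLE_PATTERN = re.compile(r"[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}")

# Constructed sample body (not the pastebin message). It contains three
# separate punctuation runs of 11, 12 and 16 characters respectively.
SAMPLE_BODY = (
    "<html><body>\n"
    "Hello ~!@#$%^&*() world\n"
    "<div>{}|<>/?[]_+ text</div>\n"
    "normal line\n"
    "<p>`~!@#$%^&*()_+` tail</p>\n"
    "</body></html>"
)


def count_matches(body: str, overlapping: bool = False) -> int:
    """Return how many times the $a pattern occurs in the body.

    overlapping=False counts non-overlapping matches, the way re.finditer
    consumes the text.  overlapping=True counts every start offset at which
    a ten-character run begins, which is the larger number an engine that
    reports overlapping occurrences would produce.
    """
    if not overlapping:
        return sum(1 for _ in BADSTYLE_PATTERN.finditer(body))
    # A zero-width lookahead does not consume text, so each start offset
    # of a qualifying run is counted once.
    lookahead = re.compile("(?=" + BADSTYLE_PATTERN.pattern + ")")
    return sum(1 for _ in lookahead.finditer(body))


def should_flag(body: str, min_count: int, overlapping: bool = False) -> bool:
    """Mirror the rule condition '#a > min_count' for the given body."""
    return count_matches(body, overlapping) > min_count


if __name__ == "__main__":
    # Prints the two counts and the verdict for the thresholds discussed
    # in the post (1 and 100).
    print("non-overlapping #a =", count_matches(SAMPLE_BODY))
    print("overlapping     #a =", count_matches(SAMPLE_BODY, overlapping=True))
    for threshold in (1, 100):
        print(f"#a > {threshold}:", should_flag(SAMPLE_BODY, threshold))
```

Running the script on the constructed body gives a non-overlapping count of 3 and an overlapping count of 12; if ClamAV reports a `#a` that matches neither, the discrepancy is in the engine's counting rather than in the regex itself, which is the distinction the post is trying to pin down.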