I just took a peek at the code to try to answer your question. I'm not sure 
why, exactly, but yes, there is an explicit MAX_LDB_SUBSIGS set to 64.

Regards,
-Micah

> On Feb 24, 2019, at 9:35 PM, Al Varnell via clamav-users 
> <[email protected]> wrote:
> 
> I can’t comment on whether or not there is a 65 field limit or not, though it 
> appears to me to be obviously so based on your experience.
> 
> What I will comment on is that your approach is rather unique compared to 
> most of the .ldb signatures I've observed in the ClamAV database. Most all of 
> the latter use 'and' rather than 'or' rules as well as longer ASCII strings 
> to ensure against False Positives. I have to believe there is a very 
> significant chance that or'ing that many short strings together will result 
> in many False Positive hits.
> 
> Additionally, the strings you provided appear to contain an extra digit. I 
> thought hex strings always contain an even number of digits?
> 
> -Al-
> ClamXAV User
> 
>> On Feb 24, 2019, at 3:12 PM, Satwik B via clamav-users 
>> <[email protected]> wrote:
>> 
>> Hello,
>> 
>> I am trying to generate clamav signatures for a malware dataset that I have. 
>> 
>> Initially I have recognized some strings which are prominent in a class of 
>> malware, hence, those are considered and a ldb signature is generated using 
>> the below method.
>> 
>> The name of the signature, Engine version, Target as 0. We further have 'x' 
>> number of sub-signatures, where x is 100, each with logical or. All the strings 
>> are converted to hex representation. Below is the example which is generated.
>> 
>> ramnit.Signature;Engine:0-500,Target:0;0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99;636f6e6e6;686b65795;363530393;52656c656;633a5c5c7;436f6e766;313937313;6c6f63616;576169744;363337363;686b65795;353238363;736c65657;633a5c5c7;636f6e6e6;686b65795;633a5c5c7;737663686;363030363;633a5c5c7;313935353;633a5c5c7;636f6e6e6;6765746d6;536574437;313933393;686b65795;633a5c5c7;323232363;353537363;686b65795;686b65795;686b65795;686b65795;686b65795;686b65795;686b65795;686b65795;353130363;64656c657;633a5c5c7;633a5c5c7;686b65795;53656e644;6b7975666;6c6f63616;494d41474;686b65795;686b65795;686b65795;696573716;737663686;313237303;363033353;363039383;686b65795;686b65795;633a5c5c7;686b65795;333139313;686b65795;437265617;686b65795;476574546;353631323;633a5c5c7;686b65795;496e74657;686b65795;686b65795;686b65795;686b65795;3f7365745;633a5c5c7;476574537;527063426;686b65795;686b65795;566572517;353630353;686b65795;4f70656e5;353138343;4c6f6f6b7;633a5c5c7;476574546;363139393;633a5c5c7;686b65795;353638333;676574707;6f6c65333;5065656b4;343230353;536574576;5c5c3f3f5;5265674f7;633a5c5c7;686b65795;686b65795
>> 
>> Now, the problem is this: in case there are <=65 sub-signatures, everything 
>> works fine; however, if they increase beyond that, it results in the 
>> following error.
>> 
>> LibClamAV Error: cli_loadldb: The number of subsignatures (== 65) doesn't 
>> match the IDs in the logical expression (== 100)
>> LibClamAV Error: Problem parsing database at line 1
>> LibClamAV Error: Can't load ramnit.ldb: Malformed database
>> ERROR: Malformed database
>> 
>> Is it that the ldb signatures are limited to only 65 conditions? If not what 
>> causes this issue and how to solve it?
>> 
>> --
>> Satwik
> 
> _______________________________________________
> 
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
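The two points raised in the thread (the MAX_LDB_SUBSIGS ceiling Micah found, and Al's observation that the hex bodies carry an odd number of digits) can be caught before clamscan ever sees the file. The checker below is an added example written for this thread, not ClamAV's own loader code. It assumes the `name;target;expression;subsig...` layout shown in Satwik's line, takes the value 64 for MAX_LDB_SUBSIGS from Micah's reply, and assumes that hex bodies must have an even digit count (the convention Al asks about); it only understands plain hex bodies and `|`/`&`/parentheses expressions, so wildcard bodies and count/threshold syntax are reported as unhandled rather than validated. The `build_or_signature` helper is a constructed convenience for generating lines in the same OR-everything shape as the one in the original post.

```python
import re

# Ceiling reported upthread from the ClamAV source (MAX_LDB_SUBSIGS). Assumed
# here to be the number of subsignatures one .ldb line may carry.
MAX_LDB_SUBSIGS = 64


def parse_ldb_line(line):
    """Split one .ldb line into (name, target_block, logical_expr, [subsig bodies])."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("an .ldb line needs name;target;expression;subsig[;subsig...]")
    return fields[0], fields[1], fields[2], fields[3:]


def check_ldb_signature(line):
    """Return a list of problems found in one .ldb line (empty when it passes)."""
    problems = []
    _name, _target, expr, subsigs = parse_ldb_line(line)
    n = len(subsigs)

    # Check 1: the subsignature ceiling the loader enforces.
    if n > MAX_LDB_SUBSIGS:
        problems.append(f"{n} subsignatures exceed MAX_LDB_SUBSIGS ({MAX_LDB_SUBSIGS})")

    # Check 2: every id 0..n-1 must be referenced, and nothing beyond n-1.
    # Only id|id&id grouping with parentheses is parsed; count/threshold
    # syntax such as (0|1)>1 is reported as unhandled (simplification).
    if re.fullmatch(r"[\d|&()]+", expr):
        ids = sorted({int(t) for t in re.findall(r"\d+", expr)})
        if ids != list(range(n)):
            problems.append(
                f"expression references {len(ids)} ids but line carries {n} subsignatures"
            )
    else:
        problems.append("expression uses syntax this checker does not handle; id check skipped")

    # Check 3: plain hex bodies must describe whole bytes (even digit count).
    for i, body in enumerate(subsigs):
        if not re.fullmatch(r"[0-9a-fA-F]+", body):
            problems.append(f"subsig {i}: not a plain hex string (wildcards not handled here)")
        elif len(body) % 2:
            problems.append(f"subsig {i}: odd number of hex digits ({len(body)})")
    return problems


def build_or_signature(name, strings, engine="0-500", target=0):
    """Constructed helper: OR every string together, hex-encoding each body."""
    subsigs = [s.encode().hex() for s in strings]
    expr = "|".join(str(i) for i in range(len(subsigs)))
    return ";".join([name, f"Engine:{engine},Target:{target}", expr] + subsigs)


if __name__ == "__main__":
    # Constructed sample shaped like the thread's line: second body has 9 digits.
    sample = "ramnit.Test;Engine:0-500,Target:0;0|1;636f6e6e6563;686b65795"
    for problem in check_ldb_signature(sample):
        print(problem)
    # 64 OR'ed bodies pass the ceiling check; 65 do not.
    print(check_ldb_signature(build_or_signature("test.Sig", [f"s{i}" for i in range(64)])))
    print(check_ldb_signature(build_or_signature("test.Sig", [f"s{i}" for i in range(65)])))
```

Running this over a generated .ldb file before loading it turns the loader's "Malformed database" failure into a per-line report, and it makes the 64/65 boundary from the thread visible without guessing at the loader's tokenisation.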

