On 16 March 2022 20:29:19 "Micah Snyder (micasnyd) via clamav-users" <clamav-users@lists.clamav.net> wrote:
yara rule loading logic works right now.

(3) a way to specify that a rule is to match in
    (a) mail headers only or
    (b) mail body only or
    (c) both;
Just a random early thought... could .ldb be extended... by reading the whole message processing as normal... but if it's a header line mark as h, body with a b...


So if the ldb could be extended with h/b... you could still use the normal ldb logic...


Test;Engine:81-255,Target:0;(h0&b0=0);hex;hex


Test;Engine:81-255,Target:0;(b0);

h=headers only line
b=body only line

So h0 hex will only match if it's a header line
So b0 hex will only match if it's a body line
Sorry for the formatting.. on mobile.


Cheers,

Steve
Twitter: @sanesecurity
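
A minimal model of the h/b scoping proposed in the message above, as an added example that is not part of the original post and is not ClamAV code or existing .ldb syntax: each line is tagged as header or body, and a scoped hex subsignature only matches lines carrying its tag. The function names and sample message are constructed for illustration, and the first empty line is assumed to end the headers.

```python
# Added sketch of the proposed h/b scoping; not ClamAV code or real .ldb syntax.
from typing import Iterator, List, Tuple


def tag_lines(raw: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield ('h', line) for header lines and ('b', line) for body lines.

    Assumption: the first empty line ends the header block; it is not yielded.
    """
    scope = "h"
    for line in raw.splitlines():
        if scope == "h" and line == b"":
            scope = "b"
            continue
        yield scope, line


def match_scoped(raw: bytes, subsigs: List[Tuple[str, str]]) -> List[bool]:
    """Evaluate (scope, hex) subsignatures, where scope is 'h' or 'b'.

    Returns one boolean per subsignature, in order, which a caller could
    then combine with the usual logical expression.
    """
    needles = [(scope, bytes.fromhex(hx)) for scope, hx in subsigs]
    hits = [False] * len(needles)
    for scope, line in tag_lines(raw):
        for i, (want, needle) in enumerate(needles):
            if want == scope and needle in line:
                hits[i] = True
    return hits


# Constructed sample: the header string is repeated in the body on purpose.
SAMPLE = (
    b"From: a@example.test\r\n"
    b"Subject: invoice\r\n"
    b"\r\n"
    b"Subject: invoice appears in the body too\r\n"
    b"click here\r\n"
)

if __name__ == "__main__":
    rules = [("h", b"Subject: invoice".hex()), ("h", b"click here".hex())]
    print(match_scoped(SAMPLE, rules))
```

Matching is per line here, as the message suggests, so a pattern spanning a folded header or a line break would not match in this model.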