Arnaud Jacques via clamav-users wrote:
Hello Kris,
[...]
> /(n\d+).htmldomstuff;function(\1);/
>
> Do any of Clam's signature types support something like this?
I use:
6e3?3?3?
that matches n000, n003, n024, n781 ...

Right, and I've used that in cases where tracking a particular
normalized variable isn't as important, but there are two problems:
1) You can't start or end the overall pattern with this
2) It's not matching "this specific normalized variable, for immediate
local values of this specific normalized variable", it's matching "any
normalized variable".
As I said in my original message, the specific sample at hand just now
came out with n007 for the specific variable.... but variations in the
scam could make that normalize to n003 or n024 or something else. I
only want to match that particular variable - irrespective of what
n\d\d\d value it normalizes *to* in any specific sample file. Which is
why I want to capture the first case, and backreference it for further
instances of it later in the pattern.
-kgd
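
The distinction drawn in this message, shown as an added example that is not part of the original thread: the nibble-wildcard pattern `6e3?3?3?` accepts any normalized variable, while a capture plus backreference accepts only a repeat of the same one. Python's `re` stands in for a signature engine here, the sample strings are constructed, and nothing below says which ClamAV signature types accept backreferences.

```python
import re

def hexsig_to_regex(sig: str) -> bytes:
    """Translate a hex pattern with '?' nibble wildcards into a bytes regex."""
    if len(sig) % 2:
        raise ValueError("hex pattern must contain whole bytes")
    out = []
    for i in range(0, len(sig), 2):
        hi, lo = sig[i], sig[i + 1]
        if hi == "?" and lo == "?":
            out.append(b"[\\x00-\\xff]")
        elif lo == "?":   # high nibble fixed: one contiguous 16-byte range
            base = int(hi, 16) << 4
            out.append(b"[\\x%02x-\\x%02x]" % (base, base | 0x0F))
        elif hi == "?":   # low nibble fixed: 16 scattered byte values
            low = int(lo, 16)
            out.append(b"[" + b"".join(b"\\x%02x" % (h << 4 | low)
                                       for h in range(16)) + b"]")
        else:
            out.append(re.escape(bytes([int(hi + lo, 16)])))
    return b"".join(out)

# "any normalized variable": 'n' followed by three bytes in 0x30-0x3f
ANY_VAR = hexsig_to_regex("6e3?3?3?")
LOOSE = re.compile(ANY_VAR + rb"\.html.*?;function\(" + ANY_VAR + rb"\);", re.S)

# "this specific normalized variable": capture it once, require it again
STRICT = re.compile(rb"(n\d+)\.html.*?;function\(\1\);", re.S)

# Constructed stand-ins for normalized script text (not real samples)
SAME_VAR = b"n007.html=n001.n002(n003);function(n007);"
RENUMBERED = b"n024.html=n001.n002(n003);function(n024);"   # same variable, new number
OTHER_VAR = b"n007.html=n001.n002(n003);function(n012);"    # a different variable

def classify(sample: bytes) -> tuple:
    """Return (loose_hit, strict_hit) for one sample."""
    return bool(LOOSE.search(sample)), bool(STRICT.search(sample))

if __name__ == "__main__":
    for name, s in [("same", SAME_VAR), ("renumbered", RENUMBERED), ("other", OTHER_VAR)]:
        print(name, classify(s))
    # The nibble wildcard also admits non-digits such as ':' ';' '<'
    print(bool(re.fullmatch(ANY_VAR, b"n:;<")))
```

Only the backreference form rejects the third sample, and it keeps matching when the variable is renumbered from n007 to n024.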