On Wed, 3 Nov 2004, Tomasz Kojm wrote:
> > Matches a case-sensitive regex of: IFRAME={256,}
> > Exploit.IFRAME.foo:*:494652414d453d??{256-}
>
> Bad format.

Thank you for pointing that out, I greatly appreciate your help.  Perhaps
I misunderstood what the format meant when I posted the message the first
time after only reading the signature documentation once.  Would you be so
kind as to explain how it should properly be formatted based on the
information above?  The documentation explains that the extended format
looks as follows:

MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel]

Did I simply miss a 3 for target type?

> > You can probably all see the problem already.  IfRaMe is not caught by
> > our sig.  Does this mean 6! (factorial) additional signatures are
> > needed to match this?  Am I doing this completely wrong somewhere?
>
> http://www.clamav.net/doc/0.80/signatures.pdf Section 4.1 (Special
> files: HTML)

As expressed above, I have read all 7 pages of the document before
posting.  Just to be sure, I read it a second time.  If this particular
problem has already been addressed, it is not expressly stated in the
documentation.  Although 4.1 comments about the script.html output are
lower-cased java script, nothing is said about the case-sensitivity of the
nocomment.html output.  Since, after testing, it does appear to lower-case
all of the files (not just script.html as indicated by documentation) then
perhaps the documentation needs to be updated.

That being stated, does the following take the proper format and is it
sufficient to merge into our database?

Exploit.IFRAME.foo:3:*:96672616d653d??{256-}

>
> > Your thoughts?
>
> Please RTM.

3rd time is the charm?

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
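
Added example (not part of the original message and not ClamAV code): a small checker for the extended format quoted above, run over the two signature lines as they appear in this thread plus two constructed ones. The names `check_line`, `split_body` and `SAMPLES` are hypothetical; the checker handles only `*` and numeric offsets and the `??`, `*`, `{n}`, `{n-}`, `{-n}` body tokens, and it assumes, from the testing described in the message, that target type 3 content is lower-cased before matching.

```python
import re

# Body tokens: hex run, ?? (any byte), * (any bytes), {n} / {n-} / {-n} gaps.
TOKEN = re.compile(r"([0-9a-fA-F]+)|\?\?|\*|\{(?:\d+-?|-\d+)\}")

def split_body(body):
    """Return (literal byte runs, problems) for a hex signature body."""
    literals, problems, pos = [], [], 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if m is None:
            problems.append(f"unrecognised token at column {pos}")
            break
        run = m.group(1)
        if run and len(run) % 2:
            problems.append(f"literal {run} has an odd number of hex digits")
        elif run:
            literals.append(bytes.fromhex(run))
        pos = m.end()
    return literals, problems

def check_line(line):
    """Check Name:TargetType:Offset:HexSignature[:MinFL]; return (literals, problems)."""
    fields = line.strip().split(":")
    if len(fields) not in (4, 5):
        return [], [f"expected 4 or 5 fields, found {len(fields)}"]
    name, target, offset, body = fields[:4]
    problems = []
    if not target.isdigit():
        problems.append(f"target type {target!r} is not a number")
    if offset != "*" and not offset.isdigit():
        problems.append(f"offset {offset!r} is not handled by this example")
    literals, body_problems = split_body(body)
    problems += body_problems
    # Assumption taken from the thread: target type 3 is matched against
    # lower-cased normalised HTML, so upper-case literals cannot match.
    if target == "3" and any(lit != lit.lower() for lit in literals):
        problems.append("upper-case literal in a target type 3 signature")
    return literals, problems

SAMPLES = [
    "Exploit.IFRAME.foo:*:494652414d453d??{256-}",    # first line in the thread
    "Exploit.IFRAME.foo:3:*:96672616d653d??{256-}",   # second line, as it appears here
    "Exploit.IFRAME.foo:3:*:494652414d453d??{256-}",  # constructed: upper-case literal
    "Exploit.IFRAME.foo:3:*:696672616d653d??{256-}",  # constructed: lower-case literal
]

if __name__ == "__main__":
    for sample in SAMPLES:
        literals, problems = check_line(sample)
        print(sample, literals, problems or "ok", sep="\n  ")
```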
