On 08/29/2012 09:46 AM, Maarten Broekman wrote:
>> -----Original Message-----
>> Despite the statement of your objective it isn't clear to me what you
>> think you're going to achieve.  My expectation would be a very large
>> increase in the false positive rates if you attempt to use signatures
>> modified in the way you describe.  Can you be more specific?  Define
>> 'appropriate' and 'useful' in this context for example.
> 
> The rate of false positives is wholly dependent on the strings that you
> are replacing with wildcards.
> 
> As an example, when generating signatures to identify phishing content
> (say, content targeting bank customers), I wanted to be able to strip
> out 'http://' (687474703a2f2f) and 'https://' (68747470733a2f2f) from
> the hex dump (generated by sigtool) and replace them with {7-8} (aka
> WILDCARD LENGTH 7 - 8) because I don't care if the protocol in the
> phishing content is http or https.  This would remove 9 - 11 characters
> with each replacement, allowing me to fit more of the hex dump into the
> result signature which is limited to ~8k characters (including name,
> file type, and offset).

I think he meant that {7-8}facebook.com matches,

 * http://facebook.com
 * https://facebook.com
 * i go to facebook.com
 * visit facebook.com
 * ...

Whether or not that's a problem depends on context. I guess <a href="i
go to facebook.com"> is not so bad, but false positives are almost by
definition unintended consequences so I'd be careful.
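As an added illustration (not code from the thread or from ClamAV), a small Python model of the two operations under discussion: rewriting a sigtool hex dump so that the hex for 'http://' / 'https://' becomes {7-8}, and checking which strings a {7-8}facebook.com body then matches when {n-m} is read as "any n to m bytes", the reading the list above assumes. The function names are mine, and the {n-m}-to-regex translation is a simplified model, not ClamAV's matcher.

```python
import re

# Hex strings quoted in the thread: 'http://' and 'https://'.
HTTP_HEX = "687474703a2f2f"
HTTPS_HEX = "68747470733a2f2f"
PROTO_WILDCARD = "{7-8}"  # 7 bytes for http://, 8 for https://


def generalize_protocol(hexdump: str) -> str:
    """Replace every http:// or https:// in a plain sigtool hex dump with {7-8}.

    Works on the decoded bytes rather than on the hex text, so a replacement
    can never land on an odd nibble boundary (a text search for
    '687474703a2f2f' could match straddling two unrelated bytes).
    """
    data = bytes.fromhex(hexdump)            # raises ValueError on bad hex
    parts = re.split(rb"https?://", data)
    return PROTO_WILDCARD.join(p.hex() for p in parts)


def sig_to_regex(body: str) -> re.Pattern:
    """Model a hex body containing only {n-m} wildcards as a bytes regex.

    {n-m} is read as 'any n to m bytes'. Other ClamAV wildcards
    (??, *, {n}, (a|b)) are deliberately not handled by this model.
    """
    out = []
    for tok in re.split(r"(\{\d+-\d+\})", body):
        m = re.fullmatch(r"\{(\d+)-(\d+)\}", tok)
        if m:
            out.append(b".{%d,%d}" % (int(m.group(1)), int(m.group(2))))
        elif tok:
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out), re.DOTALL)


def matches(body: str, content: bytes) -> bool:
    return sig_to_regex(body).search(content) is not None


def chars_saved(hexdump: str) -> int:
    """Signature characters freed by the rewrite: 9 per http://, 11 per https://."""
    return len(hexdump) - len(generalize_protocol(hexdump))


if __name__ == "__main__":
    body = generalize_protocol(b"http://facebook.com".hex())
    print(body)  # {7-8}66616365626f6f6b2e636f6d
    for s in [b"http://facebook.com", b"https://facebook.com",
              b"i go to facebook.com", b" visit facebook.com",
              b"visit facebook.com", b"facebook.com"]:
        print(f"{s!r:28} -> {matches(body, s)}")
```

Note that the wildcard also imposes a minimum: "visit facebook.com" (6 bytes before the domain) and a bare "facebook.com" do not match, so the rewrite both widens and narrows the original literal.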