On 08/29/2012 09:46 AM, Maarten Broekman wrote:
>> -----Original Message-----
>> Despite the statement of your objective it isn't clear to me what you
>> think you're going to achieve. My expectation would be a very large
>> increase in the false positive rates if you attempt to use signatures
>> modified in the way you describe. Can you be more specific? Define
>> 'appropriate' and 'useful' in this context for example.
>
> The rate of false positives is wholly dependent on the strings that you
> are replacing with wildcards.
>
> As an example, when generating signatures to identify phishing content
> (say, content targeting bank customers), I wanted to be able to strip
> out 'http://' (687474703a2f2f) and 'https://' (68747470733a2f2f) from
> the hex dump (generated by sigtool) and replace them with {7-8} (aka
> WILDCARD LENGTH 7 - 8) because I don't care if the protocol in the
> phishing content is http or https. This would remove 9 - 11 characters
> with each replacement, allowing me to fit more of the hex dump into the
> resulting signature, which is limited to ~8k characters (including name,
> file type, and offset).
I think he meant that {7-8}facebook.com matches

 * http://facebook.com
 * https://facebook.com
 * i go to facebook.com
 * visit facebook.com
 * ...

Whether or not that's a problem depends on context. I guess
<a href="i go to facebook.com"> is not so bad, but false positives are
almost by definition unintended consequences, so I'd be careful.
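As an added illustration (not code from this thread or from ClamAV), the following Python translates a signature body made of hex bytes and the {7-8} wildcard into a regex, applies the protocol-stripping edit proposed above to constructed sample signatures, and shows what the wildcarded form does and does not match; it covers only this subset of the signature syntax and is not ClamAV's own matcher.

```python
import re

# Added illustration: a minimal matcher for the subset of ClamAV's body-signature
# syntax discussed in the thread (plain hex bytes plus the {n-m} wildcard, which
# matches between n and m arbitrary bytes). It is not ClamAV's engine and ignores
# the rest of the signature format (name, target type, offset, other wildcards).
TOKEN = re.compile(r"\{(\d+)-(\d+)\}|([0-9a-fA-F]{2})")

def sig_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Translate a hex signature body with {n-m} wildcards into a bytes regex."""
    parts, pos = [], 0
    for m in TOKEN.finditer(sig):
        if m.start() != pos:
            raise ValueError(f"unparsed signature text at offset {pos}: {sig[pos:]!r}")
        pos = m.end()
        if m.group(3):                      # a literal byte, e.g. "68" -> b"h"
            parts.append(re.escape(bytes.fromhex(m.group(3))))
        else:                               # {n-m}: n to m bytes of anything
            lo, hi = int(m.group(1)), int(m.group(2))
            parts.append(b".{%d,%d}" % (lo, hi))
    if pos != len(sig):
        raise ValueError(f"trailing text in signature: {sig[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def matches(sig: str, content: bytes) -> bool:
    """True if the signature body matches anywhere in content."""
    return sig_to_regex(sig).search(content) is not None

def wildcard_protocol(hexsig: str) -> str:
    """The edit proposed in the thread: swap the hex of 'http://' (687474703a2f2f)
    and 'https://' (68747470733a2f2f) for the {7-8} wildcard. The substring replace
    is safe for these two strings; a general tool should work on byte pairs."""
    hexsig = hexsig.replace(b"https://".hex(), "{7-8}")
    return hexsig.replace(b"http://".hex(), "{7-8}")

# Constructed sample signatures, as sigtool would hex-dump the strings.
HTTPS_SIG = b"https://facebook.com".hex()   # 40 hex characters
HTTP_SIG = b"http://facebook.com".hex()     # 38 hex characters
WILD_SIG = wildcard_protocol(HTTPS_SIG)     # "{7-8}" + hex of "facebook.com", 29 chars

if __name__ == "__main__":
    # Constructed sample content; {7-8} is a byte count, not a protocol, so the
    # wildcarded form matches anything with 7 or 8 bytes in front of "facebook.com".
    for sample in (b"<a href='https://facebook.com/'>", b"i go to facebook.com",
                   b"visit facebook.com", b"please visit facebook.com"):
        print(f"{sample!r:40} http-only={matches(HTTP_SIG, sample)!s:6}"
              f"wildcard={matches(WILD_SIG, sample)}")
    print("hex characters saved:", len(HTTPS_SIG) - len(WILD_SIG),
          "(https) and", len(HTTP_SIG) - len(WILD_SIG), "(http)")
```

Note that "visit facebook.com" at the very start of a file has only 6 bytes before the hostname, so the {7-8} form does not match it there, while "please visit facebook.com" does; the wildcard constrains a byte count, not a protocol.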