Maarten Broekman via clamav-users wrote:
There's not a lot that you can do in Yara rules that you can't do in LDB sigs... for what it's worth, here's a logical sig that detects the same thing as the Yara rules...

mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb| sigtool --decode-sigs
VIRUS NAME: MJB.JS.SendEmailFunc-0
TDB: Engine:90-255,Target:0
LOGICAL EXPRESSION: 0>3
  * SUBSIG ID 0
  +-> OFFSET: ANY
  +-> SIGMOD: NOCASE
  +-> DECODED SUBSIGNATURE:
<script{WILDCARD_ANY_STRING(LENGTH<=1)}type="text/javascript">{WILDCARD_ANY_STRING(LENGTH<=1)}function{WILDCARD_ANY_STRING(LENGTH<=1)}sendemail{WILDCARD_ANY_STRING(LENGTH<=1)}(){

mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb
MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;3c736372697074{-1}747970653d22746578742f6a617661736372697074223e{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i

*nods* Thanks. As it was I kept at it until I did actually have a full Yara signature that matched as intended working around the broken repetition condition with the hex string instead of the regex.

.ldb signatures could definitely use more expansive documentation; the examples in the PDF are really pretty simple. Earlier on I had also tripped over (among other things) what might be the correct syntax for multiple regex matches triggered by the same "hey, wake up!" subsignature. (I'm not sure I understand why that's needed, it seems rather awkward.)

I'll have to remember to try {-1} more often. This isn't the first time I've wanted to match a character that may not be there, although I usually also want to restrict matching to a subset of characters, not "any byte" (which is why I reached for the regex match in both my attempts at an ldb signature, and in the Yara signature).

-kgd
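As an added illustration (not code from the thread, and not ClamAV's own matcher), here is a small Python model of what the quoted .ldb line encodes: each hex run decoded back to text, `{-1}` treated as zero or one arbitrary byte, `::i` as case-insensitive, and the logical expression `0>3` evaluated as "subsignature 0 must hit more than three times". The gap and count semantics follow the ClamAV signature documentation but are simplified; the sample inputs are constructed.

```python
import re

# Constructed input: the logical signature quoted in the thread, copied unchanged.
LDB_LINE = ("MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;"
            "3c736372697074{-1}747970653d22746578742f6a617661736372697074223e"
            "{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i")

def parse_ldb(line):
    """Split an .ldb line into name, target block, logical expression and subsigs."""
    name, tdb, expr, *subsigs = line.split(";")
    return {"name": name, "tdb": tdb, "expr": expr, "subsigs": subsigs}

def subsig_to_regex(subsig):
    """Turn a hex subsignature with {n}, {-n}, {n-} and {n-m} gaps, plus the ::i
    (nocase) modifier, into a Python regex. *, ?? and (aa|bb) are not handled."""
    body, _, mods = subsig.partition("::")
    parts = []
    for tok in re.split(r"(\{[^}]*\})", body):
        if not tok:
            continue
        if tok.startswith("{"):
            lo, dash, hi = re.fullmatch(r"\{(\d*)(-?)(\d*)\}", tok).groups()
            # {-1} becomes .{0,1}: zero or one arbitrary byte, which is why the
            # signature tolerates a single optional space between its tokens
            parts.append(".{%s,%s}" % (lo or "0", hi) if dash else ".{%s}" % lo)
        else:
            parts.append(re.escape(bytes.fromhex(tok).decode("latin-1")))
    flags = re.DOTALL | (re.IGNORECASE if "i" in mods else 0)
    return re.compile("".join(parts), flags)

def match_counts(line, data):
    """Count non-overlapping hits of every subsignature in data."""
    return [len(subsig_to_regex(s).findall(data)) for s in parse_ldb(line)["subsigs"]]

def evaluate(expr, counts):
    """Evaluate a parenthesis-free logical expression: subsig ids, N>M / N<M / N=M
    (M a match count), joined by & and |.  "0>3" needs subsig 0 to hit more than 3 times."""
    def term(t):
        idx, op, n = re.fullmatch(r"(\d+)(?:([<>=])(\d+))?", t).groups()
        c = counts[int(idx)]
        if op is None:
            return c > 0
        return c < int(n) if op == "<" else c > int(n) if op == ">" else c == int(n)
    return any(all(term(t) for t in conj.split("&")) for conj in expr.split("|"))

def detects(line, data):
    """True when the signature's logical expression holds for data."""
    return evaluate(parse_ldb(line)["expr"], match_counts(line, data))
```

Two spaces between `<script` and `type` defeat the `{-1}` gap, which is the "any byte, but at most one" behaviour discussed above.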

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
