Hi Micah,

On Tue, 1 Mar 2022, Micah Snyder (micasnyd) via clamav-users wrote:

> ... Perhaps we should be asking the development team for readable LDB rules? :)

> Creating a new "human readable", or "human friendly", signature
> language is something that I've brought up many times these past 6
> months in our team meetings.  I think it's more feasible than trying
> to make Yara rules fully functional in ClamAV, or than trying to
> make our signatures look the same as Yara.

My feeling is that quite possibly you're right, but I would want to
investigate the possibilities if any of some kind of Yara library.
With admittedly a few reservations, I like Yara rules a lot for their
simplicity and readability.  I'd like a bit more flexibility, and the
odd feature - more on that later.

> I toyed a bit with using the KDL document language ...
> (https://github.com/kdl-org/kdl) as a base for a new format.  My
> thought is it could be "compiled" or converted to a more compact line
> of text prior to distribution, or unpacked/decompiled for
> readability as needed.  I am hoping we can spend some time these
> next few months investigating it further, once 0.105 is out.  With
> our Rust language integration working rather nicely these days, we
> should be able to leverage the language and library ecosystem for
> this effort, making it far easier to implement than with C.

Heh, I used to write C libraries so that I could still use C. :/

> A disclaimer: This is purely brainstorming ...

Understood.

> // example logical signature
> ...
> // example .ign signature
> ...
> // example .crb trusted cert
> ...
> // Example .crb revoked certificate
> ...

Weeeellllll... an improvement, but _still_ butt ugly compared to Yara.

> I haven't thought through all the implications of allowing plaintext
> ... but I feel this project is doable.

:)

> I am particularly interested in feedback from those of you who write
> ClamAV signatures regularly ...

Count me in.  You must know by now that I only scan emails.  One of
the things I'd love to have from Yara/whatever which I don't have at
present is something to declare rules which will only match headers or
bodies in emails.  If you draped me over a cauldron of boiling oil I
could do it with a regex but it would make life extremely tedious.  I
split messages into header+body in a milter and scan them separately
anyway but to do what I really want ATM would need two copies of clamd
using one to scan the headers and the other to scan the bodies.  I've
occasionally run more than one clamd for testing, but so far resisted
the temptation to do that in production.  Another is some sort of test
facility so you could run samples through a new ruleset before it goes
live on the clamd server *and* get verbose feedback about the matching
process which you wouldn't want when it's live.  Oh, and a parser that
actually notices if there are missing curly braces... :/

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
