Micah Snyder (micasnyd) via clamav-users wrote:
G.W. Haywood wrote:
Execution time will be important for scanning filesystems, less so for
scanning mail (at least for scanning low-volume mail) and readability
can be hugely important if you're writing a lot of rules. Perhaps we
should be asking the development team for readable LDB rules? :)
Creating a new "human readable", or "human friendly", signature language
is something that I've brought up many times these past 6 months in our
team meetings. I think it's more feasible than trying to make Yara
rules fully functional in ClamAV, or than trying to make our signatures
look the same as Yara.
I toyed a bit with using the KDL document language
(https://github.com/kdl-org/kdl) as a base for a new format. My thought
is it could be "compiled" or converted to a more compact line of text
prior to distribution, or unpacked/decompiled for readability as
needed. I am hoping we can spend some time these next few months
investigating it further, once 0.105 is out. With our Rust language
integration working rather nicely these days, we should be able to
leverage the language and library ecosystem for this effort, making it
far easier to implement than with C.
For some types of content, just allowing a plain ASCII string instead of
the hex-coded version of the same would be a big help. Or an
enhancement in the current file formats allowing embedded comments -
I've lost track of how many times I've created something complex, and
had to reconstruct whatever logic I used to create it to make a tweak or
refinement - or just gave up and created a new signature - because
there's no way to document it in-band. Ignoring empty lines -
especially at the end of the signature file! - instead of just claiming
"invalid signature" would ease editing.
A disclaimer: This is purely brainstorming, and I have no idea if we
would continue with the KDL idea or find something else. Here are some
examples from my short time spent brainstorming this a few months back.
// example logical signature
[snip]
TBH that looks almost identical to the Yara rule syntax at a quick look.
Hard to say whether it would be better to spend time spinning up yet
another signature format, or fixing edge cases in one that's already
present and in use.
-kgd
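As an added example (not code from this thread, from ClamAV, or from KDL), a small Python sketch of the compile/decompile idea Micah describes, covering the wishes in the earlier reply as well: quoted ASCII instead of hex, in-band comments, and tolerated blank lines, compiled down to compact ndb lines and unpacked again for reading. The readable format, its keyword names, and the sample signature body are all constructed for this illustration; only the ndb line layout and the `??`, `*` and `{n-m}` wildcards are ClamAV's own.

```python
import re

# Constructed readable form (an assumption for this example, not any ClamAV format):
# "sig NAME" opens a record, "key value" lines follow, "#" outside quotes is a comment.
READABLE = """
# Constructed sample: marker text, a one-byte wildcard, then an MZ tag.
sig Example.Constructed.Marker
  target 0          # ndb target type 0 = any file
  offset *
  body "CONSTRUCTED" ?? "MARKER" {2-4} 4d5a

"""

COMMENT = re.compile(r'#(?=(?:[^"]*"[^"]*")*[^"]*$).*')  # '#' not inside quotes
WILDCARD = re.compile(r"(\?\?|\*|\{[0-9]*-?[0-9]*\})")   # ClamAV body wildcards

def compile_body(body: str) -> str:
    """Hex-encode quoted ASCII, keep bare hex and wildcards, validate the result."""
    hexed = re.sub(r'"([^"]*)"', lambda m: m.group(1).encode().hex(), body)
    hexed = hexed.replace(" ", "").lower()
    if not re.fullmatch(r"([0-9a-f]{2}|\?\?|\*|\{[0-9]*-?[0-9]*\})+", hexed):
        raise ValueError(f"body is not valid ClamAV hex: {body!r}")
    return hexed

def compile_readable(text: str) -> list[str]:
    """Compile the readable form to compact ndb lines (Name:Target:Offset:Hex)."""
    records, cur = [], None
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue                  # blank lines, even trailing ones, are fine
        key, _, val = line.partition(" ")
        if key == "sig":
            cur = {"name": val.strip()}
            records.append(cur)
        elif cur is None:
            raise ValueError(f"field before any 'sig' line: {raw!r}")
        else:
            cur[key] = val.strip()
    return [f"{r['name']}:{r.get('target', '0')}:{r.get('offset', '*')}:"
            f"{compile_body(r['body'])}" for r in records]

def decompile_body(hexbody: str) -> str:
    """Unpack printable runs of 3+ bytes back into quoted ASCII for reading."""
    out = []
    for tok in filter(None, WILDCARD.split(hexbody)):
        raw = bytes.fromhex(tok) if not WILDCARD.fullmatch(tok) and len(tok) % 2 == 0 else b""
        if len(raw) >= 3 and all(32 <= b < 127 and b != 34 for b in raw):
            tok = f'"{raw.decode()}"'
        out.append(tok)
    return " ".join(out)
```

Short byte runs such as the two-byte `4d5a` tag are left as hex on the way back so that incidental printable bytes are not dressed up as text.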
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users