Steve, I like the idea, but why the hex;hex? Just thinking about my recent issues with direct deposit phishing emails from gmail.com: they are probably written by people, so I can't really hash it and have to regex it.
> On Mar 16, 2022, at 5:10 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
>
> On 16 March 2022 20:29:19 "Micah Snyder (micasnyd) via clamav-users" <clamav-users@lists.clamav.net> wrote:
>
>> yara rule loading logic works right now.
>>
>>> (3) a way to specify that a rule is to match in
>>> (a) mail headers only or
>>> (b) mail body only or
>>> (c) both;
>
> Just a random early thought... could .ldb be extended... by reading the whole
> message, processing as normal... but if it's a header line mark it as h, body
> with a b...
>
> So if the ldb could be extended with h/b... you could still use the normal
> ldb logic...
>
> Test;Engine:81-255,Target:0;(h0&b0=0);hex;hex
>
> Test;Engine:81-255,Target:0;(b0);
>
> h=headers only line
> b=body only line
>
> So h0 hex will only match if it's a header line
> So b0 hex will only match if it's a body line
>
> Sorry for the formatting.. on mobile.
>
> Cheers,
>
> Steve
> Twitter: @sanesecurity
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
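To make the h/b scoping sketched in the thread concrete, here is an added Python toy. It is not ClamAV code and not how clamd evaluates .ldb signatures today: it parses a signature line in the shape Steve proposed (Name;Engine/Target;(logic);hex;hex...), decodes each hex subsignature into a byte pattern (only the ?? single-byte wildcard is implemented; ClamAV's *, {n-m} and (aa|bb) forms are not), counts matches of each subsignature in the header region, the body region, or the whole message depending on whether the logic references it as h<n>, b<n> or a bare <n>, and then evaluates the logic with ClamAV-style =N / <N / >N count tests. The interpretation of h/b as "match within the header or body region" (rather than strictly per line), the use of =N on a prefixed subsignature, the signature names and the sample message are all assumptions constructed for this example.

```python
import re

# Constructed sample message for this example; not a real phishing mail.
SAMPLE_MESSAGE = (
    b"From: Payroll <payroll@example.com>\r\n"
    b"Subject: Direct deposit update required\r\n"
    b"To: staff@example.org\r\n"
    b"\r\n"
    b"Hello,\r\n"
    b"Please confirm your direct deposit details at the link below.\r\n"
)


def as_hex(text: str) -> str:
    """Encode a literal string in the hex form an .ldb subsignature uses."""
    return text.encode().hex()


def hex_to_regex(hexpat: str) -> re.Pattern:
    """Turn a hex subsignature into a byte regex. Only the ?? single-byte
    wildcard is supported here (assumption: the rest of ClamAV's syntax is omitted)."""
    if len(hexpat) % 2:
        raise ValueError(f"odd-length hex pattern: {hexpat}")
    parts = []
    for i in range(0, len(hexpat), 2):
        pair = hexpat[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def split_message(raw: bytes):
    """Split a raw RFC 5322 message into (headers, body) at the first blank line."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else b"")


def parse_signature(line: str):
    """Name;Engine:..,Target:..;(logic);hex;hex... -> (name, logic, [regex, ...]).
    A trailing ';' with no hex (as in the sketch above) is simply ignored."""
    name, _target, logic, *subsigs = line.split(";")
    return name, logic, [hex_to_regex(s) for s in subsigs if s]


# h<n> / b<n> / <n>, optionally followed by a =N, <N or >N count comparison.
TOKEN_RE = re.compile(r"([hb]?)(\d+)(?:([=<>])(\d+))?")


def evaluate_logic(logic: str, count) -> bool:
    """A bare reference is true when that subsig matched at least once;
    =N / <N / >N compare the match count. count(scope, idx) supplies the numbers."""
    def term(m):
        scope, idx, op, n = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        c = count(scope, idx)
        if op is None:
            return str(c > 0)
        return str({"=": c == int(n), "<": c < int(n), ">": c > int(n)}[op])

    expr = TOKEN_RE.sub(term, logic).replace("&", " and ").replace("|", " or ")
    # After substitution only booleans, operators and parentheses may remain;
    # anything else means the signature was malformed, so refuse to eval it.
    if not re.fullmatch(r"(?:[()\s]|True|False|and|or)+", expr):
        raise ValueError(f"unsupported logic expression: {logic}")
    return bool(eval(expr, {"__builtins__": {}}, {}))


def scan(signature: str, raw: bytes):
    """Return (signature name, matched?) for one signature against one raw message."""
    name, logic, pats = parse_signature(signature)
    headers, body = split_message(raw)
    regions = {"h": headers, "b": body, "": raw}   # "" = unprefixed, whole message
    cache = {}

    def count(scope, idx):
        if (scope, idx) not in cache:
            cache[(scope, idx)] = len(pats[idx].findall(regions[scope]))
        return cache[(scope, idx)]

    return name, evaluate_logic(logic, count)


# Constructed signatures in the proposed shape (the h/b prefix is the idea under
# discussion, not current ClamAV syntax).
SIG_HEADER_AND_BODY = ("Test.DDPhish;Engine:81-255,Target:0;(h0&b1);"
                       + as_hex("Subject: Direct deposit") + ";" + as_hex("direct deposit"))
SIG_BODY_ONLY = "Test.BodyOnly;Engine:81-255,Target:0;(b0);" + as_hex("Subject: Direct deposit")
SIG_HEADER_NOT_BODY = "Test.HdrNotBody;Engine:81-255,Target:0;(h0&b0=0);" + as_hex("Direct deposit")
SIG_WILDCARD = "Test.Wild;Engine:81-255,Target:0;(b0);64??72656374"   # "d??rect" in hex

if __name__ == "__main__":
    for sig in (SIG_HEADER_AND_BODY, SIG_BODY_ONLY, SIG_HEADER_NOT_BODY, SIG_WILDCARD):
        name, hit = scan(sig, SAMPLE_MESSAGE)
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

Running it shows the scoping Steve describes: the Subject-line pattern matches under h0 but not under b0, and (h0&b0=0) fires because "Direct deposit" appears in the headers and not (case-sensitively) in the body. Two caveats for anyone turning this into a real rule engine: the toy matches against the raw body, whereas a mail scanner has to decode MIME parts (base64, quoted-printable) first, and the hex subsignatures are exact byte patterns, so case and spelling variants each need their own pattern or wildcard.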