G.W. Haywood wrote:
> Hi Kris,
> On Thu, 15 Mar 2018, Kris Deugau wrote:
>> I'm still chasing signatures for a certain class of (very) oversized
>> spam with malformed HTML. ...
> Would you be able to send me a few samples? Preferably with full headers.
I've been able to create logical (.ldb)
Hi Kris,
On Thu, 15 Mar 2018, Kris Deugau wrote:
> I'm still chasing signatures for a certain class of (very) oversized
> spam with malformed HTML. ...
Would you be able to send me a few samples? Preferably with full headers.
--
73,
Ged.
___
Mark Fortescue wrote:
> Hi
> I know nothing about YARA but you could try escaping the hash in case it
> is being treated as a comment line.
> e.g. \#a > 1
The comment metasymbol for Yara rules is "//", but I tried this anyway
as a long shot:
$ clamscan -d foo.yar
LibClamAV Error: yyerror():
I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. I've found an issue that is either an
implementation limit or a bug in ClamAV's handling of Yara rules.
I've narrowed it down to an issue with the "#" condition variant.
For a rule like so:
rule