[clamav-users] FilenameRegex and backreferences

2017-07-06 Thread kionez
Hi all,

I wonder how I can use a backreference in a FilenameRegex in signatures
based on container metadata. I read the manual (signatures.pdf), peeked
into other rules (Sanesecurity) and some RTFM for OpenBSD regex without
success.

I would like to intercept some recurrent pattern in filenames, for
example (I want to match testtest.txt):

TEST.TestFilename.001:CL_TYPE_ZIP:*:(test)\1.txt:*:*:*:*:*:*

And, more "reality-wise", I want to match a filename inside a directory,
where dir and file name are the same: PATTERN/PATTERN.exe with something
like:

TEST.TestFilename.002:CL_TYPE_ZIP:*:([a-z]{8,12})/\1\.exe:*:*:*:*:*:*

But I can't find a way to make it work as expected... Is there someone
who can help me? :)

Thanks in advance,

k.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread Al Varnell
Have you used this Regular Expressions Tutorial?


-Al-

On Thu, Jul 06, 2017 at 03:31 AM, kionez wrote:
> 
> Hi all,
> 
> I wonder how I can use a backreference in a FilenameRegex in signatures
> based on container metadata. I read the manual (signatures.pdf), peeked
> into other rules (Sanesecurity) and some RTFM for OpenBSD regex without
> success.
> 
> I would like to intercept some recurrent pattern in filenames, for
> example (I want to match testtest.txt):
> 
> TEST.TestFilename.001:CL_TYPE_ZIP:*:(test)\1.txt:*:*:*:*:*:*
> 
> And, more "reality-wise", I want to match a filename inside a directory,
> where dir and file name are the same: PATTERN/PATTERN.exe with something
> like:
> 
> TEST.TestFilename.002:CL_TYPE_ZIP:*:([a-z]{8,12})/\1\.exe:*:*:*:*:*:*
> 
> But I can't find a way to make it work as expected... Is there someone
> who can help me? :)
> 
> Thanks in advance,
> 
> k.



Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread demonduck
kionez,

Unfortunately the regex engine (
https://github.com/vrtadmin/clamav-devel/blob/631f3e1165ed518a99e0f12f1a02a345feb2aea9/libclamav/regex/regexec.c)
for container metadata signatures (CDB) does not leverage the same engine
(PCRE) as LDB signatures. CDB signatures use OpenBSD's libc/regex,
which does not support many regex features supported in PCRE v6 or v7.

I've bypassed this by converting my CDB to a LDB with a PCRE.

CDB:
TEST.TestFilename.002:CL_TYPE_ZIP:*:([a-z]{8,12})/\1\.exe:*:*:*:*:*:*

Would become LDB (something like):
TEST.TestFilename.002;Engine:81-255,Target:0;0&1;0:504B;2,200:0/(?P<name>[a-z]{8,12})(?P=name)\.exe/e

You may want to increase the max shift. This example only works since Zip
archives store filenames near the Zip file magic. Also, I've used the
(?P<var>...) and (?P=var) notation since it works for both PCRE v6 and v7.
Certain capture group notations only work with PCRE v7 (this may be
something to keep in mind).

I hope this helps,
demonduck

On Thu, Jul 6, 2017 at 6:41 AM, Al Varnell wrote:

> Have you used this Regular Expressions Tutorial?
> 
>
> -Al-
>
> On Thu, Jul 06, 2017 at 03:31 AM, kionez wrote:
> >
> > Hi all,
> >
> > I wonder how I can use a backreference in a FilenameRegex in signatures
> > based on container metadata. I read the manual (signatures.pdf), peeked
> > into other rules (Sanesecurity) and some RTFM for OpenBSD regex without
> > success.
> >
> > I would like to intercept some recurrent pattern in filenames, for
> > example (I want to match testtest.txt):
> >
> > TEST.TestFilename.001:CL_TYPE_ZIP:*:(test)\1.txt:*:*:*:*:*:*
> >
> > And, more "reality-wise", I want to match a filename inside a directory,
> > where dir and file name are the same: PATTERN/PATTERN.exe with something
> > like:
> >
> > TEST.TestFilename.002:CL_TYPE_ZIP:*:([a-z]{8,12})/\1\.exe:*:*:*:*:*:*
> >
> > But I can't find a way to make it work as expected... Is there someone
> > who can help me? :)
> >
> > Thanks in advance,
> >
> > k.
>

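As an added illustration (not code from the thread or from ClamAV), this Python script emulates how the LDB line in the reply above is evaluated: the `0:504B` trigger at offset 0, then the PCRE searched inside the `2,200` offset window, written with the `(?P<name>...)`/`(?P=name)` notation. The sample archives are constructed with `zipfile`; the directory pattern keeps the `/` separator from the original CDB rule, and the window check is a simplification (assumption) that constrains only the match start and does not model the PCRE flags.

```python
import io
import re
import zipfile

# Constructed sample archives (not from the thread): one stored entry each.
def build_zip(entry_name: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, b"placeholder payload bytes")
    return buf.getvalue()

# Named-group backreference form of the two CDB regexes from the question.
# The '/' between directory and file name is kept from the CDB rule.
TESTTEST_PATTERN = rb"(?P<t>test)(?P=t)\.txt"
DIR_PATTERN = rb"(?P<name>[a-z]{8,12})/(?P=name)\.exe"

def ldb_matches(data: bytes, pcre: bytes, offset: int = 2, maxshift: int = 200) -> bool:
    """Emulate the LDB body '0&1;0:504B;offset,maxshift:0/pcre/'.

    Subsig 0: the two bytes 50 4B ("PK") must sit at offset 0.
    Subsig 1: the PCRE must match starting somewhere in
    [offset, offset + maxshift]. Simplification (assumption): only the
    match start is constrained and PCRE flags such as 'e' are not modelled.
    """
    if data[0:2] != bytes.fromhex("504B"):
        return False
    m = re.compile(pcre).search(data, offset)
    return m is not None and m.start() <= offset + maxshift

if __name__ == "__main__":
    # In a zip local file header the entry name begins at offset 30, which is
    # why the rule works with '2,200' but fails with a much smaller max shift.
    sample = build_zip("abcdefghij/abcdefghij.exe")
    print(ldb_matches(sample, DIR_PATTERN))               # True
    print(ldb_matches(sample, DIR_PATTERN, maxshift=20))  # False: start 30 > 22
    print(ldb_matches(build_zip("testtest.txt"), TESTTEST_PATTERN))  # True
    print(ldb_matches(build_zip("abcdefghij/abcdefghik.exe"), DIR_PATTERN))  # False
```

The `maxshift=20` call is the point behind "you may want to increase the max shift": the window must reach the filename field of the local file header for the backreference to be tried at all.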

Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread kionez
#include // created 06/07/2017 14:41

Hi demonduck,

> Unfortunately the Regex engine (...) does not support many regex
> features supported in PCRE v6 or v7.
[cut]

I was afraid of this. I'm digging into the source code of libclamav's regex
to find the differences between the original OpenBSD regex and the one used,
but I'm not so able to understand the code: I was stuck on the
REG_EXTENDED flag and basic (BRE) vs extended (ERE) syntax... but your
solution is less complex ;)

I'll try to convert my rule into LDB!

Thanks!!

k.



Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Kris Deugau

Mark Foley wrote:

> So, the question posted below remains:
>
> Will the expetr.yara rule, described in this thread, run as is, or not, on
> Linux?

Any valid signature file will be loaded and used.

Any *invalid* signature file will cause clamd to exit.

If clamd is running, and you've been able to confirm the signature file
is being loaded, the signature will be checked.

Signatures are not platform-specific except in terms of what they're
intended to match on.

> I'm specifically asking about Eric's comment, "it requires a Win32 executable".

To answer this specific point, one of the signature fragments checks a
byte pattern in a certain location to help ensure that it only triggers
on files that are Win32 executables.

More generally, to confirm whether a specific signature is doing what
it's supposed to, you need to have a file to test with that you know is
supposed to match on that signature.


-kgd


Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Mark Foley
On Thu, 6 Jul 2017 11:34:53 -0400 Kris Deugau wrote
>
> Mark Foley wrote:
>
> > So, the question posted below remains:
> >
> > Will the expetr.yara rule, described in this thread, run as is, or not, on
> > Linux?
>
> Any valid signature file will be loaded and used.
>
> Any *invalid* signature file will cause clamd to exit.
>
> If clamd is running, and you've been able to confirm the signature file 
> is being loaded, the signature will be checked.
>
> Signatures are not platform-specific except in terms of what they're 
> intended to match on.
>
> > I'm specifically asking about Eric's comment, "it requires a Win32 
> > executable".
>
> To answer this specific point, one of the signature fragments checks a 
> byte pattern in a certain location to help ensure that it only triggers 
> on files that are Win32 executables.
>
> More generally, to confirm whether a specific signature is doing what 
> it's supposed to, you need to have a file to test with that you know is 
> supposed to match on that signature.
>
> -kgd

Thanks Kris, that answers my question. I somehow incorrectly took from Eric's
comment that the rule would only run on Windows, but I get that the rule is
inspecting the message for a Windows executable.

--Mark