Steve,
One more question: is Sanesecurity planning to distribute yara signatures
when 0.99 final is released? This will help with appropriate scheduling of
any parameter implementations.
Thanks,
Steve
On Thu, Jun 25, 2015 at 3:20 PM, Steven Morgan wrote:
> Steve,
>
> Thanks. We'll look into add
Steve,
Thanks. We'll look into additional command line/clamd.conf options to
select or exclude signature types. This might be best done if/when Cisco
ships yara signatures, since currently users are responsible for the
content and locations of database directories regarding yara and these can
easi
Steve,
Thanks for the pointers.
We'll look into adding a yara suffix, although it is not done for other
sig types and it is also easy to grep the sig name within the database
directory to identify the sig type/origin.
As for whitelisting yara, that code should be already in place. I'll double
c
Just a few more questions to think about...
3) Clamscan --official-db-only=yes
Will that only apply to ndb's or to Yara too... or do we need
--official-yara-only=yes?
4) Clamscan --yara-signatures=no
Will there be an option like the above to disable Yara sigs
5) Will there be an option to *on
Couple of pre-coffee questions...
1)
From what I can tell Yara signature names will be generated based on
the yara rule name provided...
eg:
testname.yara:
rule Sanesecurity.test
{
    strings:
        $match1 = "test"
        $ignore1 = "this1"
        $ignore2 = "this2"
    condition:
        $match1 and not ($ignore1 or $ignore2)
}
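The thread notes that yara signature names are derived from the `rule <name>` line and that the origin of a signature can be found by grepping the database directory. The following is an added example, not code from ClamAV, Sanesecurity or anyone in this thread: it indexes every rule name under a database directory, reports which file declares it, and flags the same rule name declared in two files (which would be worth catching before the directory is loaded). The `.yar`/`.yara` suffixes, the sample database contents, and the stripping of a `YARA.` prefix or `.UNOFFICIAL` suffix from a reported name are assumptions made for the example.

```python
"""Index YARA rule names across a ClamAV-style database directory.

Added example (not ClamAV's or Sanesecurity's code). Since reported
signature names are derived from the 'rule <name>' line, this walks a
database directory, records each rule name with the file declaring it,
and answers "which file does this signature come from?" without a
manual grep. File suffixes and name decorations are assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List

# Assumption: YARA files in the database directory end in .yar or .yara.
YARA_SUFFIXES = (".yar", ".yara")

# Matches 'rule <name>' with optional 'private'/'global' modifiers and an
# optional tag list, e.g. 'private rule Foo_bar : tag1 {'. A dot is allowed
# in the name only because the thread's sample rule is 'Sanesecurity.test'.
RULE_RE = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z0-9_.]+)", re.MULTILINE
)


def rule_names(text: str) -> List[str]:
    """Return the rule names declared in YARA source text, in file order."""
    return RULE_RE.findall(text)


def index_database(db_dir: str) -> Dict[str, List[str]]:
    """Map each rule name to the YARA file(s) declaring it under db_dir.

    Non-YARA files (e.g. .ndb) are skipped. A name declared in more than
    one file keeps every path, so duplicates are visible to the caller.
    """
    index: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(db_dir):
        for fname in sorted(files):
            if not fname.lower().endswith(YARA_SUFFIXES):
                continue
            path = os.path.join(root, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for name in rule_names(fh.read()):
                    rel = os.path.relpath(path, db_dir)
                    index.setdefault(name, []).append(rel)
    return index


def duplicate_rules(index: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Rule names declared in more than one file."""
    return {name: paths for name, paths in index.items() if len(paths) > 1}


def locate_signature(sig: str, index: Dict[str, List[str]]) -> List[str]:
    """Files declaring the rule behind a reported signature name.

    Assumption: the scanner may decorate the rule name with a leading
    'YARA.' and/or a trailing '.UNOFFICIAL'; one of each is stripped
    before the lookup. The bare rule name is also accepted.
    """
    name = sig
    if name.startswith("YARA."):
        name = name[len("YARA."):]
    if name.endswith(".UNOFFICIAL"):
        name = name[: -len(".UNOFFICIAL")]
    return index.get(name, [])


def build_sample_db() -> str:
    """Write a constructed database directory for demonstration only."""
    db_dir = tempfile.mkdtemp(prefix="clamdb-")
    samples = {
        # The thread's sample rule, as posted (constructed file name).
        "testname.yara": (
            "rule Sanesecurity.test\n{\n    strings:\n"
            '        $match1 = "test"\n        $ignore1 = "this1"\n'
            '        $ignore2 = "this2"\n    condition:\n'
            "        $match1 and not ($ignore1 or $ignore2)\n}\n"
        ),
        # Constructed: modifiers, a tag list, and a second rule.
        "extra.yar": (
            "private rule Foo_bar : tag1 {\n    condition: true\n}\n"
            "rule Baz {\n    condition: false\n}\n"
        ),
        # Constructed: redeclares Baz, so it should be reported as a duplicate.
        "dup.yara": "rule Baz {\n    condition: true\n}\n",
        # Constructed non-YARA database file; must be ignored.
        "daily.ndb": "Sanesecurity.Fake:0:*:74657374\n",
    }
    for fname, text in samples.items():
        with open(os.path.join(db_dir, fname), "w", encoding="utf-8") as fh:
            fh.write(text)
    return db_dir


if __name__ == "__main__":
    idx = index_database(build_sample_db())
    for rule, files in sorted(idx.items()):
        print(f"{rule}: {', '.join(files)}")
    print("duplicates:", duplicate_rules(idx))
    print("YARA.Sanesecurity.test.UNOFFICIAL ->",
          locate_signature("YARA.Sanesecurity.test.UNOFFICIAL", idx))
```

Run it against a real database directory by replacing `build_sample_db()` with the path clamd loads from; the duplicate check is the part worth wiring into whatever refreshes that directory, since two files declaring the same rule name is the kind of collision the thread's suffix discussion is trying to avoid.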