Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Mark Foley
On Thu, 6 Jul 2017 11:34:53 -0400 Kris Deugau wrote
> > Mark Foley wrote:
> > > So, the question posted below remains:
> > >
> > > Will the expetr.yara rule, described in this thread, run as is, or not, on
> > > Linux?
> > Any valid signature file will be loaded and used.
> > Any *invalid* signature fil

Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Kris Deugau
Mark Foley wrote:
> So, the question posted below remains:
>
> Will the expetr.yara rule, described in this thread, run as is, or not, on
> Linux?

Any valid signature file will be loaded and used. Any *invalid* signature file will cause clamd to exit. If clamd is running, and you've been able to co

Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread kionez
#include // created 06/07/2017 14:41

Hi demonduck,

> Unfortunately the Regex engine (...) does not support many regex
> features supported in PCRE v6 or v7.

[cut]

I was afraid of this, I'm digging into the source code of libclamav's regex to find the differences between original OpenBSD regex a

Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread demonduck
kionez, Unfortunately the Regex engine ( https://github.com/vrtadmin/clamav-devel/blob/631f3e1165ed518a99e0f12f1a02a345feb2aea9/libclamav/regex/regexec.c) for container metadata signatures (CDB) does not leverage the same engine (PCRE) as LDB signatures. CDB signatures use the OpenBSD's libc/regex

Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread Al Varnell
Have you used this Regular Expressions Tutorial?

-Al-

On Thu, Jul 06, 2017 at 03:31 AM, kionez wrote:
>
> Hi all,
>
> I wonder how I can use a backreference FilenameRegex in signatures
> based on container metadata. I read the manual (signatur

[clamav-users] FilenameRegex and backreferences

2017-07-06 Thread kionez
Hi all, I wonder how I can use a backreference FilenameRegex in signatures based on container metadata. I read the manual (signatures.pdf), peeked into other rules (Sanesecurity) and some RTFM for OpenBSD regex without success. I would like to intercept some recurrent pattern in filenames, for ex