
Creating signature excluding part of string
Hi,

I am trying to create a signature that matches a pattern, but it should not match
when a specific pattern is present.

From the documentation:
. !(aa|bb|cc|..)
Match any byte except aa and bb and cc.. (ClamAV >0.96)


I have searched a lot, but cannot find any example using this wildcard.



This is what I am trying to do:

This should not be a match:
string1 [10.11.12.13] this is string2

This should match regardless of what ##.##.##.## contains (except 10.11.12.13):
string1 [##.##.##.##] this is string2



I have created a signature like this:

Mysignature.ndb
Mysignature.01:0:*:string1{-2}!([10.11.|12.13]) this is string2


But I can't get it to work.


Did I misunderstand how to use the wildcard "!" ?


Thank you for your help!


Best regards
Asle Skage





_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Creating signature excluding part of string
On Fri, 26 Aug 2011 13:07:45 +0200 Asle Skage <asle.skage@online.no> wrote:
> Hi,
>
> I am trying to create a signature that matches a pattern, but it should not match
> when a specific pattern is present.
>
> From the documentation:
> . !(aa|bb|cc|..)
> Match any byte except aa and bb and cc.. (ClamAV >0.96)

This only works for single bytes, not for strings. You need to use
logical signatures, eg:

SigName;Target:0;0&1=0;pattern0;pattern1

This signature will only be reported if pattern0 gets matched and
pattern1 doesn't (1=0 means "pattern with ID 1 must be matched 0 times").

HTH,

--
oo ..... Tomasz Kojm <tkojm@clamav.net>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Fri Aug 26 13:08:48 CEST 2011
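
The reply above, applied to the strings from the original question, as an added example that is not part of the thread: it builds the `.ldb` line (subsignatures hex-encoded) and runs a simplified model of the `0&1=0` logic over constructed samples. The `{7-15}` gap for the dotted quad and the `would_report` model are assumptions made for illustration, not ClamAV's own engine.

```python
import re

# Strings from the thread; the 7-15 byte gap for a dotted quad is an assumption.
PREFIX, SUFFIX = "string1 [", "] this is string2"
EXCLUDED = "string1 [10.11.12.13] this is string2"
GAP = (7, 15)

def hex_sub(text):
    """Hex-encode an ASCII literal, as ClamAV body subsignatures require."""
    return text.encode("ascii").hex()

def build_ldb(name):
    """Return a .ldb line: subsig 0 is the general pattern, subsig 1 the exclusion."""
    sub0 = "%s{%d-%d}%s" % (hex_sub(PREFIX), GAP[0], GAP[1], hex_sub(SUFFIX))
    return ";".join([name, "Target:0", "0&1=0", sub0, hex_sub(EXCLUDED)])

def would_report(data):
    """Simplified model of 0&1=0: subsig 0 found AND subsig 1 found zero times."""
    sub0 = re.compile(re.escape(PREFIX.encode()) + b".{%d,%d}" % GAP
                      + re.escape(SUFFIX.encode()), re.S)
    return bool(sub0.search(data)) and EXCLUDED.encode() not in data

# Constructed sample inputs (192.0.2.7 is a documentation address).
SAMPLES = {
    "excluded only": b"string1 [10.11.12.13] this is string2\n",
    "other address": b"string1 [192.0.2.7] this is string2\n",
    "both in one file": b"string1 [192.0.2.7] this is string2\n"
                        b"string1 [10.11.12.13] this is string2\n",
}

if __name__ == "__main__":
    print(build_ldb("Mysignature.01"))
    for label, data in SAMPLES.items():
        print("%-17s -> %s" % (label, "FOUND" if would_report(data) else "OK"))
```

Because `1=0` counts matches across the whole scanned file, the third sample is not reported even though it also contains a line that would match on its own.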
Re: Creating signature excluding part of string
Thank you!
That worked as expected.

The same story: Reading the manual more thoroughly could have told me
the same!



Best regards
Asle Skage



Re: Creating signature excluding part of string
On Fri, 26 Aug 2011 16:47:00 +0200 Asle Skage <asle.skage@online.no> wrote:
> Thank you!
> That worked as expected.

You're welcome! Glad to hear it worked for you.

> The same story: Reading the manual more thoroughly could have told me
> the same!

;-)

--
oo ..... Tomasz Kojm <tkojm@clamav.net>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Fri Aug 26 22:34:21 CEST 2011