[Clamav-devel] [Regular Expression] HEXSIG[x-y]aa

Kevin Lin klin at sourcefire.com
Mon Dec 8 12:37:41 EST 2014


The first key thing to note is that ClamAV doesn't officially support regex
signatures, outside of some limited support in phishing databases (*.pdb)
and whitelist databases (*.wdb). Extra details on those signature formats
can be found in phishsigs_howto.pdf in the documentation directory of the
ClamAV source distribution, or at
https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf.

The particular signature referenced in the bug report:
----
testsig:7:5:64[4-4]61616161{2}6262[3-6]65:27
----
is in the ClamAV extended signature format (*.ndb), using various types of
wildcards. The details of the extended signature format can be found in
signatures.pdf in the documentation directory of the ClamAV source
distribution, or at
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf.

In regard to the question posed in comment #7 of bug report #776, the
short answer is that both of the HexSIGs "64676767676161616164646262626262636365"
and "64616161616161616169696262626262636365" match. This is because
"HEXSIG[x-y]aa" and "aa[x-y]HEXSIG" are a variant of the ClamAV wildcards
which optimizes the search for a byte [aa] and a hex signature [HEXSIG] with
x to y bytes in between the byte and the hex signature.

In the testsig, there are two examples of this wildcard variant:
----
64[4-4]61616161
----
*** search for the byte "64" followed by the hex sequence "61616161" with
exactly 4 arbitrary bytes in between.
----
6262[3-6]65
----
*** search for the hex sequence "6262" followed by the byte "65" with 3 to 6
arbitrary bytes in between.

(Note that the "{2}" in between is another wildcard variant meaning to
match 2 arbitrary bytes.)

Thus the signature matches:
64[67676767]616161616{4646}2626[262626363]65
64[61616161]616161616{9696}2626[262626363]65

In both cases the [3-6] matches 4 arbitrary bytes.

I'll add this message to the bug report at
https://bugzilla.clamav.net/show_bug.cgi?id=776.

-Kevin

On Thu, Dec 4, 2014 at 9:35 PM, kimdien <kimdien at ampm.com.vn> wrote:

> Hi,
>
> My thesis is related to regex signatures in the ClamAV database.
>
> I don't understand the type HexSIG[x-y]aa or aa[x-y]HexSIG.
>
> In https://bugzilla.clamav.net/show_bug.cgi?id=776#add_comment, you use
>
> testsig:7:5:64[4-4]61616161{2}6262[3-6]65:27
>
> And the test data (HexSIG) 64616161616161616164646262626262636365 matches
> testsig.
>
> My question is:
>
> Does HexSIG "64676767676161616164646262626262636365" match?
>
> Does HexSIG "64616161616161616169696262626262636365" match?
>
> Please help me.
>
> Best Regards
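To make the wildcard semantics discussed in this thread concrete, the following is an added example written for this page; it is not ClamAV's own matcher and not code from either poster. It parses the *.ndb line, translates the hex body into a Python bytes regex, and reports which bytes each wildcard consumed, in the same bracket notation Kevin uses above. Assumptions of this example: the TargetType and Offset fields (7 and 5 here) are parsed but not enforced, so the hex body is scanned at any position; the `??`, `*`, `{n-}` and `{-m}` forms from signatures.pdf are supported as well, although the thread only uses `[n-m]` and `{n}`; and `[x-y]` is matched exactly like `{x-y}`, since the mail describes it as a search optimization for the same x-to-y-byte gap (the single-byte-neighbour constraint is not checked). The first three buffers are the ones from the thread; the fourth is constructed here as a negative case.

```python
import re
from typing import List, Optional, Tuple

# Field layout of an extended (*.ndb) signature, per signatures.pdf:
#   MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
NDB_FIELDS = ("name", "target_type", "offset", "hexsig")


def parse_ndb(line: str) -> dict:
    """Split one *.ndb line into its fields.

    TargetType and Offset are returned but not enforced by match_hexsig()
    (an assumption of this example: the hex body is scanned at any offset).
    """
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not an ndb signature: {line!r}")
    return dict(zip(NDB_FIELDS, parts[:4]))


# Wildcards of the hex body (signatures.pdf):
#   ??     wildcard nibble inside a byte, e.g. 4? or ?4
#   *      any number of bytes
#   {n}    exactly n bytes; {n-m} n..m; {n-} at least n; {-m} at most m
#   [n-m]  n..m bytes; the variant ClamAV optimises when a single byte sits
#          on one side (this example does not check that constraint)
_TOKEN = re.compile(r"""
      (?P<star>\*)
    | \{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}
    | \[(?P<blo>\d+)-(?P<bhi>\d+)\]
    | (?P<byte>[0-9a-fA-F?]{2})
""", re.VERBOSE)


def _byte_fragment(tok: str) -> bytes:
    """Regex fragment for one byte token; either nibble may be '?'."""
    if "?" not in tok:
        return b"\\x%02x" % int(tok, 16)
    hi, lo = tok
    members = [b for b in range(256)
               if (hi == "?" or b >> 4 == int(hi, 16))
               and (lo == "?" or b & 0xF == int(lo, 16))]
    return b"[" + b"".join(b"\\x%02x" % b for b in members) + b"]"


def compile_hexsig(hexsig: str) -> Tuple[re.Pattern, List[str]]:
    """Translate a hex body into a bytes regex.

    Each wildcard becomes a capturing group so the bytes it consumed can be
    reported afterwards.  Returns (pattern, kinds), kinds holding one entry
    per token: 'byte', '{}', '[]' or '*'.
    """
    frags, kinds, pos = [], [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"cannot parse {hexsig!r} at offset {pos}")
        pos = m.end()
        if m.group("byte"):
            frags.append(_byte_fragment(m.group("byte")))
            kinds.append("byte")
        elif m.group("star"):
            frags.append(b"(.*)")
            kinds.append("*")
        elif m.group("blo"):
            frags.append(b"(.{%d,%d})" % (int(m.group("blo")), int(m.group("bhi"))))
            kinds.append("[]")
        else:
            lo, dash, hi = m.group("lo"), m.group("dash"), m.group("hi")
            if not (lo or hi):
                raise ValueError(f"empty {{}} wildcard in {hexsig!r}")
            if not dash:                                   # {n}
                frags.append(b"(.{%d})" % int(lo))
            else:                                          # {n-m}, {n-}, {-m}
                frags.append(b"(.{%s,%s})" % (lo.encode() or b"0", hi.encode()))
            kinds.append("{}")
    if pos != len(hexsig):
        raise ValueError(f"cannot parse {hexsig!r} at offset {pos}")
    return re.compile(b"".join(frags), re.DOTALL), kinds


_WRAP = {"{}": "{%s}", "[]": "[%s]", "*": "*%s*"}


def match_hexsig(sig: dict, data: bytes) -> Optional[str]:
    """Scan data for sig['hexsig'] at any offset.

    Returns None on no match; otherwise the matched bytes as hex, with the
    bytes each wildcard consumed wrapped in that wildcard's own delimiters,
    e.g. 64[67676767]61616161{6464}6262[6262626363]65.
    """
    pattern, kinds = compile_hexsig(sig["hexsig"])
    m = pattern.search(data)
    if m is None:
        return None
    out, cursor, group = [], m.start(), 0
    for kind in kinds:
        if kind == "byte":
            out.append(data[cursor:cursor + 1].hex())
            cursor += 1
        else:
            group += 1
            start, end = m.span(group)
            out.append(_WRAP[kind] % data[start:end].hex())
            cursor = end
    return "".join(out)


if __name__ == "__main__":
    sig = parse_ndb("testsig:7:5:64[4-4]61616161{2}6262[3-6]65:27")
    samples = {
        "original test data": "64616161616161616164646262626262636365",
        "first question": "64676767676161616164646262626262636365",
        "second question": "64616161616161616169696262626262636365",
        # constructed here: seven bytes between 6262 and 65, outside [3-6]
        "gap of 7 (constructed)": "64" + "61" * 8 + "6464" + "62" * 9 + "65",
    }
    for label, hexdata in samples.items():
        print(f"{label:24} -> {match_hexsig(sig, bytes.fromhex(hexdata))}")
```

Run stand-alone, it prints the annotation for each buffer. Counting on byte boundaries, the `[3-6]` range consumes five bytes (62 62 62 63 63) in all three of the thread's buffers, while the constructed buffer with seven bytes between 6262 and 65 is rejected because neither the `64` at offset 0 nor the later `64` bytes can satisfy the whole pattern.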