[clamav-users] clamav 0.99 beta yara
Steve Basford
steveb_clamav at sanesecurity.com
Thu Jun 25 07:22:01 UTC 2015
Couple of pre-coffee questions...
1)
From what I can tell Yara signature names will be generated based on
the yara rule name provided...
eg:
testname.yara:

    rule Sanesecurity.test
    {
        strings:
            $match1 = "test"
            $ignore1 = "this1"
            $ignore2 = "this2"
        condition:
            $match1 and not ($ignore1 or $ignore2)
    }

So, if it matched the name will be: Sanesecurity.test.UNOFFICIAL
Would it be a good idea if ClamAV engine *auto-added* .Yara or _Yara to the
end/beginning of Yara signatures to help end-users work out if it's a
normal ClamAV database or a Yara rule:
Eg: Sanesecurity.test.Yara.UNOFFICIAL
2) I take it Yara signatures can be whitelisted using .ign2 etc.
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com