[clamav-users] Yara and base64 encoded body

Steve basford steveb_clamav at sanesecurity.com
Wed Jul 27 08:28:10 UTC 2016


Hi,

If it helps, could you email the YARA rule and test email offlist and I'll 
have a quick look.

I seem to remember hitting that issue.

Cheers,

Steve
Web: sanesecurity.com
Twitter: @sanesecurity



On 27 July 2016 08:35:53 kionez <kionez at anche.no> wrote:

> Hi all,
>
> I'm using custom Yara rules to detect many kinds of spam directed to my
> customers; it's very effective and gives me many ways to intercept
> localized messages (i.e.: spam in Italian and French).
>
> Lately those spammers are using base64 encoding in the Subject: and body
> part, making my rules ineffective.
>
> I need to match some headers and the body part, because I don't want to
> generate false positives.
>
> I did some tests and I think that clamav is using this yara\pcre engine
> only on the "original" message and then on every single message part
> (excluding the mail headers), so if I want to run my rules on the
> decoded body I have to give up on the headers check and vice versa (due to
> the base64 encoded body in the original message).
>
> Is there a way to decode the original message before scanning, or something
> which permits running the yara engine on the decoded message?
>
> (I'm also RTFM'ing in amavisd-new, maybe with a custom filter...)
>
> Thanks.
>
>
> k.
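As an added example (not from this thread, and not ClamAV's or Sanesecurity's code): a small Python preprocessor of the kind kionez is asking about, which decodes the RFC 2047 Subject and the base64 transfer-encoded body into one flat text view so that a rule needing both a header string and a body string can match. The sample message and the YARA-style rule stand-in are constructed for the demonstration.

```python
import base64
import re
from email import policy
from email.parser import BytesParser
# Constructed sample (not from the thread): Italian-language spam whose
# Subject uses RFC 2047 "B" encoding and whose body is base64 transfer-
# encoded, the case kionez describes.
SUBJECT_TEXT = "Offerta speciale"
BODY_TEXT = "Offerta speciale solo per oggi: clicca qui"

def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def build_sample_message() -> bytes:
    """Raw RFC 822 message with an encoded Subject and a base64 body."""
    return (
        f"Subject: =?UTF-8?B?{_b64(SUBJECT_TEXT)}?=\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: text/plain; charset="utf-8"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{_b64(BODY_TEXT)}\r\n"
    ).encode("ascii")

def decoded_view(raw: bytes) -> str:
    """Decoded headers of interest, then every decoded text part, as one blob."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    lines = []
    for name in ("From", "Subject"):
        value = msg.get(name)  # policy.default decodes RFC 2047 words here
        if value is not None:
            lines.append(f"{name}: {value}")
    lines.append("")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes base64/quoted-printable and the charset
            lines.append(part.get_content())
    return "\n".join(lines)

# Stand-in for a YARA-style rule: a header string AND a body string.
HEADER_PATTERN = re.compile(r"^Subject: .*Offerta speciale", re.M)
BODY_PATTERN = re.compile(r"clicca qui")

def rule_matches(text: str) -> bool:
    return bool(HEADER_PATTERN.search(text) and BODY_PATTERN.search(text))

def scan(raw: bytes) -> dict:
    return {"raw": rule_matches(raw.decode("ascii", "replace")),
            "decoded": rule_matches(decoded_view(raw))}
```

`scan(build_sample_message())` returns `{'raw': False, 'decoded': True}`: the same rule misses the encoded original and hits the decoded view, which is the gap a pre-scan decoding step (for instance in an amavisd-new custom filter) would close.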
