[clamav-users] Yara and base64 encoded body

kionez kionez at anche.no
Wed Jul 27 08:55:23 UTC 2016


#include <Steve basford.h>    // created 27/07/2016 10:28

[cut]

> I seem to remember hitting that issue.

I wrote something similar in 13/04 [1] (and here's the patch result [2])
but this request is "different".

I want (if it is possible, obviously ;) ) to run yara on the entire message,
using rules which match both headers and body. With clamav patched I can
run my rules and detect unwanted messages matching regexp on both header
and body part.

But lately those spammers have started to encode their body part in base64,
making my rules useless, because my regex matches "decoded" strings (i.e.:
plain words).

Clamav runs yara/pcre on the original message (header + body encoded) and then
runs rules on every decoded part, but without the header.

I admit that this is a strange question, but maybe someone has a trick which
helps me :)

k.

1: http://lists.clamav.net/pipermail/clamav-users/2016-April/002782.html
2: https://bugzilla.clamav.net/show_bug.cgi?id=11552
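As an added illustration (not part of the original thread or of ClamAV) of the mismatch described above: one header-plus-body rule is applied to the raw message, to the decoded parts alone (no headers, as the post says ClamAV does) and to a buffer of headers followed by the decoded body. The sample message, the rule regexes and all function names are constructed for this example.

```python
import base64
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a single-part message whose text body is base64
# encoded, standing in for the encoded spam described in the post.
RAW_MESSAGE = (
    "From: offers@example.invalid\r\n"
    "Subject: special offer\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(b"Buy cheap pills now at our pharmacy").decode("ascii")
    + "\r\n"
)

# Hypothetical rule in the spirit of the poster's yara/pcre rules: a header
# pattern AND a plain-word body pattern must both occur in the scanned buffer.
HEADER_RE = re.compile(r"^Subject:.*offer", re.M | re.I)
BODY_RE = re.compile(r"cheap pills", re.I)


def rule_matches(buf: str) -> bool:
    """True only when both the header and the body pattern are present."""
    return bool(HEADER_RE.search(buf) and BODY_RE.search(buf))


def decoded_parts(msg: Message) -> list[str]:
    """Decoded leaf parts with their headers stripped (the per-part scan)."""
    return [
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in msg.walk()
        if not p.is_multipart()
    ]


def headers_plus_decoded(msg: Message) -> str:
    """Original headers followed by the decoded body parts in one buffer."""
    headers = "".join(f"{k}: {v}\n" for k, v in msg.items())
    return headers + "\n" + "\n".join(decoded_parts(msg))


def scan(raw: str) -> dict[str, bool]:
    """Apply the rule to the three views of the message described in the post."""
    msg = message_from_string(raw)
    return {
        "raw": rule_matches(raw),
        "decoded_parts": any(rule_matches(p) for p in decoded_parts(msg)),
        "headers_plus_decoded": rule_matches(headers_plus_decoded(msg)),
    }
```

Only the third view matches: the raw scan sees the header but not the plain words, and the per-part scan sees the words but no header.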



