[clamav-users] FilenameRegex and backreferences

demonduck demonduck at sourcefire.com
Thu Jul 6 12:41:58 UTC 2017


kionez,

Unfortunately the regex engine
(https://github.com/vrtadmin/clamav-devel/blob/631f3e1165ed518a99e0f12f1a02a345feb2aea9/libclamav/regex/regexec.c)
for container metadata signatures (CDB) does not leverage the same engine
(PCRE) as LDB signatures. CDB signatures use OpenBSD's libc/regex,
which does not support many regex features supported in PCRE v6 or v7.

I've bypassed this by converting my CDB to an LDB with a PCRE.

CDB:
TEST.TestFilename.002:CL_TYPE_ZIP:*:([a-z]{8,12})/\1\.exe:*:*:*:*:*:*

Would become LDB (something like):
TEST.TestFilename.002;Engine:81-255,Target:0;0&1;0:504B;2,200:0/(?P<name>[a-z]{8,12})\/(?P=name)\.exe/e

You may want to increase the max shift. This example only works since Zip
archives store filenames near the Zip file magic. Also, I've used the
(?P<var>) and (?P=var) notation since it works for both PCRE v6 and v7.
Certain capture group notations only work with PCRE v7 (this may be
something to keep in mind).

I hope this helps,
demonduck
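As an added illustration (not code from the thread or from ClamAV), the following Python helper performs the CDB-to-LDB rewrite described above: it renumbers `\N` backreferences into `(?P<gN>...)`/`(?P=gN)` named groups, escapes the `/` delimiter, and wraps the result in the same LDB skeleton used in the reply. The group names `gN`, the `cdb_to_ldb` layout and the use of Python's `re` as a stand-in for PCRE are assumptions for the example.

```python
import re


def cdb_regex_to_pcre(regex: str) -> str:
    """Rewrite a CDB FilenameRegex with numeric backreferences into PCRE
    named-group syntax, which works on both PCRE v6 and v7.
    Capturing groups are numbered left to right; escaped parens, (?...)
    constructs and parens inside [...] classes are not counted.
    '/' is escaped because it delimits the PCRE in an LDB subsignature
    (assumption about the signature format)."""
    out, group, in_class, i = [], 0, False, 0
    while i < len(regex):
        c = regex[i]
        if c == "\\" and i + 1 < len(regex):
            nxt = regex[i + 1]
            if nxt.isdigit() and not in_class:
                out.append(f"(?P=g{nxt})")      # \N -> named backreference
            elif nxt == "/":
                out.append("\\/")
            else:
                out.append(c + nxt)             # other escapes kept verbatim
            i += 2
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        if c == "(" and not in_class and not regex.startswith("(?", i):
            group += 1
            out.append(f"(?P<g{group}>")        # numbered -> named group
        elif c == "/":
            out.append("\\/")                   # delimiter must be escaped
        else:
            out.append(c)
        i += 1
    return "".join(out)


def cdb_to_ldb(name: str, regex: str, maxshift: int = 200) -> str:
    """Build an LDB line shaped like the one in the reply: subsig 0 is the
    Zip magic 'PK' (504B), subsig 1 is the PCRE at offset 2 with maxshift."""
    return f"{name};Engine:81-255,Target:0;0&1;0:504B;2,{maxshift}:0/{cdb_regex_to_pcre(regex)}/e"


def pcre_matches(pcre: str, filename: str) -> bool:
    """Sanity-check the rewritten expression with Python's re (it accepts
    (?P<..>), (?P=..) and the escaped slash), searching like ClamAV does."""
    return re.search(pcre, filename) is not None
```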

On Thu, Jul 6, 2017 at 6:41 AM, Al Varnell <alvarnell at mac.com> wrote:

> Have you used this Regular Expressions Tutorial?
> <http://www.regular-expressions.info/tutorial.html>
>
> -Al-
>
> On Thu, Jul 06, 2017 at 03:31 AM, kionez wrote:
> >
> > Hi all,
> >
> > I wonder how I can use a backreference FilenameRegex in signatures
> > based on container metadata. I read the manual (signatures.pdf), peeked
> > into other rules (Sanesecurity) and some RTFM for OpenBSD regex without
> > success.
> >
> > I would like to intercept some recurrent pattern in filenames, for
> > example (I want to match testtest.txt):
> >
> > TEST.TestFilename.001:CL_TYPE_ZIP:*:(test)\1.txt:*:*:*:*:*:*
> >
> > And, more "reality-wise", I want to match a filename inside a directory,
> > where dir and file name are the same: PATTERN/PATTERN.exe with something
> > like:
> >
> > TEST.TestFilename.002:CL_TYPE_ZIP:*:([a-z]{8,12})/\1\.exe:*:*:*:*:*:*
> >
> > But I can't find a way to make it work as expected... is there someone
> > who can help me? :)
> >
> > Thanks in advance,
> >
> > k.
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
