[clamav-users] Matching variant patterns in logical or Yara signatures

Kris Deugau kdeugau at vianet.ca
Mon Jan 15 19:36:58 UTC 2018


I'm trying to create signatures to match a particular series of large to 
very large spams whose main identifier is a <style> or <script> tag 
containing neither CSS or Javascript.

However, I'm having trouble finding a valid signature string for this 
pattern.  I've tried to create similar signatures for other patterns in 
the past with equally little success.

The general case is <fixed string><limited-character-set gibberish>, 
with the fixed string about 10 characters, and the gibberish I want to 
match out to ~100 characters.

I'd just create a rule in SpamAssassin, but the problem is that these 
are *huge*, in some cases - 4+MB of nothing but symbols following 
<style>, for instance.  Processing even ~200K versions of huge messages 
like that is far too costly in SA.

I don't really want to just create a whole bunch of extended signatures 
(.ndb) for common prefixes.

In PCRE, what I want a Clam signature to match on looks like:

/some string[asrtyu]{100}/

for suitable variations on "some string" and the character set "asrtyu".

Is this possible?

-kgd



More information about the clamav-users mailing list