[clamav-users] FP in structured SSN
Micah Snyder (micasnyd)
micasnyd at cisco.com
Mon Sep 30 15:57:46 UTC 2019
Sorry, still drinking my morning coffee.
The "easy" fix I suggested is probably terrible. I imagine it's totally fine to have 0-prefixed numbers ( eg AA-GG-0123 ). We'll definitely have to get away from sscanf() for the fix.
Micah
On 9/30/19, 11:49 AM, "clamav-users on behalf of Micah Snyder (micasnyd) via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:
Hi Wagde,
It looks like you've found a bug. The SSN detection logic is hardcoded, here: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/libclamav/dlp.c#L295
As you can see, it looks for sequences in the form "%3d-%2d-%4d" or "%3d%2d%4d" using sscanf(), and then validates that each of the area, group, and serial numbers are valid. I'm looking at this code for the first time, but have reproduced the issue you described. It makes sense. The %4d specifies the maximum amount of digits, not a specific amount of digits.
The easy fix would be to make sure that Area >= 100, Group >= 10, and Serial >= 1000 -- though as per the comments it seems like sscanf() is an inefficient choice for the implementation.
To fix the issue we'll have to fix the code in a patch release, maybe 0.102.1. I have made this bug report to track the issue: https://bugzilla.clamav.net/show_bug.cgi?id=12407
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
On 9/28/19, 7:19 PM, "clamav-users on behalf of Wagde Zabit via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:
I keep getting false positives on SSN in a log file full of IP addresses.
For some reason clamav detects the 172-31-19-5 as a SSN although it’s not (AAA-GG-SSSS)
./bin/clamdscan ~/ssn.txt
/home/ubuntu/ssn.txt: Heuristics.Structured.SSN FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.000 sec (0 m 0 s)
cat ~/ssn.txt
172-31-19-5
172-31-19-5
172-31-19-5
172-31-19-5
172-31-19-5
./bin/clamdscan --version
ClamAV 0.101.2/25579/Sat Sep 21 08:23:44 2019
Is there a way to change the existing SSN signature?
Is there a way to write a new signature like: ^((?!000)(?!666)\d{3})([ -])?((?!00)\d{2})([ -])?((?!0000)\d{4})$ to get better results?
Thanx
Wagde
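The following program is an added illustration of the two points raised in this thread; it is not code from libclamav/dlp.c and not Micah's patch. The first function reproduces the bug with the exact sscanf() pattern mentioned above (a width such as %3d is a maximum digit count, so "172-31-19-5" parses as 172/31/19 and sscanf() reports three successful conversions). The second is a strict matcher that requires exactly 3, 2 and 4 digits, using the value rules from Wagde's proposed regex (area not 000 or 666, group not 00, serial not 0000, optional space or dash separators); those rules and the sample buffer are assumptions for the example, and the function names are invented here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample resembling the log file from the thread: dash separated
 * IPv4 addresses that are not SSNs. */
static const char SAMPLE_IPS[] =
    "172-31-19-5\n172-31-19-5\n172-31-19-5\n172-31-19-5\n172-31-19-5\n";

/* The sscanf() pattern discussed in the thread. A width such as %3d is a
 * MAXIMUM number of digits, so "172-31-19-5" yields area=172 group=31
 * serial=19 and sscanf() reports all three conversions as successful.
 * This reproduces the bug; it is not a copy of libclamav/dlp.c. */
int sscanf_style_match(const char *s, int *area, int *group, int *serial)
{
    return sscanf(s, "%3d-%2d-%4d", area, group, serial) == 3;
}

/* Convenience wrapper: the serial sscanf() produced, or -1 on no match. */
int sscanf_style_serial(const char *s)
{
    int area = 0, group = 0, serial = 0;
    return sscanf_style_match(s, &area, &group, &serial) ? serial : -1;
}

/* Read exactly n ASCII digits from p into *out. Returns 0 if fewer than n
 * digits are present. Leading zeros are kept as digits, so "0123" is four
 * digits with value 123 (the case a "Serial >= 1000" check would wrongly reject). */
static int take_digits(const char *p, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)p[i]))
            return 0;
        v = v * 10 + (p[i] - '0');
    }
    *out = v;
    return 1;
}

static int is_sep(char c)
{
    return c == '-' || c == ' ';
}

/* Strict matcher with the digit-count and value rules of the regex proposed in
 * the thread (assumed here): exactly 3, 2 and 4 digits, each group optionally
 * followed by one separator, no digit right after the serial, area not 000 or
 * 666, group not 00, serial not 0000. Returns 1 on a match starting at p. */
int strict_ssn_at(const char *p, int *area, int *group, int *serial)
{
    const char *q = p;
    if (!take_digits(q, 3, area)) return 0;
    q += 3;
    if (is_sep(*q)) q++;
    if (!take_digits(q, 2, group)) return 0;
    q += 2;
    if (is_sep(*q)) q++;
    if (!take_digits(q, 4, serial)) return 0;
    q += 4;
    if (isdigit((unsigned char)*q)) return 0;  /* e.g. "12345678901" */
    if (*area == 0 || *area == 666) return 0;
    if (*group == 0) return 0;
    if (*serial == 0) return 0;
    return 1;
}

/* Scan a NUL-terminated buffer and count strict SSN matches. A match may not
 * start right after a digit, so "1234-56-7890" does not match at offset 1. */
int count_strict_ssns(const char *buf)
{
    int count = 0, area, group, serial;
    for (size_t i = 0; buf[i] != '\0'; i++) {
        if (i > 0 && isdigit((unsigned char)buf[i - 1]))
            continue;
        if (strict_ssn_at(buf + i, &area, &group, &serial))
            count++;
    }
    return count;
}

int main(void)
{
    int a = 0, g = 0, s = 0;
    printf("sscanf %%3d-%%2d-%%4d on \"172-31-19-5\": match=%d (area=%d group=%d serial=%d)\n",
           sscanf_style_match("172-31-19-5", &a, &g, &s), a, g, s);
    printf("strict matcher on sample log: %d SSNs\n", count_strict_ssns(SAMPLE_IPS));
    printf("strict matcher on \"123-45-0123\": %d SSNs\n", count_strict_ssns("123-45-0123"));
    return 0;
}
```

Running it shows the sscanf() pattern accepting the IP address with serial=19, while the strict matcher reports zero SSNs in the sample log and still accepts "123-45-0123", the leading-zero serial that the suggested "Serial >= 1000" check would have rejected.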
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml