[clamav-users] Minor bug or working as intended?
Kris Deugau
kdeugau at vianet.ca
Fri Feb 25 16:39:59 UTC 2022
Maarten Broekman via clamav-users wrote:
> There's not a lot that you can do in Yara rules that you can't do in LDB
> sigs... for what it's worth, here's a logical sig that detects the same
> thing as the Yara rules...
>
> mbroekman at lothlorien:~$ grep MJB.JS.SendEmail
> clamdb/javascript_sigs.ldb| sigtool --decode-sigs
> VIRUS NAME: MJB.JS.SendEmailFunc-0
> TDB: Engine:90-255,Target:0
> LOGICAL EXPRESSION: 0>3
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NOCASE
> +-> DECODED SUBSIGNATURE:
> <script{WILDCARD_ANY_STRING(LENGTH<=1)}type="text/javascript">{WILDCARD_ANY_STRING(LENGTH<=1)}function{WILDCARD_ANY_STRING(LENGTH<=1)}sendemail{WILDCARD_ANY_STRING(LENGTH<=1)}(){
>
> mbroekman at lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb
> MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;3c736372697074{-1}747970653d22746578742f6a617661736372697074223e{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i
*nods* Thanks. As it was, I kept at it until I did actually have a full
Yara signature that matched as intended, working around the broken
repetition condition with the hex string instead of the regex.
.ldb signatures could definitely use more expansive documentation; the
examples in the PDF are really pretty simple. Earlier on I had also
tripped over (among other things) what might be the correct syntax for
multiple regex matches triggered by the same "hey, wake up!"
subsignature. (I'm not sure I understand why that's needed, it seems
rather awkward.)
I'll have to remember to try {-1} more often. This isn't the first time
I've wanted to match a character that may not be there, although I also
usually want to restrict matching to a subset of characters, not
"any byte" (which is why I reached for the regex match in both my
attempts at an ldb signature, and in the Yara signature).
-kgd
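As an added example (not code from this thread, from Kris or Maarten, or from ClamAV itself), the following Python parses the MJB.JS.SendEmailFunc-0 line Maarten quoted, renders its hex subsignature the way `sigtool --decode-sigs` does, translates it into a bytes regex in which `{-1}` is "any byte, zero or one times" and `::i` is NOCASE, and evaluates the `0>3` logical expression against constructed sample input. The parser, the regex translation and the `eval_logic` grammar (bare subsig ids and `N<M`/`N>M`/`N=M` terms joined by `&` and `|`) are assumptions covering only the subset of .ldb syntax visible on the page; the real ClamAV grammar is larger and the engine is not consulted.

```python
"""Added example: a hypothetical re-implementation of the subset of ClamAV
.ldb syntax that appears in the thread ({-N} wildcards, ::i NOCASE, and simple
subsignature count comparisons). It is not ClamAV's matcher."""
import re

# Exact .ldb line quoted in the thread.
LDB_LINE = ("MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;"
            "3c736372697074{-1}747970653d22746578742f6a617661736372697074223e"
            "{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i")

WILDCARD = re.compile(r"\{-(\d+)\}")   # {-N}: zero to N bytes of anything


def parse_ldb(line):
    """Split an .ldb line into name, target block, logical expression and
    a list of (hex pattern, modifier string) subsignatures."""
    name, tdb, logic, *subsigs = line.strip().split(";")
    parsed = []
    for sub in subsigs:
        hexpat, _, mods = sub.partition("::")   # "::i" -> NOCASE modifier
        parsed.append((hexpat, mods))
    return {"name": name, "tdb": tdb, "logic": logic, "subsigs": parsed}


def decode_subsig(hexpat):
    """Render like sigtool --decode-sigs: hex runs become text and {-N}
    becomes {WILDCARD_ANY_STRING(LENGTH<=N)}."""
    out = []
    for i, part in enumerate(WILDCARD.split(hexpat)):
        if i % 2 == 0:          # literal hex run (may be empty)
            out.append(bytes.fromhex(part).decode("latin-1"))
        else:                   # captured N from {-N}
            out.append("{WILDCARD_ANY_STRING(LENGTH<=%s)}" % part)
    return "".join(out)


def subsig_to_regex(hexpat, mods):
    """Translate to a bytes regex: {-N} is any byte repeated 0..N times
    (DOTALL, so newlines count too); the ::i modifier maps to IGNORECASE."""
    pat = []
    for i, part in enumerate(WILDCARD.split(hexpat)):
        if i % 2 == 0:
            pat.append(re.escape(bytes.fromhex(part)))
        else:
            pat.append(b".{0,%d}" % int(part))
    flags = re.DOTALL | (re.IGNORECASE if "i" in mods else 0)
    return re.compile(b"".join(pat), flags)


def eval_logic(logic, counts):
    """Evaluate a logical expression over per-subsignature match counts.
    Assumed grammar: terms 'N', 'N>M', 'N<M', 'N=M' joined by & and |,
    no parentheses; enough for the '0>3' on the page."""
    term_re = re.compile(r"^(\d+)(?:([<>=])(\d+))?$")

    def term(t):
        m = term_re.match(t)
        if not m:
            raise ValueError("unsupported term: %r" % t)
        sid, op, n = m.groups()
        c = counts.get(int(sid), 0)
        if op is None:
            return c > 0            # bare id: subsig matched at least once
        n = int(n)
        return {"<": c < n, ">": c > n, "=": c == n}[op]

    return any(all(term(t) for t in conj.split("&")) for conj in logic.split("|"))


def scan(line, data):
    """Return True when `data` would fire the signature in `line`."""
    sig = parse_ldb(line)
    counts = {}
    for sid, (hexpat, mods) in enumerate(sig["subsigs"]):
        counts[sid] = len(subsig_to_regex(hexpat, mods).findall(data))
    return eval_logic(sig["logic"], counts)


# Constructed sample: one function definition, repeated four times so that
# subsignature 0 is seen more than three times, as 0>3 requires.
ONE_HIT = b'<script type="text/javascript"> function sendemail (){ }</script>\n'
FOUR_HITS = ONE_HIT * 4

if __name__ == "__main__":
    print(decode_subsig(parse_ldb(LDB_LINE)["subsigs"][0][0]))
    print("4 copies:", scan(LDB_LINE, FOUR_HITS))     # True
    print("3 copies:", scan(LDB_LINE, ONE_HIT * 3))   # False
```

Because `{-1}` becomes `.{0,1}` under DOTALL, a NUL, a newline or any other single byte between `function` and `sendemail` still satisfies the subsignature, which is exactly the "any byte, not a subset of characters" behaviour discussed above; two bytes there, or the wrong count of copies, does not.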