[clamav-users] Minor bug or working as intended?

Kris Deugau kdeugau at vianet.ca
Wed Mar 2 15:27:19 UTC 2022


Micah Snyder (micasnyd) via clamav-users wrote:
> G.W. Haywood wrote:
>> Execution time will be important for scanning filesystems, less so for
>> scanning mail (at least for scanning low-volume mail) and readability
>> can be hugely important if you're writing a lot of rules.  Perhaps we
>> should be asking the development team for readable LDB rules? :)
> 
> Creating a new "human readable", or "human friendly", signature language 
> is something that I've brought up many times this past 6 months in our 
> team meetings.  I think it's more feasible than trying to make Yara 
> rules fully functional in ClamAV, or than trying to make our signatures 
> look the same as Yara.
> 
> I toyed a bit with using the KDL document language 
> (https://github.com/kdl-org/kdl) as a base for a new format.  My thought 
> is it could be "compiled" or converted to more compact line of text 
> prior to distribution, or unpacked/decompiled for readability as 
> needed.  I am hoping we can spend some time these next few months 
> investigating it further, once 0.105 is out.  With our Rust language 
> integration working rather nicely these days, we should be able to 
> leverage the language and library ecosystem for this effort making it 
> far easier to implement than with C.

For some types of content, just allowing a plain ASCII string instead of 
the hex-coded version of the same would be a big help.  Or an 
enhancement in the current file formats allowing embedded comments - 
I've lost track of how many times I've created something complex, and 
had to reconstruct whatever logic I used to create it to make a tweak or 
refinement - or just gave up and created a new signature - because 
there's no way to document it in-band.  Ignoring empty lines - 
especially at the end of the signature file! - instead of just claiming 
"invalid signature" would ease editing.


> A disclaimer: This is purely brainstorming, and I have no idea if we 
> would continue with the KDL idea or find something else.  Here are some 
> examples from my short time spent brainstorming this a few months back.
> 
> // example logical signature
[snip]

TBH that looks almost identical to the Yara rule syntax at a quick look. 
Hard to say whether it would be better to spend time spinning up yet 
another signature format, or fixing edge cases in one that's already 
present and in use.

-kgd
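The three authoring pains raised above (writing literal strings instead of hand-coded hex, keeping comments next to the logic, and not tripping over trailing blank lines) can all be handled by a small pre-processor that sits in front of ClamAV rather than inside it. The script below is an added example written for this page; it is not ClamAV or sigtool code, and the "friendly" `key = value` record format it reads is my own invention. What it emits is the real `.ndb` layout (`Name:TargetType:Offset:HexSignature`), so the output can be loaded with `clamscan -d out.ndb` or cross-checked against `sigtool --hex-dump`. The sample signatures are constructed for illustration and detect nothing real.

```python
"""Compile a commented, ASCII-friendly signature source into ClamAV .ndb lines.

Friendly record format (an assumption of this example, not a ClamAV format):
    name    = Example.Test.Something     # required
    target  = 0                          # ClamAV target type, default 0 (any)
    offset  = *                          # ClamAV offset spec, default * (anywhere)
    pattern = "literal text" ?? 0d 0a    # quoted strings become hex; bare tokens
                                         # are passed through as ClamAV hex/wildcards
Records are separated by blank lines; '#' starts a comment outside quotes.
"""
import re
from typing import Iterator

# Bare tokens may only contain hex digits and the wildcard characters ClamAV
# uses in hex signatures (??, *, {n-m}, [n-m], (aa|bb), !).
_HEX_TOKEN = re.compile(r"[0-9a-f?*{}\-\[\]()|!]+")
_PATTERN_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def ascii_to_hex(s: str) -> str:
    """Encode a literal string as lowercase hex pairs, as sigtool --hex-dump does."""
    return s.encode("utf-8").hex()


def strip_comment(line: str) -> str:
    """Remove a trailing '#' comment, but leave '#' alone inside double quotes."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
    return line


def pattern_to_hex(pattern: str) -> str:
    """Turn a mixed pattern ("text" tokens plus raw hex/wildcards) into ClamAV hex."""
    parts = []
    for m in _PATTERN_TOKEN.finditer(pattern):
        quoted, raw = m.group(1), m.group(2)
        if quoted is not None:
            parts.append(ascii_to_hex(quoted))
        else:
            tok = raw.lower()
            if not _HEX_TOKEN.fullmatch(tok):
                raise ValueError(f"unrecognised hex/wildcard token: {raw!r}")
            parts.append(tok)
    return "".join(parts)


def parse_records(text: str) -> Iterator[dict]:
    """Yield one dict per record; blank lines separate records, comment lines are ignored."""
    rec: dict = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():            # a truly blank line ends the current record
            if rec:
                yield rec
                rec = {}
            continue
        body = strip_comment(line).strip()
        if not body:                    # comment-only line: keep the record open
            continue
        key, sep, value = body.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        rec[key.strip().lower()] = value.strip()
    if rec:                             # trailing blank lines are harmless here
        yield rec


def compile_ndb(text: str) -> list:
    """Compile friendly source text into .ndb lines (Name:Target:Offset:Hex)."""
    out = []
    for rec in parse_records(text):
        for required in ("name", "pattern"):
            if required not in rec:
                raise ValueError(f"record {rec.get('name', '?')}: missing '{required}'")
        out.append(":".join([
            rec["name"],
            rec.get("target", "0"),
            rec.get("offset", "*"),
            pattern_to_hex(rec["pattern"]),
        ]))
    return out


# Constructed sample source: names and strings are made up for this example.
SAMPLE = """\
# Phishing-style lure text followed by any byte, CRLF and a URL scheme.
name    = Example.Test.PhishLure-1
target  = 0            # any file type
offset  = *            # match anywhere
pattern = "Dear valued customer" ?? 0d 0a "http://"

# Raw hex only: MZ header, a short gap, then the PE signature.
name    = Example.Test.HexOnly-2
target  = 1            # PE files
pattern = 4d 5a {2-8} 50 45 00 00


"""

if __name__ == "__main__":
    for ndb_line in compile_ndb(SAMPLE):
        print(ndb_line)
```

Writing the resulting lines to a `.ndb` file and loading it with `clamscan -d` gives the same engine behaviour as hand-written hex, with the comments and readable strings kept only in the source you edit.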

