[clamav-users] human friendly signatures
Steve Basford
steveb_clamav at sanesecurity.com
Wed Mar 16 21:10:22 UTC 2022
On 16 March 2022 20:29:19 "Micah Snyder (micasnyd) via clamav-users"
<clamav-users at lists.clamav.net> wrote:
> yara rule loading logic works right now.
>
>
>> (3) a way to specify that a rule is to match in
>> (a) mail headers only or
>> (b) mail body only or
>> (c) both;
Just a random early thought... could .ldb be extended... by reading the
whole message processing as normal... but if it's a header line mark as h,
body with a b...
So if the ldb could be extended with h/b... you could still use the normal
ldb logic...
Test;Engine:81-255,Target:0;(h0&b0=0);hex;hex
Test;Engine:81-255,Target:0;(b0);
h=headers only line
b=body only line
So h0 hex will only match if it's a header line
So b0 hex will only match if it's a body line
Sorry for the formatting.. on mobile.
Cheers,
Steve
Twitter: @sanesecurity
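
Added example, not part of the original post and not ClamAV code: a Python sketch of how the proposed h/b tags could be evaluated, treating everything before the first blank line as headers and the rest as body. The function names, the sample message and the `&`-over-`|` precedence are assumptions; the `=0` count modifier from the post is deliberately rejected rather than guessed at.

```python
import re

SAMPLE = b"Subject: invoice-7781\r\n\r\nPlease open invoice-7781 now\r\n"  # constructed
SUBSIGS = [b"invoice-7781".hex(), b"Please open".hex()]  # constructed subsigs 0 and 1

def split_zones(raw):
    """Split a raw message at the first blank line into (headers, body)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return (raw, b"") if m is None else (raw[:m.start()], raw[m.end():])

def zone_hits(raw, subsigs):
    """Map hN / bN to whether hex subsignature N occurs in headers / body."""
    zones = dict(zip("hb", split_zones(raw)))
    return {f"{z}{i}": bytes.fromhex(s) in data
            for i, s in enumerate(subsigs) for z, data in zones.items()}

def evaluate(expr, hits):
    """Evaluate hN/bN joined by &, | and parentheses (=N counts unsupported)."""
    tokens = re.findall(r"[hb]\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported syntax in {expr!r}")
    tokens.append("$")  # end marker so lookahead never runs off the list
    pos = 0
    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return hits[tok]  # KeyError on an unknown or misplaced token
        val = chain("|")
        if tokens[pos] != ")":
            raise ValueError("missing ')'")
        pos += 1
        return val
    def chain(op):  # "|" level calls the "&" level: & binds tighter (assumed)
        nonlocal pos
        operand = (lambda: chain("&")) if op == "|" else atom
        val = operand()
        while tokens[pos] == op:
            pos += 1
            rhs = operand()
            val = (val or rhs) if op == "|" else (val and rhs)
        return val
    result = chain("|")
    if tokens[pos] != "$":
        raise ValueError("trailing tokens")
    return result

def matches(raw, expr, subsigs):
    return evaluate(expr, zone_hits(raw, subsigs))
```

With the sample above, subsignature 0 occurs in both zones and subsignature 1 only in the body, so `(h1)` fails while `(h0&b1)` matches.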