[clamav-users] human friendly signatures

Eric Tykwinski eric-list at truenet.com
Wed Mar 16 22:15:40 UTC 2022


Steve,

I like the idea, but why the hex; hex?
Just thinking about my recent issues with direct deposit phishing emails from gmail.com: they are probably written by people, so I can’t really hash them and have to regex them.

> On Mar 16, 2022, at 5:10 PM, Steve Basford <steveb_clamav at sanesecurity.com> wrote:
> 
> On 16 March 2022 20:29:19 "Micah Snyder (micasnyd) via clamav-users" <clamav-users at lists.clamav.net> wrote:
> 
>>  yara rule loading logic works right now.
>> 
>> > (3) a way to specify that a rule is to match in
>> >     (a) mail headers only or
>> >     (b) mail body only or
>> >     (c) both;
>> 
>> 
> 
> Just a random early thought... could .ldb be extended... by reading the whole message, processing as normal... but if it's a header line mark it as h, body with a b...
> 
> So if the ldb could be extended with h/b... you could still use the normal ldb logic... 
> 
> Test;Engine:81-255,Target:0;(h0&b0=0);hex;hex
> 
> Test;Engine:81-255,Target:0;(b0);
> 
> h=headers only line
> b=body only line
> 
> So h0 hex will only match if it's a header line
> So b0 hex will only match if it's a body line
> Sorry for the formatting... on mobile.
> 
> Cheers,
> 
> Steve
> Twitter: @sanesecurity
> 
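The h/b scoping idea from the quoted message, as an added Python sketch that is not part of the thread and not ClamAV code or syntax. The `hN`/`bN` grammar, left-to-right evaluation, the function names and the sample message are all assumptions made for illustration.

```python
import re
TOKEN = re.compile(r"([hb])(\d+)(?:=(\d+))?|([()&|])")

def scope_counts(raw, hex_subsigs):
    """Tag lines before the first blank line as h, the rest as b; count hits per scope."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    pats = [bytes.fromhex(h) for h in hex_subsigs]
    def per_line(blob):
        return [sum(line.count(p) for line in blob.split(b"\n")) for p in pats]
    return {"h": per_line(head), "b": per_line(body)}

def evaluate(expr, counts):
    """hN / bN: subsig N hit in that scope; hN=K: exactly K hits. Assumed grammar."""
    expr = expr.replace(" ", "")
    if TOKEN.sub("", expr):
        raise ValueError("unexpected characters in expression")
    toks = TOKEN.findall(expr) + [("", "", "", "$")]  # sentinel marks the end
    i = 0
    def term():
        nonlocal i
        scope, idx, want, op = toks[i]
        i += 1
        if op == "(":
            val = chain()
            if toks[i][3] != ")":
                raise ValueError("missing )")
            i += 1
            return val
        if not scope:
            raise ValueError(f"unexpected {op!r}")
        hits = counts[scope][int(idx)]
        return hits == int(want) if want else hits > 0
    def chain():  # evaluated left to right; use parentheses to group
        nonlocal i
        val = term()
        while toks[i][3] in ("&", "|"):
            op, i = toks[i][3], i + 1
            rhs = term()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    result = chain()
    if toks[i][3] != "$":
        raise ValueError("trailing input")
    return result

# Constructed sample message and subsignatures (not from the thread)
SAMPLE = (b"From: Payroll <user@mail.example>\r\nSubject: Update\r\n\r\n"
          b"Please change my direct deposit details.\r\n")
COUNTS = scope_counts(SAMPLE, [b"mail.example".hex(), b"direct deposit".hex()])
```

With this sample, `(h0&b0=0)` is true because subsignature 0 appears in a header line and never in a body line, while `(b0)` alone is false.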

