[clamav-users] human friendly signatures

Steve Basford steveb_clamav at sanesecurity.com
Wed Mar 16 22:18:09 UTC 2022


On 16 March 2022 22:16:05 Eric Tykwinski <eric-list at truenet.com> wrote:
> Steve,
>
> I like the idea, but why the hex; hex?
> Just thinking about my recent issues with direct deposit phishing emails 
> from gmail.com and they are written probably by people, so I can’t really 
> hash it, and have to regex it.



>
>
>> On Mar 16, 2022, at 5:10 PM, Steve Basford <steveb_clamav at sanesecurity.com> 
>> wrote:
>>
>> On 16 March 2022 20:29:19 "Micah Snyder \(micasnyd\) via clamav-users" 
>> <clamav-users at lists.clamav.net> wrote:
>>> yara rule loading logic works right now.
>>>
>>>
>>>> (3) a way to specify that a rule is to match in
>>>>     (a) mail headers only or
>>>>     (b) mail body only or
>>>>     (c) both;
>> Just a random early thought... could .ldb be extended... by reading the 
>> whole message processing as normal... but if it's a header line mark as h, 
>> body with a b...
>>
>>
>> So if the ldb could be extended with h/b... you could still use the normal 
>> ldb logic...
>>
>>
>> Test;Engine:81-255,Target:0;(h0&b0=0);hex;hex
>>
>>
>> Test;Engine:81-255,Target:0;(b0);
>>
>> h=headers only line
>> b=body only line
>>
>> So h0 hex will only match if it's a header line
>> So b0 hex will only match if it's a body line
>> Sorry for the formatting.. on mobile.
>>
>>
>> Cheers,
>>
>> Steve
>> Twitter: @sanesecurity
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>


Cheers,

Steve
Twitter: @sanesecurity
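The h/b-prefixed .ldb lines above are only a proposal, so nothing in ClamAV parses them. The following is an added toy evaluator, written for this page and not part of ClamAV or Sanesecurity's code, that shows one way the proposed semantics could be read: an atom hN or bN counts the header or body lines matching subsignature N, and "=K" applied to the preceding atom or group tests that count, so "(h0&b0=0)" reads as "subsig 0 in a header line and in no body line". The signature lines, messages, the function names and the expression semantics are all constructed assumptions for the illustration.

```python
"""Toy evaluator for the header/body-scoped .ldb extension proposed in the
thread.  Added illustration only; the syntax and semantics are assumed."""
import re


def split_message(raw: bytes):
    """Split a raw RFC 5322 message at the first blank line into
    (header_lines, body_lines).  Header unfolding is ignored in this toy."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, _, body = raw.partition(b"\n\n")
    return head.splitlines(), body.splitlines()


def parse_signature(line: str):
    """Parse 'Name;TargetDesc;LogicalExpr;hex;hex...' (assumed layout,
    modelled on .ldb).  Returns (name, expr, [pattern bytes])."""
    fields = line.split(";")
    name, expr = fields[0], fields[2]
    patterns = [bytes.fromhex(h) for h in fields[3:] if h]
    return name, expr, patterns


def region_counts(lines, patterns):
    """Number of lines in one region (headers or body) containing each pattern."""
    return [sum(1 for ln in lines if p in ln) for p in patterns]


class _Expr:
    """Recursive-descent evaluator.  Assumed semantics: hN/bN yields the count
    of header/body lines matching subsig N; '=K' after an atom or group yields
    1 if that count equals K, else 0; '&' is 0 if either side is 0, otherwise
    the sum; '|' is the sum.  The signature fires when the result is non-zero."""
    TOKEN = re.compile(r"[hb]\d+|=\d+|[&|()]")

    def __init__(self, expr, hcounts, bcounts):
        self.toks = self.TOKEN.findall(expr)
        self.pos = 0
        self.counts = {"h": hcounts, "b": bcounts}

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        val = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in expression")
        return val

    def _or(self):
        val = self._and()
        while self._peek() == "|":
            self._next()
            val += self._and()
        return val

    def _and(self):
        val = self._atom()
        while self._peek() == "&":
            self._next()
            rhs = self._atom()
            val = 0 if (val == 0 or rhs == 0) else val + rhs
        return val

    def _atom(self):
        tok = self._next()
        if tok == "(":
            val = self._or()
            if self._next() != ")":
                raise ValueError("unbalanced parentheses")
        elif tok[0] in "hb":
            val = self.counts[tok[0]][int(tok[1:])]
        else:
            raise ValueError(f"unexpected token {tok!r}")
        nxt = self._peek()
        if nxt is not None and nxt.startswith("="):  # count comparison binds to the atom/group
            self._next()
            val = 1 if val == int(nxt[1:]) else 0
        return val


def scan(raw: bytes, sig_line: str) -> bool:
    """True if the (hypothetical) signature fires on the raw message."""
    _name, expr, patterns = parse_signature(sig_line)
    headers, body = split_message(raw)
    hc, bc = region_counts(headers, patterns), region_counts(body, patterns)
    return _Expr(expr, hc, bc).parse() > 0


# Constructed signatures in the proposed syntax (not real ClamAV lines).
DD = b"Direct Deposit".hex()
SIG_HDR_NOT_BODY = f"Test.HdrOnly;Engine:81-255,Target:0;(h0&b0=0);{DD}"
SIG_BODY = f"Test.Body;Engine:81-255,Target:0;(b0);{DD}"
SIG_ANY = f"Test.Any;Engine:81-255,Target:0;(h0|b0);{DD}"

# Constructed sample messages.
MSG_HEADER_ONLY = (b"From: payroll@example.com\r\nSubject: Direct Deposit update\r\n"
                   b"\r\nPlease review the attached form.\r\n")
MSG_BOTH = (b"From: payroll@example.com\r\nSubject: Direct Deposit update\r\n"
            b"\r\nYour Direct Deposit needs verification.\r\n")
MSG_BODY_ONLY = (b"From: payroll@example.com\r\nSubject: Action required\r\n"
                 b"\r\nYour Direct Deposit needs verification.\r\n")

if __name__ == "__main__":
    for mname, msg in (("header-only", MSG_HEADER_ONLY), ("both", MSG_BOTH),
                       ("body-only", MSG_BODY_ONLY)):
        for sig in (SIG_HDR_NOT_BODY, SIG_BODY, SIG_ANY):
            print(f"{mname:12s} {sig.split(';')[0]:14s} {scan(msg, sig)}")
```

The point the toy makes is that region tagging lets one hex pattern carry two meanings in one line: "(h0&b0=0)" fires on the message where the phrase sits only in the Subject header, and stays silent once the same phrase also appears in the body, while "(b0)" ignores headers altogether. Whether the count comparison should bind to the single atom (as here) or to the whole group is exactly the kind of detail the proposal leaves open.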