On 16 March 2022 22:16:05 Eric Tykwinski <eric-list@truenet.com> wrote:

Steve,

I like the idea, but why the hex; hex?
Just thinking about my recent issues with direct deposit phishing emails from gmail.com and they are written probably by people, so I can’t really hash it, and have to regex it.

On Mar 16, 2022, at 5:10 PM, Steve Basford <steveb_clamav@sanesecurity.com> wrote:

On 16 March 2022 20:29:19 "Micah Snyder \(micasnyd\) via clamav-users" <clamav-users@lists.clamav.net> wrote:
yara rule loading logic works right now.

> (3) a way to specify that a rule is to match in
>     (a) mail headers only or
>     (b) mail body only or
>     (c) both;

Just a random early thought... could .ldb be extended... by reading the whole message processing as normal... but if its a header line mark as h, body with a b...

So if the ldb could be extended with h/b... you could still use the normal ldb logic...

Test;Engine:81-255,Target:0;(h0&b0=0);hex;hex

Test;Engine:81-255,Target:0;(b0);

h=headers only line
b=body only line

So h0 hex will only match if its a header line
So b0 hex will only matt h if its a body line
Sorry for the formatting.. on mobile.

Cheers,

Steve
Twitter: @sanesecurity

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

_______________________________________________

clamav-users mailing list

clamav-users@lists.clamav.net

https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:

https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Cheers,

Steve

Twitter: @sanesecurity