[Community-sigs] can't make custom signature of URL work
patpro at patpro.net
Wed Sep 2 02:41:57 EDT 2015
Hello,
After some online research, I've created my first custom signature file. The purpose is to block a few URLs used in many phishing attempts (mostly free online form hosting).
Unfortunately, when I test this ndb file against real email, nothing is detected.
my file:
$ cat ~/phish-ul2.ndb
PHISH.UL2.formstack:0:*:666f726d737461636b2e636f6d2f0a
PHISH.UL2.weebly:0:*:2e776565626c792e636f6d0a
PHISH.UL2.jimdo:0:*:2e6a696d646f2e636f6d2f0a
PHISH.UL2.qualtrics:0:*:2e7175616c74726963732e636f6d2f0a
$ grep jimdo ~/phish-ul2.ndb|sigtool --decode-sigs
VIRUS NAME: PHISH.UL2.jimdo
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
.jimdo.com/
my test:
$ grep jimdo /tmp/test.mbox
http://courrier-reglage.jimdo.com/ NB: Le d=C3=A9faut pour tout utilisateu=
ext-decoration: underline;"><a href=3D"http://courrier-reglage.jimdo.com/" =
r-reglage.jimdo.com/" data-mce-style=3D"color: #1155cc;">http://courrier-re=
glage.jimdo.<wbr>com/</a></span></span><br data-mce-bogus=3D"1"></div><div>=
$ clamscan -d ~/phish-ul2.ndb /tmp/test.mbox
/tmp/test.mbox: OK
----------- SCAN SUMMARY -----------
Known viruses: 4
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.50:1)
Time: 0.008 sec (0 m 0 s)
I've made more tests with:
PHISH.UL2.formstack:0:*:(2e|2f|40|20|3c|5f)666f726d737461636b2e636f6d2f0a(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)
PHISH.UL2.weebly:0:*:(2e|2f|40|20|3c|5f)2e776565626c792e636f6d0a(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)
PHISH.UL2.jimdo:0:*:(2e|2f|40|20|3c|5f)2e6a696d646f2e636f6d2f0a(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)
PHISH.UL2.qualtrics:0:*:(2e|2f|40|20|3c|5f)2e7175616c74726963732e636f6d2f0a(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)
but results were the same.
I can't find what is wrong with my ndb file. Any help appreciated.
patpro
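An added example (not from the post or from ClamAV) that turns the .ndb hex signatures above into byte regexes and runs them over a constructed sample of the mail text. The trailing `0a` in each posted signature is a newline byte, so the decoded body is ".jimdo.com/" followed by a line break; the block shows that requirement against text where the URL is followed by a space, and the same signature with the `0a` removed. The `(aa|bb)` handling covers only the alternation syntax used in the post; other ClamAV wildcards are not implemented.

```python
import re

# Signature line copied from the post; the hex ends in 0a (newline).
SIG_POSTED = "PHISH.UL2.jimdo:0:*:2e6a696d646f2e636f6d2f0a"
# Constructed variants: the same body without the trailing newline byte,
# and an alternation form that allows common URL delimiters on both sides.
SIG_FIXED = "PHISH.UL2.jimdo:0:*:2e6a696d646f2e636f6d2f"
SIG_ALT_FIXED = ("PHISH.UL2.jimdo:0:*:(2e|2f|40|20|3c|5f)6a696d646f2e636f6d2f"
                 "(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)")
# Constructed sample text, modelled on the mbox line in the post after
# quoted-printable decoding: the URL is followed by a space, not a newline.
SAMPLE = b"http://courrier-reglage.jimdo.com/ NB: Le defaut pour tout utilisateur"


def hexsig_from_text(text: str) -> str:
    """Hex-encode a literal string for an .ndb body (no trailing 0a)."""
    return text.encode("ascii").hex()


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Convert an .ndb hex body (plain bytes and (aa|bb) alternatives) to a bytes regex."""
    hexsig = hexsig.lower()
    tokens = re.findall(r"\([0-9a-f|]+\)|[0-9a-f]{2}", hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError(f"unsupported or malformed hex signature: {hexsig}")
    parts = []
    for token in tokens:
        if token.startswith("("):
            alts = [re.escape(bytes.fromhex(a)) for a in token[1:-1].split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:
            parts.append(re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts))


def scan(sig_lines, data: bytes):
    """Return the names of the .ndb signatures whose body occurs in data."""
    hits = []
    for line in sig_lines:
        name, _target, _offset, hexsig = line.strip().split(":", 3)
        if hexsig_to_regex(hexsig).search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("posted:", scan([SIG_POSTED], SAMPLE))      # []
    print("fixed:", scan([SIG_FIXED], SAMPLE))        # ['PHISH.UL2.jimdo']
    print("alt:", scan([SIG_ALT_FIXED], SAMPLE))      # ['PHISH.UL2.jimdo']
```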