[Community-sigs] can't make custom signature of URL work

Joel Esler (jesler) jesler at cisco.com
Wed Sep 2 06:42:05 EDT 2015


Remove the "0a" from the end of your sigs

--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group
Sent from my iPhone

On Sep 2, 2015, at 2:42 AM, "patpro at patpro.net" <patpro at patpro.net> wrote:

Hello,

After some online research, I've created my first custom signature file. The purpose is to block few URLs used in many phishing attempts (mostly free online form hosting).
Unfortunately, when I test this ndb file against real email, nothing is detected.

my file:
   $ cat ~/phish-ul2.ndb
   PHISH.UL2.formstack:0:*:666f726d737461636b2e636f6d2f0a
   PHISH.UL2.weebly:0:*:2e776565626c792e636f6d0a
   PHISH.UL2.jimdo:0:*:2e6a696d646f2e636f6d2f0a
   PHISH.UL2.qualtrics:0:*:2e7175616c74726963732e636f6d2f0a


   $ grep jimdo  ~/phish-ul2.ndb|sigtool --decode-sigs
   VIRUS NAME: PHISH.UL2.jimdo
   TARGET TYPE: ANY FILE
   OFFSET: *
   DECODED SIGNATURE:
   .jimdo.com/

my test:
   $ grep jimdo  /tmp/test.mbox
    http://courrier-reglage.jimdo.com/ NB: Le d=C3=A9faut pour tout utilisateu=
   ext-decoration: underline;"><a href=3D"http://courrier-reglage.jimdo.com/" =
   r-reglage.jimdo.com/" data-mce-style=3D"color: #1155cc;">http://courrier-re=
   glage.jimdo.<wbr>com/</a></span></span><br data-mce-bogus=3D"1"></div><div>=

   $ clamscan -d ~/phish-ul2.ndb /tmp/test.mbox
   /tmp/test.mbox: OK

   ----------- SCAN SUMMARY -----------
   Known viruses: 4
   Engine version: 0.98.7
   Scanned directories: 0
   Scanned files: 1
   Infected files: 0
   Data scanned: 0.01 MB
   Data read: 0.01 MB (ratio 1.50:1)
   Time: 0.008 sec (0 m 0 s)

I've made more tests with:
   PHISH.UL2.formstack:0:*:(2e|2f|40|20|3c|5f)666f726d737461636b2e636f6d2f0a(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)
   PHISH.UL2.weebly:0:*:(2e|2f|40|20|3c|5f)2e776565626c792e636f6d0a(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)
   PHISH.UL2.jimdo:0:*:(2e|2f|40|20|3c|5f)2e6a696d646f2e636f6d2f0a(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)
   PHISH.UL2.qualtrics:0:*:(2e|2f|40|20|3c|5f)2e7175616c74726963732e636f6d2f0a(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)

but results were the same.

I can't find what is wrong with my ndb file. Any help appreciated.

patpro
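An added illustration of the point in the reply, not code from either poster or from ClamAV itself: a small Python matcher that turns the ndb hex signatures from this thread into a byte pattern and runs them over the intact lines from the grep output above. It assumes only the syntax those sigs use (plain hex and `(xx|yy)` single-byte alternations, each alternation consuming exactly one byte); `??` and `*` wildcards are not handled.

```python
import re

# Constructed sample, copied from the grep output above (raw bytes; the
# quoted-printable "=" soft breaks are left in place, the URL is intact anyway).
SAMPLE_MBOX = (
    b" http://courrier-reglage.jimdo.com/ NB: Le d=C3=A9faut pour tout utilisateu=\n"
    b'ext-decoration: underline;"><a href=3D"http://courrier-reglage.jimdo.com/" =\n'
    b'r-reglage.jimdo.com/" data-mce-style=3D"color: #1155cc;">http://courrier-re=\n'
)

_ALT = re.compile(r"\(([0-9a-fA-F]{2}(?:\|[0-9a-fA-F]{2})*)\)")  # (xx|yy|zz)

def _literal(h: str) -> bytes:
    if len(h) % 2:
        raise ValueError("odd-length hex in signature: %r" % h)
    return re.escape(bytes.fromhex(h))

def ndb_hex_to_regex(hexsig: str) -> re.Pattern:
    """Translate plain hex plus (xx|yy) alternations into a bytes regex.
    Assumption: ?? / * wildcards are not needed for the sigs in this thread."""
    parts, pos = [], 0
    for m in _ALT.finditer(hexsig):
        parts.append(_literal(hexsig[pos:m.start()]))
        alts = (re.escape(bytes.fromhex(a)) for a in m.group(1).split("|"))
        parts.append(b"(?:" + b"|".join(alts) + b")")
        pos = m.end()
    parts.append(_literal(hexsig[pos:]))
    return re.compile(b"".join(parts))

def parse_ndb_line(line: str):
    """MalwareName:TargetType:Offset:HexSignature -> tuple."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, hexsig

def matches(ndb_line: str, data: bytes) -> bool:
    return ndb_hex_to_regex(parse_ndb_line(ndb_line)[3]).search(data) is not None

POSTED = "PHISH.UL2.jimdo:0:*:2e6a696d646f2e636f6d2f0a"   # ends in 0a = "\n"
FIXED = "PHISH.UL2.jimdo:0:*:2e6a696d646f2e636f6d2f"      # 0a removed
# Second attempt from the thread: a delimiter byte is required immediately
# before the literal ".", and the "e" of "reglage.jimdo.com" is not one, so
# this variant would not match even with the trailing 0a dropped.
POSTED_ALT = ("PHISH.UL2.jimdo:0:*:(2e|2f|40|20|3c|5f)2e6a696d646f2e636f6d2f0a"
              "(27|22|20|2f|3d|5f|3e|0a|0d|3f|3c)")
ALT_NO_0A = POSTED_ALT.replace("2f0a(", "2f(")

if __name__ == "__main__":
    for sig in (POSTED, FIXED, POSTED_ALT, ALT_NO_0A):
        print(parse_ndb_line(sig)[3], "->", matches(sig, SAMPLE_MBOX))
```

In the mail the URL is always followed by a space or a quote, never by a bare newline, so only the signature without the trailing 0a fires.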