Erik Corry wrote:
On Thu, Jan 26, 2006 at 11:50:00AM +0100, Erik Corry wrote:
>
> How about:
>
>
JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(25363e|6e)(253633|63)*(253237|27)(253237|27)(25323c|2c)??(25323c|2c)??(25323c|2c)??(25323c|2c)
Sheesh, this sig making stuff isn't as simple as it looks :-)
That didn't work well at all!
JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(253645|6e)(253633|63)
Bingo, matches every variant.
I believe adding a match for e.g. <=((?+1)%??-1);> and possible
<document.write> (remove: < and >) would make it more FP safe.
Works for all variants that I have seen, but also catches any html file with
unescape ("func
without the space. Right now I think I can live with that.
Does the * wildcard have a limit to how many characters it will look
ahead?
No - IFAIK.
Best regards,
Diego d'Ambra
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
