Srinivasan Krishnan wrote:
> Hi all,
>
> I've been frantically grazing through the ClamAV mail archives and been
> Googling to find out how to make regex work with pdb (phishing database)
> files. I'm using ClamAV version 0.93 on Linux platform.
>
> I was reading the phishsigs_howto.pdf included in the ClamAV tarball.
>
> My custom domainlist test.pdb contains:
> ---
> R:.+\.paypal\.com:.+\.yahoo\.com
> ---
>
> The email file which I need to scan is:
> ---
> Subject: test mail
> Content-Type: text/html
>
> <html>
> Click here
> <a href="paypal.com">yahoo.com</a>
> </html>
> ---
>
> But somehow ClamAV doesn't detect the mail as virus. In contrast, if I use
> "H:yahoo.com" in test.pdb, the mail is detected as virus under
> Phishing.SpoofedDomain.
>
> As a sidenote, I've also tried "R .+ .+\.paypal\.com" as an entry in the
> test.pdb (as the phishsigs_howto.pdf document says). But it is of no use.
>
> Can someone please enlighten me why this wouldn't work?

We use regular expressions only for the whitelist.
What you are trying to do will work, if you apply the patch below and
use this:
R:.*yahoo\.com.*

However, using regular expressions for the domainlist is not useful,
since it is a lot easier to just list a domain/subdomain,
and unlike with the whitelist only one of the URLs is matched (the
displayed URL, in your case yahoo.com).

Why do you need regular expressions for the domainlist?

--- /home/edwin/clam/svn3/trunk/libclamav/regex_list.c  (revision 3891)
+++ /home/edwin/clam/svn3/trunk/libclamav/regex_list.c  (working copy)
@@ -605,7 +605,7 @@
                }

                if((buffer[0] == 'R' && !is_whitelist) || ((buffer[0] ==
'X' || buffer[0] == 'Y') && is_whitelist)) {/*regex*/
-                       if(( rc = add_pattern(matcher,(const unsigned
char*)pattern,flags, buffer[0] == 'Y') ))
+                       if(( rc = add_pattern(matcher,(const unsigned
char*)pattern,flags, buffer[0] == 'Y' || buffer[0]=='R') ))
                                return rc==CL_EMEM ? CL_EMEM : CL_EMALFDB;
                }
                else if( ( buffer[0] == 'H' && !is_whitelist) ||
(buffer[0] == 'M' && is_whitelist)) {/*matches displayed host*/
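Review bot: the fourth argument to add_pattern is a bare boolean expression whose meaning the call site never names, and after this change `buffer[0] == 'Y' || buffer[0]=='R'` inside a branch that only admits R, X and Y amounts to "everything except X"; a named local before the call, e.g. `int displayed_only = (buffer[0] != 'X');` (hypothetical name), would make the intent explicit and also fix the spacing of `buffer[0]=='R'`, which differs from the rest of the expression. Since the change alters what a domainlist R entry is matched against, phishsigs_howto.pdf, which the original poster was following, needs updating together with this code.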

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
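The following is an added example, not code from the thread or from ClamAV. It is a deliberately simplified model of the domainlist behaviour the reply describes: a .pdb is read line by line, H entries are compared with the displayed hostname, R entries are compiled as one regex and applied to the displayed URL only (the real URL in href is never consulted), and the regex is anchored as a full match, which is why the reply's suggested pattern carries `.*` on both ends. The four .pdb lines, the HTML body and the extra subdomain mail are constructed from the messages above; the function and field names (scan_mail, host_of, load_domainlist) are this example's own. It shows the two independent reasons the poster's entry never fires: the two-field form is treated as a single regex that cannot match a bare "yahoo.com", and even the single-field `.+\.yahoo\.com` needs at least one character before the dot, so it matches mail.yahoo.com but not yahoo.com.

```python
import re
from html.parser import HTMLParser

# Constructed sample input, taken from the thread (not ClamAV test data).
PDB_ENTRIES = [
    r"R:.+\.paypal\.com:.+\.yahoo\.com",  # the poster's original entry
    r"R .+ .+\.paypal\.com",              # the howto-style entry that did not help
    r"R:.*yahoo\.com.*",                  # the entry suggested in the reply
    "H:yahoo.com",                        # the entry that did fire
]

MAIL_HTML = """<html>
Click here
<a href="paypal.com">yahoo.com</a>
</html>"""

# Constructed variant with a displayed subdomain, to show what .+\. requires.
SUBDOMAIN_HTML = '<html><a href="paypal.com">http://mail.yahoo.com/</a></html>'


class AnchorExtractor(HTMLParser):
    """Collect (real_url, displayed_text) pairs from <a href=...>text</a>."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Reduce a displayed URL or bare domain to its hostname (lower-cased)."""
    without_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.I)
    return without_scheme.split("/", 1)[0].lower()


def load_domainlist(lines):
    """Parse H:/R: lines into (raw_line, predicate-on-displayed-host) tuples.

    Model assumption (matches the reply, not a statement about ClamAV's parser):
    a line without ':' after the type letter is skipped, an H payload is a
    hostname compared literally, and an R payload is one regex that must match
    the whole displayed host; the real URL is never consulted.
    """
    entries = []
    for raw in lines:
        if ":" not in raw:
            continue  # "R .+ .+\.paypal\.com" has no field separator: ignored
        kind, payload = raw.split(":", 1)
        if kind == "H":
            entries.append((raw, lambda host, p=payload.lower(): host == p))
        elif kind == "R":
            rx = re.compile(payload)
            entries.append((raw, lambda host, rx=rx: rx.fullmatch(host) is not None))
    return entries


def scan_mail(pdb_lines, html):
    """Return [(pdb_line, real_url, displayed_text)] for every entry that fires."""
    entries = load_domainlist(pdb_lines)
    parser = AnchorExtractor()
    parser.feed(html)
    hits = []
    for real, displayed in parser.pairs:
        host = host_of(displayed)
        for raw, matches in entries:
            if matches(host):
                hits.append((raw, real, displayed))
    return hits


if __name__ == "__main__":
    for raw, real, displayed in scan_mail(PDB_ENTRIES, MAIL_HTML):
        print(f"{raw!r} fires on displayed={displayed!r} (real={real!r})")
    for html in (MAIL_HTML, SUBDOMAIN_HTML):
        print(r"R:.+\.yahoo\.com ->", scan_mail([r"R:.+\.yahoo\.com"], html))
```

Running it lists only the `R:.*yahoo\.com.*` and `H:yahoo.com` entries as firing on the original mail, and shows `R:.+\.yahoo\.com` firing on the subdomain mail but not on the original one. Whether a hit then becomes Phishing.SpoofedDomain depends on the engine comparing the displayed domain against the real one, which this model leaves out.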