On 2010-12-23 23:20, Bill Landry wrote:
> On 12/20/2010 9:34 AM, Bill Landry wrote:
>> On 12/20/2010 2:04 AM, Tomasz Kojm wrote:
>>> On Sun, 19 Dec 2010 10:31:43 -0800 Bill Landry <[email protected]> wrote:
>>>> I've been doing some testing with some of the new signature wildcards,
>>>> in particular:
>>>>
>>>> • (B)
>>>> Match word boundary (including file boundaries).
>>>> • (L)
>>>> Match CR, CRLF or file boundaries.
>>>>
>>>> I've found that both of these wildcards work when used singularly in
>>>> any of the following combinations:
>>>>
>>>> SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)
>>>> SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)
>>>> SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(L)
>>>> SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)
>>>>
>>>> However, I would like to combine them on both sides of the hex
>>>> signature, but none of the following combinations work without causing
>>>> errors:
>>>>
>>>> SpamDomain.example_com:4:*:(B|L)6578616d706c652e636f6d(B|L)
>>>> SpamDomain.example_com:4:*:(B)(L)6578616d706c652e636f6d(B)(L)
>>>> SpamDomain.example_com:4:*:((B)|(L))6578616d706c652e636f6d((B)|(L))
>>>>
>>>> Is there a way to combine these two wildcards into a single hex
>>>> signature so that it can detect any of the following combinations in an
>>>> email message:
>>>
>>> Hi Bill,
>>>
>>> the word boundary (B) also acts as a line marker (L), so there's no need
>>> for using both of them at the same time.
>>
>> Yes, but the (B)...(B) boundary does not work without using the
>> (L)...(B) boundary in these two scenarios:
>>
>> beginning of line CR, CRLF boundary and word boundary (L)...(B):
>> ================================================================
>> This is
>> example.com test message.
>>
>> beginning and end of line CR, CRLF boundary (L)...(L):
>> ======================================================
>> This is
>> example.com
>> test message.
>> ===
>>
>> where the domain name starts at the beginning of the line. It would
>> work great with (B)...(B) if the (B) boundary supported beginning of
>> line detection:
>>
>> ^example.com
>>
>> Can this be added to the (B) boundary detection?
> (B)6578616d706c652e636f6d
> Any further thoughts on this?

This matches example.com at beginning of line, or at a word boundary:

Foo:0:*:(B)6578616d706c652e636f6d

--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
