On Thu, Dec 23, 2010 at 11:28:31PM +0200, Török Edwin wrote:
> On 2010-12-23 23:20, Bill Landry wrote:
> > On 12/20/2010 9:34 AM, Bill Landry wrote:
> >> On 12/20/2010 2:04 AM, Tomasz Kojm wrote:
> >>> On Sun, 19 Dec 2010 10:31:43 -0800 Bill Landry <[email protected]> wrote:
> >>>> I've been doing some testing with some of the new signature wildcards,
> >>>> in particular:
> >>>>
> >>>> - (B)
> >>>>   Match word boundary (including file boundaries).
> >>>> - (L)
> >>>>   Match CR, CRLF or file boundaries.
> >>>>
> >>>> I've found that both of these wildcards work when used singularly in
> >>>> any of the following combinations:
> >>>>
> >>>> SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)
> >>>> SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)
> >>>> SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(L)
> >>>> SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)
> >>>>
> >>>> However, I would like to combine them on both sides of the hex
> >>>> signature, but none of the following combinations work without causing
> >>>> errors:
> >>>>
> >>>> SpamDomain.example_com:4:*:(B|L)6578616d706c652e636f6d(B|L)
> >>>> SpamDomain.example_com:4:*:(B)(L)6578616d706c652e636f6d(B)(L)
> >>>> SpamDomain.example_com:4:*:((B)|(L))6578616d706c652e636f6d((B)|(L))
> >>>>
> >>>> Is there a way to combine these two wildcards into a single hex
> >>>> signature so that it can detect any of the following combinations in an
> >>>> email message:
> >>>
> >>> Hi Bill,
> >>>
> >>> the word boundary (B) also acts as a line marker (L), so there's no need
> >>> for using both of them at the same time.
> >>
> >> Yes, but the (B)...(B) boundary does not work without using the
> >> (L)...(B) boundary in these two scenarios:
> >>
> >> beginning of line CR, CRLF boundary and word boundary (L)...(B):
> >> ================================================================
> >> This is
> >> example.com test message.
> >>
> >> beginning and end of line CR, CRLF boundary (L)...(L):
> >> ======================================================
> >> This is
> >> example.com
> >> test message.
> >> ===
> >>
> >> where the domain name starts at the beginning of the line. It would
> >> work great with (B)...(B) if the (B) boundary supported beginning of
> >> line detection:
> >>
> >> ^example.com
> >>
> >> Can this be added to the (B) boundary detection?
> >
> > (B)6578616d706c652e636f6d
> >
> > Any further thoughts on this?
>
> This matches example.com at beginning of line, or at a word boundary:
> Foo:0:*:(B)6578616d706c652e636f6d

===== cat test.mail =====
Return-Path: x
Received: x
Xxx
example.com xxX
=====================

Foo:4:*:(B)6578616d706c652e636f6d(B)
test.mail: OK

Foo:4:*:6578616d706c652e636f6d
test.mail: Foo.UNOFFICIAL FOUND

Foo:0:*:(B)6578616d706c652e636f6d(B)
test.mail: Foo.UNOFFICIAL FOUND

Obviously we want to match mail files here, seems there's a bug handling it.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
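The thread turns on what the (B) and (L) markers actually require of the bytes next to the hex string, and on why a domain at the start of a line is caught by (B)...(B) when the scanner sees the raw file (target type 0) but was missed in the type-4 run above. The following script is an added example written for this page; it is not ClamAV's matcher and not code from anyone in the thread. It models only the documented semantics quoted above: a leading marker constrains the byte before the hex string, a trailing marker the byte after it, and start or end of data counts as a boundary for both. Two details are assumptions of the model, not ClamAV's definitions: a "word" byte is an ASCII letter or digit, and a line boundary is either a CR or a bare LF (the quoted docs say "CR, CRLF or file boundaries"; accepting LF alone is what makes a Unix-style test file like Edwin's behave as shown). The target type (0 any file, 4 mail) is parsed but not enforced, so the model searches raw bytes and cannot reproduce the type-4 miss; it shows what the markers are supposed to do, which is the baseline that miss is measured against. All sample inputs are constructed here to mirror the layouts Bill and Edwin describe.

```python
import re

# Constructed sample inputs. They mirror the layouts discussed in the thread but
# are built here; these bytes are not the thread's actual files.
MAIL_DOMAIN_AT_LINE_START = b"Return-Path: x\nReceived: x\nXxx\nexample.com xxX\n"
DOMAIN_LINE_START_WORD_END = b"This is\nexample.com test message.\n"
DOMAIN_ALONE_ON_LINE = b"This is\nexample.com\ntest message.\n"
DOMAIN_INSIDE_WORD = b"This is notexample.community here\n"

# Assumptions of this model, not ClamAV's definitions:
#  - a "word" byte is an ASCII letter or digit;
#  - a line boundary is a CR or an LF (the quoted docs say "CR, CRLF or file
#    boundaries"; accepting a bare LF covers Unix-style files like the above).
_WORD = rb"[A-Za-z0-9]"
_EOL = rb"[\r\n]"

# A leading marker constrains the byte before the hex string, a trailing marker
# the byte after it. Start and end of data count as boundaries for both kinds.
_LEAD = {
    "B": rb"(?:\A|(?<!" + _WORD + rb"))",
    "L": rb"(?:\A|(?<=" + _EOL + rb"))",
}
_TRAIL = {
    "B": rb"(?:\Z|(?!" + _WORD + rb"))",
    "L": rb"(?:\Z|(?=" + _EOL + rb"))",
}

_MARKER = re.compile(r"\((B|L)\)")


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate a hex signature carrying (B)/(L) markers into a bytes regex.

    Only markers at the very start or end of the signature are modelled;
    anything else (other wildcards, markers mid-string, forms like (B|L))
    is rejected with ValueError.
    """
    leading, trailing, body = [], [], hexsig
    while True:
        m = _MARKER.match(body)
        if not m:
            break
        leading.append(m.group(1))
        body = body[m.end():]
    while True:
        m = re.search(r"\((B|L)\)\Z", body)
        if not m:
            break
        trailing.insert(0, m.group(1))
        body = body[:m.start()]
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", body):
        raise ValueError(f"unsupported or malformed hex body in {hexsig!r}")
    pattern = (b"".join(_LEAD[k] for k in leading)
               + re.escape(bytes.fromhex(body))
               + b"".join(_TRAIL[k] for k in trailing))
    return re.compile(pattern)


def parse_ndb(line: str):
    """Split an .ndb line 'Name:Target:Offset:HexSig' into its four fields."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, hexsig


def scan(data: bytes, ndb_lines) -> list:
    """Return the names of the signatures whose pattern occurs in data.

    The target type (0 = any file, 4 = mail) is parsed but not enforced: this
    model searches the raw bytes and does not implement ClamAV's mail parsing,
    so it cannot reproduce the type-4 miss reported in the thread.
    """
    found = []
    for line in ndb_lines:
        name, _target, offset, hexsig = parse_ndb(line)
        if offset != "*":
            raise ValueError("only '*' (any offset) is modelled")
        if hexsig_to_regex(hexsig).search(data):
            found.append(name)
    return found


if __name__ == "__main__":
    sigs = [
        "BB:0:*:(B)6578616d706c652e636f6d(B)",
        "LL:0:*:(L)6578616d706c652e636f6d(L)",
        "LB:0:*:(L)6578616d706c652e636f6d(B)",
        "Plain:0:*:6578616d706c652e636f6d",
    ]
    for label, data in [
        ("mail, domain at line start", MAIL_DOMAIN_AT_LINE_START),
        ("domain at line start, word end", DOMAIN_LINE_START_WORD_END),
        ("domain alone on its line", DOMAIN_ALONE_ON_LINE),
        ("domain inside a longer word", DOMAIN_INSIDE_WORD),
    ]:
        print(f"{label}: {scan(data, sigs)}")
```

Under this model (B)...(B) fires on every layout Bill listed, because a newline before the domain is just another non-word byte, which is Tomasz's point that (B) already covers the (L) case; (L)...(L) misses "example.com test message." only because the trailing marker insists on a line end where there is a space. The one thing the model deliberately does not do is type-4 mail decoding, and that is the layer Edwin's `Foo:4:*:(B)...(B)` miss points at: the same bytes match under type 0, so the marker logic is not what failed there.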
