Hi there,

On Wed, 29 Aug 2012, Maarten Broekman wrote:

> Does anyone know of a tool that would take strings in a hex signature
> and turn them into appropriate wildcards?  For instance, I want to strip
> out all the "http://" and "https://" and replace them with {7-8}

Your suggested replacement does not make sense to me.

> to reduce the size of the signature and get more 'useful' strings in the
> signature?  There are other strings as well so it's not just a I've been
> using sed but it's a little unwieldy and more than occasionally requires
> manual treatment afterwards.

There seems to be at least one piece missing from that last sentence.
Of course there's always Perl... :)

Despite the statement of your objective it isn't clear to me what you
think you're going to achieve.  My expectation would be a very large
increase in the false positive rates if you attempt to use signatures
modified in the way you describe.  Can you be more specific?  Define
'appropriate' and 'useful' in this context for example.  If you are
just looking for the 'names' of the viruses then forget it, there is
no common naming scheme which is globally accepted.  Individuals and
organizations pick names as they find new threats, and within a very
short time of their first appearance it is common for threats to be
given a few different names by several anti-virus product suppliers.

Generating signatures for scanning for malicious software is not a
simple task, and there is considerable literature available on it.

http://www.google.com/#hl=en&output=search&q=generating+virus+signatures

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
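
The substitution asked about in the quoted question, as an added example that is not part of the original thread or of ClamAV: it tokenizes a hex signature so that replacement only happens on byte boundaries, which plain text matching with sed does not guarantee, and it counts the fully specified bytes left afterwards so the loss of specificity the reply warns about is visible. The names `wildcard_urls` and `fixed_bytes` and the sample signature are constructed for illustration.

```python
import re

# One token is a byte (hex pair, '?' nibbles allowed) or a ClamAV wildcard.
TOKEN = re.compile(r"\{[^}]*\}|\([^)]*\)|\*|[0-9a-fA-F?]{2}")
# Longest first, so "https://" is never treated as "http" plus leftovers.
TARGETS = [[f"{b:02x}" for b in s] for s in (b"https://", b"http://")]

# Constructed sample: src="http://  <any bytes>  https:///x.js
SAMPLE = (b'src="http://').hex() + "*" + (b"https:///x.js").hex()


def tokenize(sig):
    tokens = TOKEN.findall(sig)
    if "".join(tokens) != sig:  # stray characters or an odd number of nibbles
        raise ValueError("not a well-formed hex signature")
    return tokens


def wildcard_urls(sig, gap="{7-8}"):
    """Replace byte-aligned runs spelling http:// or https:// with `gap`."""
    tokens = tokenize(sig)
    low = [t.lower() for t in tokens]  # compare case-insensitively
    out, i = [], 0
    while i < len(tokens):
        for want in TARGETS:
            if low[i:i + len(want)] == want:
                out.append(gap)
                i += len(want)
                break
        else:  # no target starts at this byte: keep the token unchanged
            out.append(tokens[i])
            i += 1
    return "".join(out)


def fixed_bytes(sig):
    """Count fully specified bytes the scanner can still anchor on."""
    return sum(1 for t in tokenize(sig) if re.fullmatch(r"[0-9a-fA-F]{2}", t))


if __name__ == "__main__":
    new = wildcard_urls(SAMPLE)
    print(SAMPLE, fixed_bytes(SAMPLE))
    print(new, fixed_bytes(new))
```

A drop in the `fixed_bytes` count after rewriting is a prompt to test the modified signature against known-clean files before deploying it.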
