> -----Original Message-----
> Despite the statement of your objective it isn't clear to me what you
> think you're going to achieve. My expectation would be a very large
> increase in the false positive rates if you attempt to use signatures
> modified in the way you describe. Can you be more specific? Define
> 'appropriate' and 'useful' in this context for example.

The rate of false positives is wholly dependent on the strings that you are replacing with wildcards. As an example, when generating signatures to identify phishing content (say, content targeting bank customers), I wanted to be able to strip out 'http://' (687474703a2f2f) and 'https://' (68747470733a2f2f) from the hex dump (generated by sigtool) and replace them with {7-8} (aka WILDCARD LENGTH 7 - 8) because I don't care if the protocol in the phishing content is http or https. This would remove 9 - 11 characters with each replacement, allowing me to fit more of the hex dump into the resulting signature, which is limited to ~8k characters (including name, file type, and offset). Being able to replace these sorts of known strings automatically would help speed the process of creating the signatures (which, as you mentioned, is a tough task as it is).

> If you are
> just looking for the 'names' of the viruses then forget it, there is no
> common naming scheme which is globally accepted. Individuals and
> organizations pick names as they find new threats, and within a very
> short time of their first appearance it is common for threats to be
> given a few different names by several anti-virus product suppliers.

This has nothing to do with looking at the names of viruses. I'm only concerned with looking at the output from sigtool --hex-dump and turning it into a useful signature in a faster, more efficient manner.

--Maarten

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
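The substitution Maarten describes, as an added example that is not part of the original message or of ClamAV's own tooling: it decodes the `sigtool --hex-dump` text, replaces `http://` and `https://` with a `{7-8}` wildcard derived from the literals' lengths, and assembles a `.ndb` line checked against the size limit. The 8192-character limit, the `Name:TargetType:Offset:HexSig` layout, the constructed sample fragment and the rule that the pattern must start and end with literal bytes are assumptions made here.

```python
# Groups of literals the signature should treat as interchangeable.  Only the
# http:// vs https:// case from the post is listed; add more groups as needed.
INTERCHANGEABLE = [
    [b"http://", b"https://"],
]

def wildcard_for(group):
    """Return the {min-max} wildcard spanning every literal in the group."""
    lengths = sorted(len(lit) for lit in group)
    return "{%d-%d}" % (lengths[0], lengths[-1])

def wildcard_hex_dump(hex_dump, groups=INTERCHANGEABLE):
    """Replace known literals in `sigtool --hex-dump` text with wildcards.

    The dump is decoded to bytes first so a literal can only match on a byte
    boundary; a substring replace on the hex text itself could match across
    a nibble boundary and silently corrupt the signature."""
    data = bytes.fromhex(hex_dump.strip())  # rejects odd-length/invalid hex
    table = [(lit, wildcard_for(g)) for g in groups for lit in g]
    table.sort(key=lambda t: len(t[0]), reverse=True)  # longest literal first
    out, i = [], 0
    while i < len(data):
        for lit, wild in table:
            if data.startswith(lit, i):
                out.append(wild)
                i += len(lit)
                break
        else:
            out.append("%02x" % data[i])
            i += 1
    return "".join(out)

def build_ndb_line(name, hex_dump, target=0, offset="*", max_len=8192):
    """Assemble a .ndb line (Name:TargetType:Offset:HexSig) and size-check it.

    max_len stands in for the ~8k limit the post mentions (8192 assumed here).
    Leading/trailing wildcards are rejected so the pattern keeps literal bytes
    at both ends to anchor on (a conservative rule assumed here)."""
    body = wildcard_hex_dump(hex_dump)
    if body.startswith("{") or body.endswith("}"):
        raise ValueError("signature must begin and end with literal bytes")
    line = "%s:%d:%s:%s" % (name, target, offset, body)
    if len(line) > max_len:
        raise ValueError("signature is %d chars, limit %d" % (len(line), max_len))
    return line

if __name__ == "__main__":
    # Constructed phishing fragment standing in for real sigtool output.
    sample = b'<form action="https://example.test/login"><a href="http://example.test/">'
    print(build_ndb_line("Phish.Example", sample.hex()))
```

Each `http://` match saves 9 characters and each `https://` match saves 11, as the message states, which is what leaves room for more of the dump under the limit.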