On Wed, Aug 29, 2012 at 10:29 AM, Michael Orlitzky <mich...@orlitzky.com> wrote:

> On 08/29/2012 09:46 AM, Maarten Broekman wrote:
> >> -----Original Message-----
> >> Despite the statement of your objective it isn't clear to me what you
> >> think you're going to achieve.  My expectation would be a very large
> >> increase in the false positive rates if you attempt to use signatures
> >> modified in the way you describe.  Can you be more specific?  Define
> >> 'appropriate' and 'useful' in this context for example.
> >
> > The rate of false positives is wholly dependent on the strings that you
> > are replacing with wildcards.
> >
> > As an example, when generating signatures to identify phishing content
> > (say, content targeting bank customers), I wanted to be able to strip
> > out 'http://' (687474703a2f2f) and 'https://' (68747470733a2f2f) from
> > the hex dump (generated by sigtool) and replace them with {7-8} (aka
> > WILDCARD LENGTH 7 - 8) because I don't care if the protocol in the
> > phishing content is http or https.  This would remove 9 - 11 characters
> > with each replacement, allowing me to fit more of the hex dump into the
> > result signature which is limited to ~8k characters (including name,
> > file type, and offset).
>
> I think he meant that {7-8}facebook.com matches,
>
>  * http://facebook.com
>  * https://facebook.com
>  * i go to facebook.com
>  *  visit facebook.com
>  * ...
>
> Whether or not that's a problem depends on context. I guess <a href="i
> go to facebook.com"> is not so bad, but false positives are almost by
> definition unintended consequences so I'd be careful.
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

Are you hitting the maximum signature length of 8192? I suppose in that
case if you are trying to make room, then you intend to offset (pun
intended) the loss of precision in one part of the expression by being more
precise elsewhere with the extra bytes you could use elsewhere in the sig.
It sounds like a reasonable tradeoff to consider if your signature has
reached the limit, but I know of no tool or script to do it for you.

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
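An added example (not code from the thread or from ClamAV's own tooling), in Python: it performs the hex substitution Maarten describes on whole bytes, and models `{n-m}` as a byte-count-only wildcard to reproduce the matches Michael lists. The regex translation is a simplified stand-in for ClamAV's matcher, assumed here only for illustration.

```python
import re

# 'https://' and 'http://' as the hex strings quoted in the thread
# (sigtool prints two lowercase hex chars per byte).
PROTOCOLS = (bytes.fromhex("68747470733a2f2f"), bytes.fromhex("687474703a2f2f"))

def compact_protocol(hexbody: str) -> str:
    """Replace each 'https://' / 'http://' in a sigtool hex body with {7-8}.
    Scanning decoded bytes keeps matches on byte boundaries; a str.replace on
    the hex text could also fire on a nibble-misaligned run and corrupt the sig."""
    data = bytes.fromhex(hexbody)
    out, literal, i = [], bytearray(), 0
    while i < len(data):
        hit = next((p for p in PROTOCOLS if data.startswith(p, i)), None)
        if hit is None:
            literal.append(data[i]); i += 1
            continue
        out.append(literal.hex()); literal = bytearray()
        out.append("{7-8}")           # saves 9 (http) or 11 (https) hex chars
        i += len(hit)
    out.append(literal.hex())
    return "".join(out)

_WILD = re.compile(r"\{(\d+)-(\d+)\}")

def sig_to_regex(hexsig: str) -> re.Pattern:
    """Model {n-m} as n..m arbitrary bytes: a toy subset of ClamAV body-signature
    syntax, just enough to show that the wildcard counts bytes but never checks them."""
    parts, pos = [], 0
    for m in _WILD.finditer(hexsig):
        parts.append(re.escape(bytes.fromhex(hexsig[pos:m.start()])))
        lo, hi = m.group(1).encode(), m.group(2).encode()
        parts.append(b".{" + lo + b"," + hi + b"}")
        pos = m.end()
    parts.append(re.escape(bytes.fromhex(hexsig[pos:])))
    return re.compile(b"".join(parts), re.DOTALL)

def matches(hexsig: str, content: bytes) -> bool:
    return sig_to_regex(hexsig).search(content) is not None

if __name__ == "__main__":
    strict = b"https://facebook.com".hex()       # constructed sample signature body
    loose = compact_protocol(strict)
    print(strict, "->", loose, "(saves", len(strict) - len(loose), "chars)")
    # Michael's list: every string with 7-8 bytes before 'facebook.com' now matches.
    for s in (b"http://facebook.com", b"https://facebook.com",
              b"i go to facebook.com", b" visit facebook.com", b"facebook.com"):
        print(f"{s!r:28} strict={matches(strict, s)!s:5} loose={matches(loose, s)}")
```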