> -----Original Message-----
> > > The rate of false positives is wholly dependent on the strings that
> > > you are replacing with wildcards.
> > >
> > > As an example, when generating signatures to identify phishing
> > > content (say, content targeting bank customers), I wanted to be able
> > > to strip out 'http://' (687474703a2f2f) and 'https://'
> > > (68747470733a2f2f) from the hex dump (generated by sigtool) and
> > > replace them with {7-8} (aka WILDCARD LENGTH 7 - 8) because I
> > > don't care if the protocol in the phishing content is http or https.
> > > This would remove 9 - 11 characters with each replacement, allowing
> > > me to fit more of the hex dump into the resulting signature, which is
> > > limited to ~8k characters (including name, file type, and offset).
> >
> > I think he meant that {7-8}facebook.com matches,
> >
> > * http://facebook.com
> > * https://facebook.com
> > * i go to facebook.com
> > * visit facebook.com
> > * ...
> >
> > Whether or not that's a problem depends on context. I guess <a href="i
> > go to facebook.com"> is not so bad, but false positives are almost by
> > definition unintended consequences, so I'd be careful.
>
> Are you hitting the maximum signature length of 8192? I suppose in that
> case, if you are trying to make room, then you intend to offset (pun
> intended) the loss of precision in one part of the expression by being
> more precise elsewhere with the extra bytes you could use elsewhere in
> the sig.
> It sounds like a reasonable tradeoff to consider if your signature has
> reached the limit, but I know of no tool or script to do it for you.
Exactly. Some of the phishing content that I'm finding is resulting in hex dumps in the 10k+ character range and I think it's more dangerous to replace sections with '*' than to replace certain substrings with specific length wildcards.

--Maarten

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
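The substitution the thread says no tool does, as an added example (this is not code from the thread, from ClamAV or from sigtool): it replaces the hex of `http://` / `https://` with `{7-8}` on byte boundaries, reports the characters saved against the 8192 limit, and translates a wildcard signature into a regex so the `{7-8}facebook.com` false positive from the quoted reply can be checked. The sample HTML is constructed.

```python
import re
from binascii import hexlify

WILDCARD = "{7-8}"   # ClamAV body wildcard: skip any 7 to 8 bytes
MAX_SIG_LEN = 8192   # signature length limit mentioned in the thread

def hex_dump(data: bytes) -> str:
    """Mimic `sigtool --hex-dump`: lowercase hex of the raw bytes."""
    return hexlify(data).decode()

def wildcard_protocols(hexsig: str) -> str:
    """Replace every http:// (687474703a2f2f) or https:// (68747470733a2f2f)
    in a hex body with {7-8}. The hex is decoded to bytes first so the
    prefix is only replaced on a byte boundary, never on a nibble-shifted
    coincidence in the hex text."""
    chunks = re.split(rb"https?://", bytes.fromhex(hexsig))
    return WILDCARD.join(hex_dump(c) for c in chunks)

def chars_saved(hexsig: str) -> int:
    """16 or 14 hex chars become 5, i.e. 11 or 9 saved per replacement."""
    return len(hexsig) - len(wildcard_protocols(hexsig))

def to_regex(sig: str) -> "re.Pattern[bytes]":
    """Translate a hex body with {n-m} wildcards into an equivalent regex,
    so the match behaviour of a candidate signature can be checked offline."""
    out = []
    for tok in re.findall(r"\{\d+-\d+\}|[0-9a-fA-F]{2}", sig):
        if tok.startswith("{"):
            lo, hi = tok[1:-1].split("-")
            out.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out), re.DOTALL)

def matches(sig: str, sample: bytes) -> bool:
    return to_regex(sig).search(sample) is not None

# Constructed sample page; not real phishing content.
PAGE = b'<form action="https://login.example.test/"><a href="http://example.test/">'
ORIG_SIG = hex_dump(PAGE)
WILD_SIG = wildcard_protocols(ORIG_SIG)

if __name__ == "__main__":
    print(WILD_SIG, "saved:", chars_saved(ORIG_SIG), "fits:", len(WILD_SIG) <= MAX_SIG_LEN)
    # The false positive from the quoted reply: {7-8} also swallows "i go to ".
    fp = WILDCARD + hex_dump(b"facebook.com")
    print(matches(fp, b"i go to facebook.com"))  # True
```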