> -----Original Message-----
> > Some of the phishing content that I'm finding is resulting in hex
> > dumps in the 10k+ character range and I think it's more dangerous to
> > replace sections with '*' than to replace certain substrings with
> > specific length wildcards.
>
> Please would someone explain to me the use of "{7-8}"? I do not
> recognize it as valid regular expression syntax.
>
> According to the current ClamAV documentation (15 May 2012) repeat
> character counts are not supported:
>
> http://www.clamav.net/doc/latest/phishsigs_howto.pdf

I see where your confusion comes from. I'm not generating pdb signatures.
I'm generating ndb signatures via 'sigtool --hex-dump' on the normalized
output from clamscan --debug --leave-temps <filename>.

In the ndb file, {7-8} matches any 7 or 8 character string.

--Maarten
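
Added example, not part of the original message and not ClamAV's own code: a small Python translator for a subset of the ndb hex-signature wildcards, showing how a bounded gap such as {7-8} behaves next to '*'. The function names, the sample signatures and the test data are constructed for illustration.

```python
import re

# Subset of ClamAV body-signature (ndb) hex syntax: literal hex bytes, ??, *,
# {n}, {n-m}, {-n}, {n-}. Nibble wildcards and (aa|bb) alternatives are omitted.
_TOKEN = re.compile(
    r"(?P<hex>[0-9a-fA-F]{2})|(?P<any>\?\?)|(?P<star>\*)"
    r"|\{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}"
)

def ndb_to_regex(hexsig):
    """Translate an ndb hex signature into a compiled bytes regex."""
    parts, pos = [], 0
    while pos < len(hexsig):
        m = _TOKEN.match(hexsig, pos)
        if m is None:
            raise ValueError("unsupported token at offset %d" % pos)
        lo, dash, hi = m.group("lo"), m.group("dash"), m.group("hi")
        if m.group("hex"):
            parts.append(re.escape(bytes.fromhex(m.group("hex"))))
        elif m.group("any"):
            parts.append(b".")                      # exactly one byte
        elif m.group("star"):
            parts.append(b".*?")                    # any number of bytes
        elif dash and (lo or hi):
            # {n-m}, {-m} or {n-}: bounded or half-open byte gap
            parts.append((".{%s,%s}" % (lo or "0", hi)).encode())
        elif lo and not dash:
            parts.append((".{%s}" % lo).encode())   # exactly n bytes
        else:
            raise ValueError("empty {} wildcard at offset %d" % pos)
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def matches(hexsig, data):
    """True if the signature matches anywhere in data."""
    return ndb_to_regex(hexsig).search(data) is not None

# Constructed sample signatures: "id=" <gap> "&ok"
BOUNDED = b"id=".hex() + "{7-8}" + b"&ok".hex()
STAR = b"id=".hex() + "*" + b"&ok".hex()

if __name__ == "__main__":
    for gap in (6, 7, 8, 9, 10000):
        data = b"id=" + b"x" * gap + b"&ok"
        print(gap, matches(BOUNDED, data), matches(STAR, data))
```

The bounded form matches only when the gap is 7 or 8 bytes, while the '*' form also matches when the two fragments are 10,000 bytes apart.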