Joel Esler (jesler) wrote:
> Dave,
>
> Check out:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

Unfortunately this document still leaves a number of questions, since it's quite easy to create a signature that looks to be valid but which ClamAV won't accept. And the specifics of what it won't accept have varied from version to version, and as far as I can tell are not clearly documented anywhere but the ClamAV source.

For instance, I have regularly seen malware that I am trying to create a signature for, where I have a pattern of 1-3 alternating known and unknown (or small-set, e.g. ASCII numeric or [a-z]) bytes or byte groups. It is possible to generate a signature that should match this, but which won't be accepted by the engine. It has gotten less restrictive in recent versions but some types of pattern are still not supported.

-kgd

> On Oct 26, 2016, at 8:45 AM, Dave McMurtrie
> <dav...@andrew.cmu.edu> wrote:
>
> Hi,
>
> I know it exists, because I remember reading it before. However, I
> can't find it now. I found the docs at
> https://github.com/vrtadmin/clamav-devel/tree/master/docs but I didn't
> find what I was looking for there.
>
> Specifically, I'm looking for information on using pattern matching or
> regexes in an ndb signature. I'd like to come up with a signature that
> will match any email body that contains a URL in the .top domain.
>
> Thanks!
>
> Dave
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml