Sorry, still drinking my morning coffee.  

The "easy" fix I suggested is probably terrible. I imagine it's totally fine
to have 0-prefixed numbers (e.g. AA-GG-0123). We'll definitely have to get
away from sscanf() for the fix.

Micah

On 9/30/19, 11:49 AM, "clamav-users on behalf of Micah Snyder (micasnyd) via 
clamav-users" <clamav-users-boun...@lists.clamav.net on behalf of 
clamav-users@lists.clamav.net> wrote:

    Hi Wagde,
    
    It looks like you've found a bug. The SSN detection logic is hardcoded
    here:
    https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/libclamav/dlp.c#L295
    
    As you can see, it looks for sequences in the form "%3d-%2d-%4d" or
    "%3d%2d%4d" using sscanf(), and then validates that each of the area, group,
    and serial numbers is valid. I'm looking at this code for the first time, but
    have reproduced the issue you described. It makes sense. The %4d specifies
    the maximum number of digits, not a specific number of digits.
    
    The easy fix would be to make sure that Area >= 100, Group >= 10, and
    Serial >= 1000 -- though as per the comments it seems like sscanf() is an
    inefficient choice for the implementation.
    
    To fix the issue we'll have to fix the code in a patch release, maybe
    0.102.1. I have made this bug report to track the issue:
    https://bugzilla.clamav.net/show_bug.cgi?id=12407
    
    Regards,
    Micah
    
    
    Micah Snyder
    ClamAV Development
    Talos
    Cisco Systems, Inc.
    
    On 9/28/19, 7:19 PM, "clamav-users on behalf of Wagde Zabit via
    clamav-users" <clamav-users-boun...@lists.clamav.net on behalf of
    clamav-users@lists.clamav.net> wrote:
    
        I keep getting false positives on SSN in a log file full of IP
        addresses.
        
        For some reason ClamAV detects 172-31-19-5 as an SSN although it's
        not (AAA-GG-SSSS).
        
        ./bin/clamdscan ~/ssn.txt
        /home/ubuntu/ssn.txt: Heuristics.Structured.SSN FOUND
        
        ----------- SCAN SUMMARY -----------
        Infected files: 1
        Time: 0.000 sec (0 m 0 s)
        
        cat ~/ssn.txt
        172-31-19-5
        172-31-19-5
        172-31-19-5
        172-31-19-5
        172-31-19-5
        
        ./bin/clamdscan --version
        ClamAV 0.101.2/25579/Sat Sep 21 08:23:44 2019
        
        
        Is there a way to change the existing SSN signature?
        Is there a way to write a new signature like:
        ^((?!000)(?!666)\d{3})([ -])?((?!00)\d{2})([ -])?((?!0000)\d{4})$
        to get better results?
        
        Thanx
        Wagde
        
        _______________________________________________
        
        clamav-users mailing list
        clamav-users@lists.clamav.net
        https://lists.clamav.net/mailman/listinfo/clamav-users
        
        
        Help us build a comprehensive ClamAV guide:
        https://github.com/vrtadmin/clamav-faq
        
        http://www.clamav.net/contact.html#ml
        
    
    
    


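As an added example (not ClamAV's code, and not written by anyone in this thread), the C below reproduces the sscanf() width behaviour Micah describes, the "easy fix" (Area >= 100, Group >= 10, Serial >= 1000) that he then withdraws because of zero-prefixed fields, and an exact-width parser that avoids sscanf() altogether. The validity rules it applies (area not 000 or 666, group not 00, serial not 0000) are an assumption taken from the regex Wagde proposed, not ClamAV's own list; the sample lines are constructed, including Wagde's 172-31-19-5 log entry.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Validity rules assumed from the regex proposed in the thread (not ClamAV's
 * exact list): area must not be 000 or 666, group not 00, serial not 0000. */
static int ssn_fields_valid(int area, int group, int serial)
{
    return area != 0 && area != 666 && group != 0 && serial != 0;
}

/* The pattern the thread describes: sscanf() with "%3d-%2d-%4d". The width in
 * %Nd is a maximum, not an exact count, so "172-31-19-5" parses as
 * area=172, group=31, serial=19 and passes validation: the false positive. */
int ssn_match_sscanf(const char *s)
{
    int a, g, r;
    if (sscanf(s, "%3d-%2d-%4d", &a, &g, &r) != 3)
        return 0;
    return ssn_fields_valid(a, g, r);
}

/* The "easy fix" floated in the thread: keep sscanf() but require
 * area >= 100, group >= 10 and serial >= 1000. It rejects 172-31-19-5, but it
 * also rejects a zero-prefixed serial such as 123-45-0123 (a false negative). */
int ssn_match_sscanf_minvalue(const char *s)
{
    int a, g, r;
    if (sscanf(s, "%3d-%2d-%4d", &a, &g, &r) != 3)
        return 0;
    if (a < 100 || g < 10 || r < 1000)
        return 0;
    return ssn_fields_valid(a, g, r);
}

/* Read exactly n ASCII digits at p into *out; returns 0 if any is not a digit. */
static int take_digits(const char *p, size_t n, int *out)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)p[i]))
            return 0;
        v = v * 10 + (p[i] - '0');
    }
    *out = v;
    return 1;
}

/* Exact-width parse without sscanf(): exactly 3, 2 and 4 digits, either all
 * dash-separated or all run together, and no digit directly after the
 * candidate. Digits are counted before they are converted, so zero-prefixed
 * fields keep their width and are accepted. */
int ssn_match_exact(const char *s)
{
    const char *p = s;
    int a, g, r, dashed;
    if (!take_digits(p, 3, &a)) return 0;
    p += 3;
    dashed = (*p == '-');
    if (dashed) p++;
    if (!take_digits(p, 2, &g)) return 0;
    p += 2;
    if (dashed) {
        if (*p != '-') return 0;
        p++;
    } else if (*p == '-') {
        return 0;                 /* mixed "12345-6789" is not a candidate */
    }
    if (!take_digits(p, 4, &r)) return 0;
    p += 4;
    if (isdigit((unsigned char)*p)) return 0;   /* longer number, e.g. 123-45-67890 */
    return ssn_fields_valid(a, g, r);
}

/* Scan a buffer the way a DLP pass would: try every offset that is not
 * preceded by a digit and count the candidates the exact matcher accepts. */
int count_ssn_exact(const char *buf)
{
    int n = 0;
    size_t len = strlen(buf);
    for (size_t i = 0; i < len; i++) {
        if (i > 0 && isdigit((unsigned char)buf[i - 1]))
            continue;
        if (ssn_match_exact(buf + i))
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed samples: Wagde's log line, a zero-prefixed serial, and two
     * lines with invalid fields. */
    const char *samples[] = { "172-31-19-5", "123-45-0123", "000-12-3456", "123-45-0000" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s sscanf=%d minvalue=%d exact=%d\n", samples[i],
               ssn_match_sscanf(samples[i]), ssn_match_sscanf_minvalue(samples[i]),
               ssn_match_exact(samples[i]));
    return 0;
}
```

Running it shows the three behaviours side by side: the sscanf() version flags 172-31-19-5, the minimum-value fix stops that but drops 123-45-0123, and the exact-width parser gets both right because it checks the number of digits rather than the numeric value.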
