Re: [clamav-users] FilenameRegex and backreferences

2017-07-07 Thread kionez
#include // created 06/07/2017 14:53 Many thanks demonduck!! [cut] > I'll try to convert my rule into LDB! after some RTFM I finally understand the LDB format, so I created my first two rules to detect obfuscated malware scripts in wsf\hta files. The attachment is a zip\rar archive, which co

Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread kionez
#include // created 06/07/2017 14:41 Hi demonduck, > Unfortunately the Regex engine (...) does not support many regex > features supported in PCRE v6 or v7. [cut] I was afraid of this, I'm digging into the source code of libclamav's regex to find the differences between original OpenBSD regex a

Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread demonduck
kionez, Unfortunately the Regex engine ( https://github.com/vrtadmin/clamav-devel/blob/631f3e1165ed518a99e0f12f1a02a345feb2aea9/libclamav/regex/regexec.c) for container metadata signatures (CDB) does not leverage the same engine (PCRE) as LDB signatures. CDB signatures use OpenBSD's libc/regex
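
Added example (not from the thread, and not ClamAV's own code): a small linter for the FilenameRegex field of a container-metadata (.cdb) signature, following demonduck's point that the CDB engine is OpenBSD's libc regex rather than PCRE. It assumes the documented .cdb field order (VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]), that the regex field contains no ':', and that the CDB engine accepts POSIX ERE syntax only, so it flags backreferences, lookaround, (?:...) groups, lazy quantifiers and \d/\w/\s shorthands. The sample signatures are constructed for the demo, not real ClamAV or Sanesecurity rules, and Python's re module is used only as a rough syntax check, not as a stand-in for the engine ClamAV runs.

```python
"""Lint the FilenameRegex field of ClamAV container-metadata (.cdb) signatures.

Added example, not code from the thread or from ClamAV.  Assumptions (mine):
  * .cdb field order as documented for ClamAV:
    VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
    FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]
    and that the regex field itself contains no ':'.
  * the CDB engine accepts POSIX ERE syntax only, so backreferences (\\1),
    lookaround, (?:...) groups, lazy quantifiers and \\d/\\w/\\s are flagged.
Python's re module is only a rough syntax check; it is not the engine ClamAV
runs, so a clean result here does not prove ClamAV will load the rule.
"""
import re

CDB_FIELDS = ['VirusName', 'ContainerType', 'ContainerSize', 'FileNameREGEX',
              'FileSizeInContainer', 'FileSizeReal', 'IsEncrypted', 'FilePos',
              'Res1', 'Res2', 'MinFL', 'MaxFL']


def parse_cdb_line(line):
    """Split one .cdb line into a dict keyed by CDB_FIELDS (10 to 12 fields)."""
    parts = line.strip().split(':')
    if not 10 <= len(parts) <= 12:
        raise ValueError('expected 10-12 colon-separated fields, got %d' % len(parts))
    return dict(zip(CDB_FIELDS, parts))


def _skip_bracket(regex, i, findings):
    """Advance past the bracket expression starting at regex[i] == '['.

    Inside a POSIX bracket expression a backslash is an ordinary character,
    so '[\\d]' matches a backslash or the letter d, not a digit: report it.
    """
    j = i + 1
    if j < len(regex) and regex[j] == '^':
        j += 1
    if j < len(regex) and regex[j] == ']':   # a leading ']' is literal
        j += 1
    while j < len(regex) and regex[j] != ']':
        if regex.startswith('[:', j):         # [:alpha:] style class
            end = regex.find(':]', j + 2)
            if end == -1:
                findings.append((j, 'unterminated [:class:]'))
                return len(regex)
            j = end + 2
            continue
        if regex[j] == '\\':
            findings.append((j, 'backslash inside bracket expression is literal in POSIX'))
        j += 1
    if j >= len(regex):
        findings.append((i, 'unterminated bracket expression'))
        return len(regex)
    return j + 1


def pcre_only_constructs(regex):
    """Return [(offset, description)] for syntax a POSIX ERE engine lacks."""
    findings = []
    i, n = 0, len(regex)
    while i < n:
        c = regex[i]
        if c == '\\':
            if i + 1 >= n:
                findings.append((i, 'trailing backslash'))
                break
            nxt = regex[i + 1]
            if nxt in '123456789':
                findings.append((i, 'backreference \\' + nxt))
            elif nxt in 'dDwWsS':
                findings.append((i, 'shorthand class \\' + nxt))
            i += 2
        elif c == '[':
            i = _skip_bracket(regex, i, findings)
        elif c == '(' and regex.startswith('(?', i):
            findings.append((i, 'extended group ' + regex[i:i + 3]))
            i += 2                           # step over '(?' so the '?' is not re-read
        elif c in '*+?}' and i + 1 < n and regex[i + 1] == '?':
            findings.append((i, 'lazy quantifier ' + c + '?'))
            i += 2
        else:
            i += 1
    return findings


def lint_cdb(line):
    """Lint one .cdb signature line; returns a list of human-readable problems."""
    sig = parse_cdb_line(line)
    regex = sig['FileNameREGEX']
    problems = ['FileNameREGEX offset %d: %s' % f for f in pcre_only_constructs(regex)]
    try:
        re.compile(regex)                    # rough syntax check only (Python, not ClamAV)
    except re.error as exc:
        problems.append('FileNameREGEX does not even compile as a Python regex: %s' % exc)
    return problems


# Constructed sample signatures for the demo; not real ClamAV or Sanesecurity rules.
SAMPLE_SIGNATURES = [
    r'Test.Cdb.Backref:CL_TYPE_ZIP:*:(invoice|order)_[0-9]+\.(js|wsf)\.\1:*:*:*:*:*:*',
    r'Test.Cdb.Lookahead:CL_TYPE_RAR:*:(?=.*\.hta$).*:*:*:*:*:*:*',
    r'Test.Cdb.Posix:CL_TYPE_ZIP:*:(invoice|order)_[0-9]+\.(js|wsf)$:*:*:*:*:*:*',
]

if __name__ == '__main__':
    for line in SAMPLE_SIGNATURES:
        name = parse_cdb_line(line)['VirusName']
        for p in lint_cdb(line) or ['ok']:
            print('%s: %s' % (name, p))
```

The first two constructed signatures are flagged (a \1 backreference and a lookahead), the third passes because it only uses groups, alternation, a bracket expression and anchors, which POSIX ERE does provide. A rule that passes this check still has to be loaded into ClamAV to confirm the CDB engine accepts it.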

Re: [clamav-users] FilenameRegex and backreferences

2017-07-06 Thread Al Varnell
Have you used this Regular Expressions Tutorial? -Al- On Thu, Jul 06, 2017 at 03:31 AM, kionez wrote: > > Hi all, > > I wonder how I can use a backreference FilenameRegex in signatures > based on container metadata. I read the manual (signatur

[clamav-users] FilenameRegex and backreferences

2017-07-06 Thread kionez
Hi all, I wonder how I can use a backreference in FilenameRegex in signatures based on container metadata. I read the manual (signatures.pdf), peeked into other rules (Sanesecurity) and some RTFM for OpenBSD regex without success. I would like to intercept some recurrent pattern in filenames, for ex