Browse code
Changelog entry and doc for alternative string wildcards in signatures.
Steven Morgan authored on 2013/12/03 07:04:09Showing 2 changed files
| ... | ... |
@@ -1,3 +1,7 @@ |
| 1 |
+Mon Dec 2 15:55:24 2013 EDT 2013 (morgan) |
|
| 2 |
+------------------------------------ |
|
| 3 |
+ * bb#9491 Support wildcard alternate strings of identical length in Aho-Corasick pattern matcher. |
|
| 4 |
+ |
|
| 1 | 5 |
Fri Nov 8 17:08:09 2013 EDT 2013 (morgan) |
| 2 | 6 |
------------------------------------ |
| 3 | 7 |
* Add ForceToDisk option for clamd and force-to-disk arg for clamscan |
| ... | ... |
@@ -203,7 +203,9 @@ attachment.exe: OK |
| 203 | 203 |
|
| 204 | 204 |
\subsection{Hash-based signatures}
|
| 205 | 205 |
The easiest way to create signatures for ClamAV is to use filehash checksums, |
| 206 |
- however this method can be only used against static malware. To create a |
|
| 206 |
+ however this method can be only used against static malware. |
|
| 207 |
+ \subsubsection{MD5 hash-based signatures}
|
|
| 208 |
+ To create a |
|
| 207 | 209 |
MD5 signature for \verb+test.exe+ use the \verb+--md5+ option of sigtool: |
| 208 | 210 |
\begin{verbatim}
|
| 209 | 211 |
zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb |
| ... | ... |
@@ -238,7 +240,7 @@ Time: 0.024 sec (0 m 0 s) |
| 238 | 238 |
left in /tmp. Please keep in mind that a hash signature will stop |
| 239 | 239 |
matching as soon as a single byte changes in the target file.} |
| 240 | 240 |
|
| 241 |
- \subsection{SHA1, SHA256}
|
|
| 241 |
+ \subsubsection{SHA1 and SHA256 hash-based signatures}
|
|
| 242 | 242 |
ClamAV 0.98 has also added support for SHA1 and SHA256 file checksums. |
| 243 | 243 |
The format is the same as for MD5 file checksum. |
| 244 | 244 |
It can differentiate between them based on the length of the hash string |
| ... | ... |
@@ -248,7 +250,7 @@ Time: 0.024 sec (0 m 0 s) |
| 248 | 248 |
HashString:FileSize:MalwareName |
| 249 | 249 |
\end{verbatim}
|
| 250 | 250 |
|
| 251 |
- \subsection{PE section based}
|
|
| 251 |
+ \subsubsection{PE section based hash signatures}
|
|
| 252 | 252 |
You can create a hash signature for a specific section in a PE file. |
| 253 | 253 |
Such signatures shall be stored inside \verb+.mdb+ files in the |
| 254 | 254 |
following format: |
| ... | ... |
@@ -265,7 +267,7 @@ PESectionSize:PESectionHash:MalwareName |
| 265 | 265 |
in the signature. For best backwards compatibility, these should be |
| 266 | 266 |
placed inside a \verb+*.msb+ file. |
| 267 | 267 |
|
| 268 |
- \subsection{Unknown size}
|
|
| 268 |
+ \subsubsection{Hash signatures with unknown size}
|
|
| 269 | 269 |
ClamAV 0.98 has also added support for hash signatures where the size |
| 270 | 270 |
is not known but the hash is. It is much more performance-efficient to |
| 271 | 271 |
use signatures with specific sizes, so be cautious when using this |
| ... | ... |
@@ -323,6 +325,11 @@ How do I look in hex? |
| 323 | 323 |
Match aa or bb or cc.. |
| 324 | 324 |
\item \verb+!(aa|bb|cc|..)+\\ |
| 325 | 325 |
Match any byte except aa and bb and cc.. (ClamAV$\ge$0.96) |
| 326 |
+ \item \verb+(aaaa|bbbb|cccc|..)+\\ |
|
| 327 |
+ Match alternative strings aaaa or bbbb or cccc. Alternative strings must have identical lengths. |
|
| 328 |
+ \item \verb+!(aaaa|bbbb|cccc|..)+\\ |
|
| 329 |
+ Match any string except aaaa and bbbb and cccc. Alternative strings must have identical lengths. |
|
| 330 |
+ (ClamAV$\ge$0.98.2) |
|
| 326 | 331 |
\item \verb+HEXSIG[x-y]aa+ or \verb+aa[x-y]HEXSIG+\\ |
| 327 | 332 |
Match aa anchored to a hex-signature, see |
| 328 | 333 |
\url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=776} for
|