Browse code
updated PCRE functionality documentation
Kevin Lin authored on 2015/02/06 01:30:26Showing 3 changed files
| ... | ... |
@@ -279,15 +279,15 @@ void help(void) |
| 279 | 279 |
mprintf(" --max-ziptypercg=#n Maximum size zip to type reanalyze\n");
|
| 280 | 280 |
mprintf(" --max-partitions=#n Maximum number of partitions in disk image to be scanned\n");
|
| 281 | 281 |
mprintf(" --max-iconspe=#n Maximum number of icons in PE file to be scanned\n");
|
| 282 |
- mprintf(" --enable-stats Enable statistical reporting of malware\n");
|
|
| 283 |
- mprintf(" --disable-pe-stats Disable submission of individual PE sections in stats submissions\n");
|
|
| 284 |
- mprintf(" --stats-timeout=#n Number of seconds to wait for waiting a response back from the stats server\n");
|
|
| 285 |
- mprintf(" --stats-host-id=UUID Set the Host ID used when submitting statistical info.\n");
|
|
| 286 | 282 |
#if HAVE_PCRE |
| 287 | 283 |
mprintf(" --pcre-match-limit=#n Maximum calls to the PCRE match function.\n");
|
| 288 | 284 |
mprintf(" --pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function.\n");
|
| 289 |
- mprintf(" --pcre-max-filesize=#n Maximum size file to perform PCRE sunsig matching.\n");
|
|
| 285 |
+ mprintf(" --pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching.\n");
|
|
| 290 | 286 |
#endif /* HAVE_PCRE */ |
| 287 |
+ mprintf(" --enable-stats Enable statistical reporting of malware\n");
|
|
| 288 |
+ mprintf(" --disable-pe-stats Disable submission of individual PE sections in stats submissions\n");
|
|
| 289 |
+ mprintf(" --stats-timeout=#n Number of seconds to wait for waiting a response back from the stats server\n");
|
|
| 290 |
+ mprintf(" --stats-host-id=UUID Set the Host ID used when submitting statistical info.\n");
|
|
| 291 | 291 |
mprintf("\n");
|
| 292 | 292 |
mprintf("(*) Default scan settings\n");
|
| 293 | 293 |
mprintf("(**) Certain files (e.g. documents, archives, etc.) may in turn contain other\n");
|
| ... | ... |
@@ -598,6 +598,45 @@ WARNING: setting this limit too high may result in severe damage or impact perfo |
| 598 | 598 |
.br |
| 599 | 599 |
Default: 100 |
| 600 | 600 |
.TP |
| 601 |
+\fBPCREMatchLimit SIZE\fR |
|
| 602 |
+This option sets the maximum calls to the PCRE match function during an instance of regex matching. |
|
| 603 |
+.br |
|
| 604 |
+Instances using more than this limit will be terminated and alert the user but the scan will continue. |
|
| 605 |
+.br |
|
| 606 |
+For more information on match_limit, see the PCRE documentation. |
|
| 607 |
+.br |
|
| 608 |
+Negative values are not allowed. |
|
| 609 |
+.br |
|
| 610 |
+WARNING: setting this limit too high may severely impact performance. |
|
| 611 |
+.br |
|
| 612 |
+Default: 10000 |
|
| 613 |
+.TP |
|
| 614 |
+\fBPCRERecMatchLimit NUMBER\fR |
|
| 615 |
+This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching. |
|
| 616 |
+.br |
|
| 617 |
+Instances using more than this limit will be terminated and alert the user but the scan will continue. |
|
| 618 |
+.br |
|
| 619 |
+For more information on match_limit_recursion, see the PCRE documentation. |
|
| 620 |
+.br |
|
| 621 |
+Negative values are not allowed and values > PCREMatchLimit are superfluous. |
|
| 622 |
+.br |
|
| 623 |
+WARNING: setting this limit too high may severely impact performance. |
|
| 624 |
+.br |
|
| 625 |
+Default: 5000 |
|
| 626 |
+.TP |
|
| 627 |
+\fBPCREMaxFileSize NUMBER\fR |
|
| 628 |
+This option sets the maximum filesize for which PCRE subsigs will be executed. |
|
| 629 |
+.br |
|
| 630 |
+Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer. |
|
| 631 |
+.br |
|
| 632 |
+Negative values are not allowed. |
|
| 633 |
+.br |
|
| 634 |
+Setting this value to zero disables the limit. |
|
| 635 |
+.br |
|
| 636 |
+WARNING: setting this limit too high or disabling it may severely impact performance. |
|
| 637 |
+.br |
|
| 638 |
+Default: 25M |
|
| 639 |
+.TP |
|
| 601 | 640 |
\fBClamukoScanOnAccess (OBSOLETE)\fR |
| 602 | 641 |
\fBWARNING:\fR This option is no longer accepted. See \fBScanOnAccess\fR. |
| 603 | 642 |
.TP |
| ... | ... |
@@ -214,6 +214,15 @@ This option sets the maximum number of partitions of a raw disk image to be scan |
| 214 | 214 |
\fB\-\-max\-iconspe=#n\fR |
| 215 | 215 |
This option sets the maximum number of icons within a PE to be scanned. This must be a positive integer (default: 100). |
| 216 | 216 |
.TP |
| 217 |
+\fB\-\-pcre-match-limit=#n\fR |
|
| 218 |
+Maximum calls to the PCRE match function (default: 10000). |
|
| 219 |
+.TP |
|
| 220 |
+\fB\-\-pcre-recmatch-limit=#n\fR |
|
| 221 |
+Maximum recursive calls to the PCRE match function (default: 5000). |
|
| 222 |
+.TP |
|
| 223 |
+\fB\-\-pcre-max-filesize=#n\fR |
|
| 224 |
+Maximum size file to perform PCRE subsig matching (default: 25 MB, max: <4 GB). |
|
| 225 |
+.TP |
|
| 217 | 226 |
\fB\-\-enable\-stats\fR |
| 218 | 227 |
This option enables submission of statistical data. (Default: stats submissions disabled) |
| 219 | 228 |
.TP |