@@ -358,12 +358,12 @@ static inline int swizz_j48(const uint16_t n[])
|
358
|
358
|
{
|
359
|
359
|
cli_dbgmsg("swizz_j48: %u, %u, %u\n",n[0],n[1],n[2]);
|
360
|
360
|
/* rules based on J48 tree */
|
361
|
|
- if (n[0] <= 945 || !n[1])
|
|
361
|
+ if (n[0] <= 961 || !n[1])
|
362
|
362
|
return 0;
|
363
|
363
|
if (n[0] <= 1006)
|
364
|
364
|
return (n[2] > 0 && n[2] <= 6);
|
365
|
365
|
else
|
366
|
|
- return n[1] <= 10;
|
|
366
|
+ return n[1] <= 10 && n[2];
|
367
|
367
|
}
|
368
|
368
|
|
369
|
369
|
void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob)
|
@@ -429,7 +429,7 @@ void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_s
|
429
|
429
|
ngram_cnts[i] = (v<<10)/all;
|
430
|
430
|
}
|
431
|
431
|
ret = swizz_j48(ngram_cnts) ? CL_VIRUS : CL_CLEAN;
|
432
|
|
- if (!words) ret = CL_CLEAN;
|
|
432
|
+ if (words < 3) ret = CL_CLEAN;
|
433
|
433
|
cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);
|
434
|
434
|
if (ret == CL_VIRUS) {
|
435
|
435
|
stats->suspicious += j;
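Review bot: The new gate `if (words < 3) ret = CL_CLEAN;` at line 432 adds a second bare threshold next to the retuned J48 cut-offs (961, 1006, 6, 10) in swizz_j48, and no comment says what either set of numbers means or how it was arrived at, so a later maintainer cannot tell a measured cut-off from an arbitrary one. I would name the count and give it a why-comment, e.g. `#define SWIZZ_MIN_WORDS 3 /* fewer words than this gives too few n-grams to classify */` and `if (words < SWIZZ_MIN_WORDS) ret = CL_CLEAN;`, and extend the `rules based on J48 tree` comment to state that n[] holds n-gram class fractions scaled to 1024 (as `(v<<10)/all` at line 429 shows) and which sample set the tree was fitted on. Because the gate runs after swizz_j48 has already been called, the `swizz_j48:` debug line is still emitted for inputs that are then discarded; checking the word count before the call would avoid the misleading log and the wasted classification, assuming nothing else relies on ngram_cnts being filled for short inputs. Retuning a detection heuristic this way also narrows what gets flagged (an input keeping n[2] at zero or n[0] at or below 961 now passes), so the commit message should record the false-positive samples that motivated the change. cli_detect_swizz_str begins and ends outside the hunk, so the definition of `all` and whether it can be zero at line 429 is not visible here.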
|