Bugzilla – Bug 776
Extend ac-matcher to handle single bytes preceded by valid sigs
Last modified: 2022-02-03 19:16:11 EST
as discussed
Some important information on the new feature:
* two bytes can be anchored to a single sub-signature, one following and one preceding the sig;
* the distance between a sig and its anchored bytes must always be specified as [a-b], where a <= b and the max value for b is 32;
* all offsets (including {n} between sub-sigs) are calculated against the host sub-signatures and not the extending bytes (see the attached example);
* the format is not backward compatible and each .ndb signature which uses this extension must be followed by ":27", which will only load it on engines with flevel >= 27
(In reply to comment #1)
> Some important information on the new feature:
* nibbles are supported
Created attachment 565: test data
Created attachment 566: test sig
The required f-level for these sigs should now be 32.
Comment on attachment 565 (test data):

daaaaaaaaddbbbbbcce
In your attachment:

testsig:7:5:64[4-4]61616161{2}6262[3-6]65:27

test data (HexSIG) 64616161616161616164646262626262636365 matches testsig.

My question is:
does HexSIG "64676767676161616164646262626262636365" match?
does HexSIG "64616161616161616169696262626262636365" match?
In regard to the question posed in comment #7: the short answer is that both of the HexSIGs "64676767676161616164646262626262636365" and "64616161616161616169696262626262636365" match.

This is because "HEXSIG[x-y]aa" and "aa[x-y]HEXSIG" are a variant of ClamAV wildcards which optimizes the search for a byte [aa] and a hex signature [HEXSIG] with x to y bytes in between the byte and the hex signature. In the testsig, there are two examples of this wildcard variant:

---- 64[4-4]61616161 ----
*** search for the byte "64" followed by the hex sequence "61616161" with exactly 4 arbitrary bytes in between.

---- 6262[3-6]65 ----
*** search for the hex sequence "6262" followed by the byte "65" with 3 to 6 arbitrary bytes in between.

(Note that the "{2}" in between is another wildcard variant meaning to match 2 arbitrary bytes.)

Thus the signature matches:
64[67676767]616161616{4646}2626[262626363]65
64[61616161]616161616{9696}2626[262626363]65

In both cases the [3-6] matches 4 arbitrary bytes.
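The matching rules spelled out in comment #1 and worked through in comment #8 (a single byte anchored to a host sub-signature at an [a-b] distance with b <= 32, {n} counted between host sub-signatures, and the ":27" f-level gate on the .ndb line), as an added Python example. This is not ClamAV's ac-matcher: it is a plain backtracking matcher over the tokenised sig body, written here to make the semantics checkable. Assumed: the .ndb field layout Name:Target:Offset:HexBody[:MinFL], ClamAV's "?" as the nibble wildcard (comment #2 says nibbles are supported), and the test sig and test data taken from attachments 565/566 and constructed here as constants.

```python
import re

# Constructed from the bug's attachments: sig line (566) and "daaaaaaaaddbbbbbcce" as hex (565).
TEST_SIG_BODY = "64[4-4]61616161{2}6262[3-6]65"
TEST_SIG_LINE = "testsig:7:5:" + TEST_SIG_BODY + ":27"
TEST_DATA_HEX = "64616161616161616164646262626262636365"

MAX_ANCHOR_DISTANCE = 32  # upper bound for b in [a-b], per comment #1

# Tokens of a sig body: hex run (with optional '?' nibbles), [a-b] anchor distance, {n} gap.
_TOKEN_RE = re.compile(r"([0-9a-fA-F?]+)|\[(\d+)-(\d+)\]|\{(\d+)\}")


def load_ndb(line, engine_flevel):
    """Return (name, body) for an .ndb line, or None if the engine's f-level is too low.

    Assumed layout: Name:Target:Offset:HexBody[:MinFL[:MaxFL]]. A sig ending in ":27"
    is therefore skipped on engines with flevel < 27, which is how the new syntax is gated.
    """
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("malformed .ndb line")
    min_fl = int(fields[4]) if len(fields) > 4 else 0
    if engine_flevel < min_fl:
        return None
    return fields[0], fields[3]


def _hex_token(text):
    """Turn '6?62' into [(value, mask), ...]; a '?' nibble gets a zero mask bit-field."""
    if len(text) % 2:
        raise ValueError(f"odd nibble count in {text!r}")
    out = []
    for hi, lo in zip(text[::2], text[1::2]):
        val = mask = 0
        for shift, ch in ((4, hi), (0, lo)):
            if ch != "?":
                val |= int(ch, 16) << shift
                mask |= 0xF << shift
        out.append((val, mask))
    return out


def parse_body(body):
    """Tokenise a sig body and enforce the [a-b] rules from comment #1."""
    tokens, pos = [], 0
    while pos < len(body):
        m = _TOKEN_RE.match(body, pos)
        if not m:
            raise ValueError(f"unparseable sig at offset {pos}: {body[pos:]!r}")
        if m.group(1):
            tokens.append(("hex", _hex_token(m.group(1))))
        elif m.group(2):
            a, b = int(m.group(2)), int(m.group(3))
            if a > b or b > MAX_ANCHOR_DISTANCE:
                raise ValueError(f"bad anchored-byte distance [{a}-{b}]")
            tokens.append(("range", a, b))
        else:
            tokens.append(("fixed", int(m.group(4))))
        pos = m.end()
    # Every [a-b] must sit between a host sub-signature and exactly one anchored byte.
    for i, tok in enumerate(tokens):
        if tok[0] != "range":
            continue
        if i == 0 or i == len(tokens) - 1:
            raise ValueError("[a-b] needs a sub-signature on one side and a byte on the other")
        left, right = tokens[i - 1], tokens[i + 1]
        if left[0] != "hex" or right[0] != "hex" or 1 not in (len(left[1]), len(right[1])):
            raise ValueError("[a-b] must anchor exactly one byte to a sub-signature")
    return tokens


def body_is_valid(body):
    """True if parse_body() accepts the sig body."""
    try:
        parse_body(body)
        return True
    except ValueError:
        return False


def _match_from(tokens, data, i, off, gaps):
    """Backtracking matcher; records the distance chosen for each [a-b] in `gaps`."""
    if i == len(tokens):
        return True
    kind = tokens[i][0]
    if kind == "hex":
        pairs = tokens[i][1]
        if off + len(pairs) > len(data):
            return False
        if any((data[off + k] & mask) != val for k, (val, mask) in enumerate(pairs)):
            return False
        return _match_from(tokens, data, i + 1, off + len(pairs), gaps)
    if kind == "fixed":  # {n}: exactly n bytes, measured between the two host sub-signatures
        n = tokens[i][1]
        return off + n <= len(data) and _match_from(tokens, data, i + 1, off + n, gaps)
    a, b = tokens[i][1], tokens[i][2]  # [a-b]: a..b bytes between host and anchored byte
    for gap in range(a, b + 1):
        if off + gap > len(data):
            break
        gaps.append(gap)
        if _match_from(tokens, data, i + 1, off + gap, gaps):
            return True
        gaps.pop()
    return False


def find_sig(body, data):
    """Return (start_offset, [gap per [a-b]]) for the first match of body in data, else None."""
    tokens = parse_body(body)
    for start in range(len(data) + 1):
        gaps = []
        if _match_from(tokens, data, 0, start, gaps):
            return start, gaps
    return None


if __name__ == "__main__":
    print("flevel 26 loads:", load_ndb(TEST_SIG_LINE, 26))  # None: old engine skips the sig
    name, body = load_ndb(TEST_SIG_LINE, 27)
    for hexdata in (TEST_DATA_HEX,
                    "64676767676161616164646262626262636365",
                    "64616161616161616169696262626262636365"):
        print(name, hexdata, find_sig(body, bytes.fromhex(hexdata)))
```

The returned gap list makes the offset rule visible: the [4-4] distance is counted from the lone "64" to the host "61616161", the {2} from "61616161" to "6262", and the [3-6] distance from the host "6262" to the anchored "65", never from the extending bytes. Swapping the anchored byte for a nibble wildcard such as "6?" shows the smallest admissible distance being taken first.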