Bug 776 - Extend ac-matcher to handle single bytes preceded by valid sigs
Status: RESOLVED FIXED
Product: ClamAV
Classification: ClamAV
Component: libclamav
Version: stable
Hardware: All
OS: All
Importance: P3 enhancement
Target Milestone: 0.93
Assigned To: Tomasz Kojm
Depends on:
Blocks:
Reported: 2008-01-16 17:56 EST by Tomasz Kojm
Modified: 2022-02-03 19:16 EST (History)


Attachments:

* test data (20 bytes, application/octet-stream), 2008-02-06 13:04 EST, Tomasz Kojm

* test sig (45 bytes, text/plain), 2008-02-06 13:05 EST, Tomasz Kojm

Description Tomasz Kojm 2008-01-16 17:56:26 EST
as discussed
Comment 1 Tomasz Kojm 2008-02-06 12:48:02 EST
Some important information on the new feature:

* two bytes can be anchored to a single sub-signature, one following and one preceding the sig;

* the distance between a sig and its anchored bytes must always be specified as [a-b], where a <= b and the max value for b is 32;

* all offsets (including {n} between sub-sigs) are calculated against the host sub-signatures and not the extending bytes (see the attached example);

* the format is not backward compatible, and each .ndb signature which uses this extension must be followed by ":27", which will only load it on engines with flevel >= 27
Comment 2 Tomasz Kojm 2008-02-06 13:01:14 EST
(In reply to comment #1)
> Some important information on the new feature:

* nibbles are supported
Comment 3 Tomasz Kojm 2008-02-06 13:04:51 EST
Created attachment 565 [details]
test data
Comment 4 Tomasz Kojm 2008-02-06 13:05:17 EST
Created attachment 566 [details]
test sig
Comment 5 Tomasz Kojm 2008-06-13 13:16:55 EDT
required f-level for these sigs should be now 32
Comment 6 chuatehugodh 2014-06-17 21:48:25 EDT
Comment on attachment 565 [details]
test data

daaaaaaaaddbbbbbcce
Comment 7 KenDy 2014-12-04 02:28:22 EST
In your attachment:

testsig:7:5:64[4-4]61616161{2}6262[3-6]65:27

test data (HexSIG): 64616161616161616164646262626262636365 matches testsig

My question is:
Does HexSIG "64676767676161616164646262626262636365" match?
Does HexSIG "64616161616161616169696262626262636365" match?
Comment 8 Kevin Lin 2014-12-08 12:37:45 EST
Regarding the question posed in comment #7: the short answer is that both HexSIGs, "64676767676161616164646262626262636365" and "64616161616161616169696262626262636365", match. This is because "HEXSIG[x-y]aa" and "aa[x-y]HEXSIG" are a variant of ClamAV wildcards which optimizes the search for a byte [aa] and a hex signature [HEXSIG] with x to y bytes in between the byte and the hex signature.

In the testsig, there are two examples of this wildcard variant:
----
64[4-4]61616161
----
***search for the byte "64" followed by the hex sequence "61616161" with exactly 4 arbitrary bytes in between.
----
6262[3-6]65
----
***search for the hex sequence "6262" followed by the byte "65" with 3 to 6 arbitrary bytes in between.

(Note that the "{2}" in between is another wildcard variant meaning to match 2 arbitrary bytes.)

Thus the signature matches:
64[67676767]616161616{4646}2626[262626363]65
64[61616161]616161616{9696}2626[262626363]65

In both cases the [3-6] matches 4 arbitrary bytes.
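As an added example (not ClamAV's own matcher and not code from this thread), a small Python matcher for the subset of .ndb syntax used in this bug. It applies the rules from comment 1 (a byte anchored to a sub-signature with `[a-b]`, `a <= b <= 32`, offsets counted from the host sub-signature rather than the anchored byte) to the attached test data and to the two HexSIGs asked about in comment 7. The pattern-to-regex translation, the `host` group and the embedded sample inputs are constructed here.

```python
import re

# Constructed from this thread: the attached test signature (as quoted in
# comment 7) and the three hex strings discussed in comments 7 and 8.
TEST_SIG = "testsig:7:5:64[4-4]61616161{2}6262[3-6]65:27"
SAMPLES = {"attached": "64616161616161616164646262626262636365",
           "variant_a": "64676767676161616164646262626262636365",
           "variant_b": "64616161616161616169696262626262636365"}
TOKEN = re.compile(r"\{(\d+)\}|\[(\d+)-(\d+)\]|([0-9a-fA-F]{2})")

def compile_sig(hexsig):
    """Turn the hex body (aa, {n}, [a-b]) into a bytes regex. Group 'host'
    starts at the host sub-signature: a leading 'aa[a-b]' is a single byte
    anchored BEFORE it and does not count for offsets (comment 1, bullet 3)."""
    host_at = 2 if re.match(r"[0-9a-fA-F]{2}\[", hexsig) else 0
    parts, pos = [], 0
    for i, m in enumerate(TOKEN.finditer(hexsig)):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax near {hexsig[pos:]!r}")
        pos = m.end()
        if i == host_at:
            parts.append(b"(?P<host>")
        if m.group(1):                      # {n}: exactly n arbitrary bytes
            parts.append(b".{%d}" % int(m.group(1)))
        elif m.group(2):                    # [a-b]: a..b bytes to the anchored byte
            lo, hi = int(m.group(2)), int(m.group(3))
            if not lo <= hi <= 32:          # comment 1: a <= b, b at most 32
                raise ValueError(f"bad anchored-byte distance [{lo}-{hi}]")
            parts.append(b".{%d,%d}" % (lo, hi))
        else:                               # aa: one literal byte
            parts.append(re.escape(bytes.fromhex(m.group(4))))
    if pos != len(hexsig) or len(parts) <= host_at:
        raise ValueError("empty signature or trailing garbage")
    return re.compile(b"".join(parts) + b")", re.DOTALL)

def ndb_matches(line, data, engine_flevel=32):
    """Apply one .ndb line (Name:Target:Offset:Hex[:MinFL]) to data. The Offset
    field is compared with where the host sub-signature starts; '*' = anywhere."""
    _name, _target, offset, hexsig, *fl = line.strip().split(":")
    if fl and int(fl[0]) > engine_flevel:
        return False  # an older engine would not load this signature (comments 1, 5)
    rx = compile_sig(hexsig)
    for start in range(len(data)):
        m = rx.match(data, start)
        if m and (offset == "*" or m.start("host") == int(offset)):
            return True
    return False
```

With the test signature's offset field of 5, the host sub-signature 61616161 must begin at byte 5 of the data, which is exactly where it lands once the anchored 64 and its four-byte gap are excluded; prefixing the data with one extra byte makes the same signature fail unless the offset is `*`.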