clamav icon indicating copy to clipboard operation
clamav copied to clipboard

Published 20 hours ago verified publisher icon Cisco-Talos

sigtool --decode-sigs output formatting.

Open GWHAYWOOD opened this issue 4 years ago • 2 comments

When using 'sigtoool --decode-sigs' sigtool gets the presentation of the decoded signatures all round its neck. The 'M' from "Mime-Version" gets replaced (as do other characters in the expanded translation) by a newline and a pipe character (instead of having them prepended to make the text more readable e.g. on a terminal).

Similarly the sixth occurrence of {WILDCARD_IGNORE} below is displayed as "{WILDCARD_|GNORE}", here replacing upper case 'I' instead of prepending newline+pipe characters to the entire string.

8<--------------------------------------------------------------------------------------------------------------------------------------------------------- $ sigtool --find-sigs Sanesecurity.Spam.ldb.1 [spam.ldb] Sanesecurity.Spam.ldb.1;Target:0;(0&1=0&2=0&3=0);4D696D652D56657273696F6E3A20312E30*436F6E74656E742D547970653A20746578742F68746D6C3B(0D|0A)*687474703A2F2F{-50}2f????????????2f??????????2E68746D6C(0d|0a|22);582D4D61696C65723A;557365722D4167656E743A;4C6973742D556E737562736372696265 8<--------------------------------------------------------------------------------------------------------------------------------------------------------- $ sigtool --find-sigs Sanesecurity.Spam.ldb.1 | sigtool --decode-sigs VIRUS NAME: Sanesecurity.Spam.ldb.1 TDB: Target:0 LOGICAL EXPRESSION: (0&1=0&2=0&3=0)

  • SUBSIG ID 0 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: |ime-Version: 1.0{WILDCARD_ANY_STRING}Content-Type: text/html;{STRING_ALTERNATIVE: }{WILDCARD_ANY_STRING}http://{WILDCARD_ANY_STRING(LENGTH<=50)}/{WILDCARD_IGNORE}{WILDCARD_IGNORE}{WILDCARD_IGNORE}{WILDCARD_IGNORE}{WILDCARD_IGNORE}{WILDCARD_|GNORE}/{WILDCARD_IGNORE}{WILDCARD_IGNORE}{WILDCARD_IGNORE}{WILDCARD_IGNORE}{WILDCARD_IGNORE}.html{STRING_ALTERNATIVE: |"}
  • SUBSIG ID 1 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: X-Mailer:
  • SUBSIG ID 2 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: User-Agent:
  • SUBSIG ID 3 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: List-Unsubscribe 8<--------------------------------------------------------------------------------------------------------------------------------------------------------- Pasting output using this UI is a real pain and drag-n-drop doesn't work at all, so no clamconf -n, sorry. I'll mail it if you want it. Ged.

GWHAYWOOD avatar Nov 28 '21 14:11 GWHAYWOOD

I see that githuck has decided to HTMLify everythign I pasted so it's probably unintelligible now. Again, you can have the real text in an email if you want it.

GWHAYWOOD avatar Nov 28 '21 14:11 GWHAYWOOD

I happened to be investigating this exact rule today, and was wondering about the |'s myself. The cause of the strange output is that the signature has a sequence (0D|0A) (alternative of CR or LF). Decode-sigs is just emitting CR and LFs in decoded rule output. The CR in particular is causing the | to appear at the beginning of the line. I think a good solution to this would be for decode-sigs to have an entity/escape syntax for whitespace characters

cg2v avatar Mar 08 '24 19:03 cg2v