Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: ClamAV: devel

Question about wildcards ?? and {n} in signatures

  

 
ClamAV devel RSS feed   Index | Next | Previous | View Threaded


lexx.pt at gmail

Mar 6, 2012, 4:21 PM

Post #1 of 3 (520 views)
Permalink
Question about wildcards ?? and {n} in signatures
Hello,

I am doing my Msc thesis work in pattern matching, and I am using
ClamAV's signature database.

I've got a question about two specific wildcards that are stated in
the signatures.pdf file (titled "Creating Signatures for ClamAV").

According to the document, the wildcard "{n}" states that n bytes can
be matched. Also, the wildcard "??" states that any one byte can be
matched. I have found some "{1}" wildcards in the database. I assume
that by saying "match n bytes", the meaning is that we can match any n
bytes. If that is the case, what is the difference between "??" and
"{1}" ? Or am I wrong, and {n} means "match the previous byte, n
times"?

Thank you for your time.

Best regards,

-Alexandre Dias
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


tkojm at clamav

Mar 6, 2012, 4:46 PM

Post #2 of 3 (485 views)
Permalink
Re: Question about wildcards ?? and {n} in signatures [In reply to]
On Wed Mar 07 2012 01:21:25 GMT+0100 (CET)
Alexandre Dias <lexx.pt [at] gmail> wrote:
> Hello,
>
> I am doing my Msc thesis work in pattern matching, and I am using
> ClamAV's signature database.
>
> I've got a question about two specific wildcards that are stated in
> the signatures.pdf file (titled "Creating Signatures for ClamAV").
>
> According to the document, the wildcard "{n}" states that n bytes can
> be matched. Also, the wildcard "??" states that any one byte can be
> matched. I have found some "{1}" wildcards in the database. I assume
> that by saying "match n bytes", the meaning is that we can match any n
> bytes. If that is the case, what is the difference between "??" and
> "{1}" ?

There's no difference, ClamAV translates "{1}" into "??".

-TK
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


lexx.pt at gmail

Mar 6, 2012, 4:52 PM

Post #3 of 3 (488 views)
Permalink
Re: Question about wildcards ?? and {n} in signatures [In reply to]
2012/3/7 Tomasz Kojm <tkojm [at] clamav>:
> On Wed Mar 07 2012 01:21:25 GMT+0100 (CET)
> Alexandre Dias <lexx.pt [at] gmail> wrote:
>> Hello,
>>
>> I am doing my Msc thesis work in pattern matching, and I am using
>> ClamAV's signature database.
>>
>> I've got a question about two specific wildcards that are stated in
>> the signatures.pdf file (titled "Creating Signatures for ClamAV").
>>
>> According to the document, the wildcard "{n}" states that n bytes can
>> be matched. Also, the wildcard "??" states that any one byte can be
>> matched. I have found some "{1}" wildcards in the database. I assume
>> that by saying "match n bytes", the meaning is that we can match any n
>> bytes. If that is the case, what is the difference between "??" and
>> "{1}" ?
>
> There's no difference, ClamAV translates "{1}" into "??".
>
> -TK

Thank you.

-Alexandre Dias
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

ClamAV devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.