
Mailing List Archive: ClamAV: users

signature too short

 

 



dehaenp at drever

Jul 26, 2012, 5:22 AM

Post #1 of 3
signature too short

Hi,

What does it mean when a signature you add is said to be too short? The error is:

LibClamAV Error: cli_ac_addsig: Signature for Sanesecurity.Pierre.35 is too short
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: Problem parsing database at line 35
LibClamAV Error: Can't load /tmp/pierre.ndb: Malformed database
ERROR: Malformed database

In the source code I found:

    if(strlen(hexsig) / 2 < root->ac_mindepth) {
        cli_errmsg("cli_ac_addsig: Signature for %s is too short\n", virname);
        return CL_EMALFDB;
    }

That happens to me now and then but I already successfully added shorter signatures into
the ndb file. Is it the signature that is too short, or is it a string of it, or is it related to other
signatures?

The signature I am trying to add is:
Vigra{-20}$*http://{-20}doctor.ru
but this does not work either:
Vigra*http://{-20}doctor.ru

Thanks for any advice,
Pierre

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


lexx.pt at gmail

Jul 26, 2012, 6:05 AM

Post #2 of 3
Re: signature too short

Are you trying to add those exact strings?

Signatures in ClamAV are in hexadecimal format. The strings that you are
trying to add are composed of characters instead.

So instead of having for example "Vigra", what you need is "5669677261",
which is the hexadecimal representation of "Vigra".

Your first signature only has one character ("$") between the "{-20}" and
"*" wildcards. If I'm not mistaken, you need at least two characters
between wildcards.

I'm not sure about your second signature.

Regards,

-Alexandre Dias

2012/7/26 Pierre Dehaen <dehaenp [at] drever>

> Hi,
>
> What does it mean when a signature you add is said to be too short? The
> error is:
>
> LibClamAV Error: cli_ac_addsig: Signature for Sanesecurity.Pierre.35 is too short
> LibClamAV Error: cli_parse_add(): Problem adding signature (1).
> LibClamAV Error: Problem parsing database at line 35
> LibClamAV Error: Can't load /tmp/pierre.ndb: Malformed database
> ERROR: Malformed database
>
> In the source code I found:
>
>     if(strlen(hexsig) / 2 < root->ac_mindepth) {
>         cli_errmsg("cli_ac_addsig: Signature for %s is too short\n", virname);
>         return CL_EMALFDB;
>     }
>
> That happens to me now and then but I already successfully added shorter
> signatures into the ndb file. Is it the signature that is too short, or is
> it a string of it, or is it related to other signatures?
>
> The signature I am trying to add is:
> Vigra{-20}$*http://{-20}doctor.ru
> but this does not work either:
> Vigra*http://{-20}doctor.ru
>
> Thanks for any advice,
> Pierre


dehaenp at drever

Jul 26, 2012, 6:51 AM

Post #3 of 3
Re: signature too short

On 26 Jul 2012 at 14:05, Alexandre Dias wrote:

> Are you trying to add those exact strings?
>
> Signatures in ClamAV are in hexadecimal format. The strings that you are
> trying to add are composed of characters instead.
>
> So instead of having for example "Vigra", what you need is "5669677261",
> which is the hexadecimal representation of "Vigra".

Thank you Alexandre, but I know that and my script does the transcoding. The second
signature is for instance coded as:
Sanesecurity.Pierre.35:0:*:566967726120*687474703a2f2f{-20}646f63746f722e7275

sigtool --decode-sig <file.ndb says:
VIRUS NAME: Sanesecurity.Pierre.35
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
Vigra {WILDCARD_ANY_STRING}http://{WILDCARD_ANY_STRING(LENGTH<=20)}doctor.ru

> Your first signature only has one character ("$") between the "{-20}" and
> "*" wildcards. If I'm not mistaken, you need at least two characters
> between wildcards.

I have not seen this limitation in the "Creating signatures for ClamAV" document I found on
the Internet but I think I already experienced problems with 1 character between wildcards,
indeed.

> I'm not sure about your second signature.

Generally when I have such a "too short" problem I change the signature a little bit until
something works, but here I wanted to finally understand my problem. And I think I'm
progressing: while decoding the signatures with sigtool, I discovered that the signature
following the reported one is erroneous (Decoding failed)! It seems the error message is
somewhat misleading...

[update] If I remove the signatures following signature 35, it works. Then I fixed the error in
the signature 36 and the error re-appeared. Signature 36 (the last one) looks like:
VIRUS NAME: Sanesecurity.Pierre.36
TARGET TYPE: ANY FILE
OFFSET: EOF-80
DECODED SIGNATURE:
{WILDCARD_ANY_STRING}{LINE_MARKER_LEFT}http://{WILDCARD_ANY_STRING(LENGTH<=20)}.html
{WILDCARD_ANY_STRING(LENGTH>=20&&<=40)}{LINE_MARKER_RIGHT}

The signature looks strange but it is an attempt to catch emails made of (only) one small line of text
ending with a url.

If someone has a definitive answer on the "too short" message...

Thanks,
Pierre
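
Added example, not part of the thread and not ClamAV's own code: a small Python check that encodes a text pattern to an .ndb hex body and then tests every static run between `*` and `{...}` wildcards on each line separately. It assumes the 2-byte minimum suggested in Alexandre's reply (the real limit is `root->ac_mindepth`), covers only plain hex with those two wildcard forms, and all function names and the second sample line are constructed for illustration.

```python
import re

# Assumption: 2-byte minimum per static run, as suggested in the reply above;
# the real limit is whatever root->ac_mindepth is in the ClamAV build in use.
MIN_STATIC_BYTES = 2
WILDCARD = re.compile(r"\*|\{[0-9-]*\}")   # only * and {n}, {-n}, {n-}, {n-m}
PLAIN_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")

def to_hexsig(pattern):
    """Hex-encode the literal text of a pattern, leaving * and {..} untouched."""
    parts = re.split(r"(\*|\{[0-9-]*\})", pattern)
    return "".join(p if WILDCARD.fullmatch(p) else p.encode("latin-1").hex()
                   for p in parts)

def check_ndb_line(line, min_bytes=MIN_STATIC_BYTES):
    """Return a list of problems for one Name:Target:Offset:HexSig line."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        return ["expected Name:Target:Offset:HexSig"]
    name, hexsig = fields[0], fields[3]
    problems = []
    for frag in WILDCARD.split(hexsig):
        if not frag:                      # nothing between two wildcards
            continue
        if not PLAIN_HEX.fullmatch(frag):
            problems.append(f"{name}: {frag!r} is not plain hex (not covered here)")
        elif len(frag) // 2 < min_bytes:
            problems.append(f"{name}: static run {frag!r} is only "
                            f"{len(frag) // 2} byte(s), minimum {min_bytes}")
    return problems

def lint_ndb(text):
    """Map 1-based line number -> problems, for lines that have any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and (found := check_ndb_line(line)):
            report[n] = found
    return report

# Line 1 is the encoded signature quoted in the thread; line 2 is constructed
# here by encoding the first pattern from the thread under a made-up name.
SAMPLE = "\n".join([
    "Sanesecurity.Pierre.35:0:*:566967726120*687474703a2f2f{-20}646f63746f722e7275",
    "Constructed.Sample.1:0:*:" + to_hexsig("Vigra{-20}$*http://{-20}doctor.ru"),
])

if __name__ == "__main__":
    for n, found in lint_ndb(SAMPLE).items():
        print(n, found)
```

Because each line is judged on its own, the report names the line whose static run is short rather than the line number at which the loader stopped.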

