Open GWHAYWOOD opened 2 years ago
I see that githuck has decided to HTMLify everything I pasted so it's probably unintelligible now. Again, you can have the real text in an email if you want it.
I happened to be investigating this exact rule today, and was wondering about the |'s myself. The cause of the strange output is that the signature has a sequence (0D|0A) (alternative of CR or LF).
Decode-sigs is just emitting CRs and LFs in the decoded rule output. The CR in particular is causing the | to appear at the beginning of the line. I think a good solution to this would be for decode-sigs to have an entity/escape syntax for whitespace characters.
When using 'sigtool --decode-sigs', sigtool gets the presentation of the decoded signatures all round its neck. The 'M' from "Mime-Version" gets replaced (as do other characters in the expanded translation) by a newline and a pipe character (instead of having them prepended to make the text more readable, e.g. on a terminal).
Similarly the sixth occurrence of {WILDCARDIGNORE} below is displayed as "{WILDCARD|GNORE}", here replacing upper case 'I' instead of prepending newline+pipe characters to the entire string.
8<------------------------------------------------------------
$ sigtool --find-sigs Sanesecurity.Spam.ldb.1
[spam.ldb]
Sanesecurity.Spam.ldb.1;Target:0;(0&1=0&2=0&3=0);4D696D652D56657273696F6E3A20312E30436F6E74656E742D547970653A20746578742F68746D6C3B(0D|0A)687474703A2F2F{-50}2f????????????2f??????????2E68746D6C(0d|0a|22);582D4D61696C65723A;557365722D4167656E743A;4C6973742D556E737562736372696265
8<------------------------------------------------------------
$ sigtool --find-sigs Sanesecurity.Spam.ldb.1 | sigtool --decode-sigs
VIRUS NAME: Sanesecurity.Spam.ldb.1
TDB: Target:0
LOGICAL EXPRESSION: (0&1=0&2=0&3=0)
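As an added example (not sigtool's code, and not from any participant in this thread), the decoder below takes the Sanesecurity.Spam.ldb.1 line quoted above and renders it the way the comment about an escape syntax proposes: every subsignature byte that is not a printable, non-syntax character comes out as `\xNN`, so the `(0D|0A)` alternative is displayed as `(\x0d|\x0a)` and no raw CR or LF ever reaches the terminal. A second, "raw" mode writes CR/LF/TAB bytes out as-is, which is my reading of the behaviour the thread describes and is an assumption about sigtool, not a copy of its logic. Only the constructs this signature uses (hex bytes, `(aa|bb)` alternatives, `??` wildcards, `{n-m}` gaps and `*`) are parsed; offsets, `::` modifiers and `!` negation are left out.

```python
"""Decode a ClamAV .ldb logical signature into readable text.

Added example, not sigtool's code. It implements the escape syntax proposed
in the thread: control bytes such as CR/LF are rendered as \\xNN instead of
being emitted raw, so a decoded line can never start with a stray '|'.
Only the subsignature constructs used by Sanesecurity.Spam.ldb.1 are
handled: plain hex, (aa|bb) alternatives, ?? wildcards, {n-m} gaps and '*'.
Offsets, '::' modifiers and '!' negation are not parsed (assumption).
"""
import re

# Characters that carry meaning in the decoded form; escape them when they
# occur as literal bytes so the output stays unambiguous.
SYNTAX_CHARS = set("(){}|*?\\")

# One token per match: an alternative group, a {gap}, a '*', or a hex run.
TOKEN_RE = re.compile(r"\(([^)]*)\)|(\{[^}]*\})|(\*)|([0-9A-Fa-f?]+)")

# The signature quoted in the issue (output of sigtool --find-sigs).
SIGNATURE = (
    "Sanesecurity.Spam.ldb.1;Target:0;(0&1=0&2=0&3=0);"
    "4D696D652D56657273696F6E3A20312E30436F6E74656E742D547970653A20746578742F68746D6C3B"
    "(0D|0A)687474703A2F2F{-50}2f????????????2f??????????2E68746D6C(0d|0a|22);"
    "582D4D61696C65723A;557365722D4167656E743A;4C6973742D556E737562736372696265"
)


def render_byte(b: int, escape: bool) -> str:
    """Render one signature byte for display."""
    ch = chr(b)
    if escape:
        # Proposed behaviour: printable, non-syntax bytes go out verbatim,
        # syntax characters get a backslash, everything else becomes \xNN.
        if ch in SYNTAX_CHARS:
            return "\\" + ch
        if 0x20 <= b < 0x7F:
            return ch
        return "\\x%02x" % b
    # "Raw" behaviour as described in the thread (assumption about sigtool):
    # printable bytes and CR/LF/TAB are written as-is, which is what lets a
    # CR reach the terminal and drag the following '|' to column 0.
    if 0x20 <= b < 0x7F or ch in "\r\n\t":
        return ch
    return "\\x%02x" % b


def decode_hex_run(hexrun: str, escape: bool) -> str:
    """Decode a run of hex byte pairs; '??' is a whole-byte wildcard."""
    if len(hexrun) % 2:
        raise ValueError("odd-length hex run: %r" % hexrun)
    out = []
    for i in range(0, len(hexrun), 2):
        pair = hexrun[i:i + 2]
        if "?" in pair:
            # '??' matches any byte; '4?' / '?4' match a single nibble.
            out.append("?" if pair == "??" else "[%s]" % pair)
        else:
            out.append(render_byte(int(pair, 16), escape))
    return "".join(out)


def decode_subsig(body: str, escape: bool = True) -> str:
    """Decode one subsignature body, keeping wildcard syntax intact."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(body):
        if m.start() != pos:
            raise ValueError("unparsed text %r at offset %d" % (body[pos:m.start()], pos))
        pos = m.end()
        alt, gap, star, hexrun = m.groups()
        if alt is not None:
            # (aa|bb): decode each branch, keep the grouping visible.
            out.append("(" + "|".join(decode_hex_run(a, escape) for a in alt.split("|")) + ")")
        elif gap is not None or star is not None:
            out.append(gap or star)
        else:
            out.append(decode_hex_run(hexrun, escape))
    if pos != len(body):
        raise ValueError("unparsed trailing text %r" % body[pos:])
    return "".join(out)


def decode_ldb(line: str, escape: bool = True) -> dict:
    """Split an .ldb line into name, target, logical expression and decoded subsigs."""
    name, target, logic, *subsigs = line.strip().split(";")
    return {
        "name": name,
        "target": target,
        "logic": logic,
        "subsigs": [decode_subsig(s, escape) for s in subsigs],
    }


if __name__ == "__main__":
    sig = decode_ldb(SIGNATURE)
    print("VIRUS NAME:", sig["name"])
    print("TDB:", sig["target"])
    print("LOGICAL EXPRESSION:", sig["logic"])
    for n, s in enumerate(sig["subsigs"]):
        print(" * SUBSIG ID %d: %s" % (n, s))
```

Running it prints subsig 0 on one line as `Mime-Version: 1.0Content-Type: text/html;(\x0d|\x0a)http://{-50}/??????/?????.html(\x0d|\x0a|")`; with `decode_ldb(SIGNATURE, escape=False)` the same field carries a literal CR and LF inside the parentheses, which is exactly the byte sequence that makes a terminal show the stray `|` at the start of a line. The output layout here is this example's own, not sigtool's.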