
Re: how to get rid of the MD5 in .ndb sig files

by rayeaster

Hi Edwin, thank you very very much~ your answer saved me a lot of time and energy~
Really appreciate your help.
But I got a bit confused by a phenomenon:
 In ClamAV .ndb sigs, the common prefixes between different sigs are quite few and short, or say, any two sigs have very few identical symbols (maybe in hex format) if you start to compare them from the beginning to the end. However, in SNORT, the sigs abstracted from its "CONTENT" part, which is similar to ClamAV sigs to some extent because both mainly concern pure string filtering without complex regular expressions, have relatively much more common shared prefix than ClamAV.
 Is there any intrinsic philosophy hidden behind this, or is it just my false guessing?

thanks~


Török Edwin wrote:
On 2009-07-01 06:32, rayeaster wrote:
> hi, everyone,
>
>  I am doing some kind of research on string matching right now and I was trying
> to
> use ClamAV-signatures(daily.ndb and main.ndb, obtained by sigtool) as a
> simulation source.
> but I do not know how to retrieve the original signatures which are
> encrypted with MD5 in a file format: ndb, right?

Wrong, signatures in .ndb files are simple hex signatures; they are not
encrypted in any way ;)
See signatures.pdf for details.

>  so if I wanna turn
> those encrypted sigs back, or say decrypt them, what exactly can I do?
>  

You can't "decrypt" MD5, at most you can obtain a collision (a file with
same MD5) but
that requires a huge amount of computing resources, and time.
Fortunately you don't have to, MD5 signatures are in .hdb and .mdb files.

If all you need is to understand .ndb files, then you simply need to
read in hexadecimal.

> Thank you very much~
> Really really appreciate your help~
>
> P.S.,
> some examples of .ndb rule:
> Trojan.Packed-6:1:EP+0:807c2408015690eb
> Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f
>  
For example Email.Phishing.RB-1738 begins with http://www

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
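To make Edwin's point concrete, here is a small added example (not ClamAV's own code, and not from either poster) that parses the two .ndb lines quoted above and decodes the hex body so you can read it as bytes. The `MalwareName:TargetType:Offset:HexSignature` field layout and the target-type table follow the ClamAV signature documentation; the sample lines are the ones from this thread.

```python
from dataclasses import dataclass

# Constructed input: the two .ndb lines quoted earlier in this thread.
SAMPLE_NDB = """\
Trojan.Packed-6:1:EP+0:807c2408015690eb
Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f
"""

# Target types from the ClamAV signature docs (0 = any file, 1 = PE, 4 = mail, ...).
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "mail",
                5: "graphics", 6: "ELF", 7: "ASCII normalized"}


@dataclass
class NdbSig:
    name: str
    target_type: int
    offset: str        # e.g. "*" (anywhere) or "EP+0" (at the entry point)
    hex_sig: str       # the hex body exactly as written in the file

    def target_name(self) -> str:
        return TARGET_TYPES.get(self.target_type, f"unknown({self.target_type})")

    def decode(self) -> bytes:
        """Decode the hex body to raw bytes. Plain hex pairs only; a
        wildcard such as '??' or '*' inside the body raises ValueError."""
        return bytes.fromhex(self.hex_sig)

    def printable(self) -> str:
        """Render the decoded bytes, escaping anything outside printable ASCII
        so binary sigs (like the packer stub) stay readable on a terminal."""
        return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}"
                       for b in self.decode())


def parse_ndb(text: str) -> list[NdbSig]:
    """Parse .ndb lines; extra trailing fields (min/max flevel) are ignored."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed .ndb line: {raw!r}")
        name, ttype, offset, body = fields[:4]
        sigs.append(NdbSig(name, int(ttype), offset, body.lower()))
    return sigs


if __name__ == "__main__":
    for s in parse_ndb(SAMPLE_NDB):
        print(f"{s.name} [{s.target_name()} @ {s.offset}] -> {s.printable()}")
```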
