how to get rid of the MD5 in .ndb sig files

hi, everyone,

I am doing some kind of research on string match right now and I was trying to use ClamAV signatures (daily.ndb and main.ndb, obtained by sigtool) as a simulation source. But I do not know how to retrieve the original signatures which are encrypted with MD5 in a file format: ndb, right? So if I wanna turn those encrypted sigs back, or say decrypt them, what exactly can I do?

thank you very much~
Really really appreciate your help~

P.S.,
some examples of .ndb rule:
Trojan.Packed-6:1:EP+0:807c2408015690eb
Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f
Re: how to get rid of the MD5 in .ndb sig files

On 2009-07-01 06:32, rayeaster wrote:
> hi, everyone,
>
> I am doing some kind of research on string match right now and I was trying
> to use ClamAV signatures (daily.ndb and main.ndb, obtained by sigtool) as a
> simulation source.
> but I do not know how to retrieve the original signatures which are
> encrypted with MD5 in a file format: ndb, right?

Wrong, signatures in .ndb files are simple hex signatures; they are not encrypted in any way ;)
See signatures.pdf for details.

> so if I wanna turn
> those encrypted sigs back, or say decrypt them, what exactly can I do?

You can't "decrypt" MD5; at most you can obtain a collision (a file with the same MD5), but that requires a huge amount of computing resources, and time.
Fortunately you don't have to: MD5 signatures are in .hdb and .mdb files.
If all you need is to understand .ndb files, then you simply need to read in hexadecimal.

> thank you very much~
> Really really appreciate your help~
>
> P.S.,
> some examples of .ndb rule:
> Trojan.Packed-6:1:EP+0:807c2408015690eb
> Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f

For example Email.Phishing.RB-1738 begins with http://www

Best regards,
--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: how to get rid of the MD5 in .ndb sig files

hi, Edwin, thank you very very much~ your answer saved me a lot of time and energy~
really appreciate your help

But I get somewhat confused by a phenomenon: in ClamAV .ndb sigs, the common prefixes between different sigs are quite few and short, or say, each two sigs have very few identical symbols (maybe in hex format) if you start to compare them from the beginning to the end. However, in SNORT, those sigs abstracted from its "CONTENT" part, which is similar to ClamAV sigs to some extent because both mainly concern pure string filtering without complex regular expressions, have relatively much more common shared prefix than ClamAV. Is there any intrinsic philosophy hidden behind this, or is it just my false guessing? thanks~
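The two points raised in this thread, that an .ndb body is plain hex rather than an MD5 digest (Edwin's reply) and the follow-up question about how much prefix different signatures share, can both be checked with a small parser. The script below is an added example, not code from the ClamAV project or from either poster; it assumes the .ndb field layout documented in ClamAV's signatures.pdf (MalwareName:TargetType:Offset:HexSignature, with optional functionality-level fields after that) and uses the two lines quoted in the thread plus one constructed entry (Sample.Constructed-1) to show how a `*` wildcard splits a body into literal runs.

```python
"""Parse ClamAV .ndb body signatures, decode the hex, and measure shared prefixes.

Added example, not ClamAV project code. Assumes the .ndb layout from
signatures.pdf: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]].
"""
import re
from dataclasses import dataclass
from itertools import combinations
from typing import List

# Constructed input: the two lines quoted in the thread plus one made-up entry
# (Sample.Constructed-1) containing a '*' wildcard.
SAMPLE_NDB = """\
Trojan.Packed-6:1:EP+0:807c2408015690eb
Email.Phishing.RB-1738:4:*:687474703a2f2f7777772e706f737465696e632e636f6d2f
Sample.Constructed-1:0:*:68656c6c6f*776f726c64
"""

# Target-type codes 0-7 as listed in signatures.pdf; later codes are omitted here.
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML", 4: "mail",
                5: "graphics", 6: "ELF", 7: "ASCII normalised text"}

# Common wildcard tokens inside a hex body: '*', '??', '{n-m}' and '(aa|bb)'.
# Nibble wildcards such as '8?' are not split out; they fall through the
# "not valid hex" path below and are shown as written.
WILDCARD_RE = re.compile(r"(\*|\?\?|\{[^}]*\}|\([^)]*\))")


@dataclass
class NdbSignature:
    name: str
    target_type: int
    offset: str       # e.g. '*' (anywhere) or 'EP+0' (at the PE entry point)
    hex_body: str


def parse_ndb(text: str) -> List[NdbSignature]:
    """Split each non-empty, non-comment line into its colon-separated fields."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields, got {len(parts)}")
        # parts[4:] would be the optional MinFL/MaxFL fields; not needed here.
        sigs.append(NdbSignature(parts[0], int(parts[1]), parts[2], parts[3]))
    return sigs


def render_hex_body(hex_body: str) -> str:
    """Decode literal hex runs to text; wildcards and nibble masks appear as <...>."""
    out = []
    for tok in WILDCARD_RE.split(hex_body):
        if not tok:
            continue
        try:
            raw = bytes.fromhex(tok)
        except ValueError:
            out.append(f"<{tok}>")  # wildcard token, keep it as written
            continue
        out.append("".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in raw))
    return "".join(out)


def literal_prefix(hex_body: str) -> bytes:
    """Bytes matched literally before the first wildcard (empty if none decode)."""
    head = WILDCARD_RE.split(hex_body)[0]
    try:
        return bytes.fromhex(head)
    except ValueError:
        return b""


def shared_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes two literal prefixes have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def longest_shared_prefix(sigs: List[NdbSignature]) -> int:
    """Longest byte prefix shared by any pair of signatures in the set."""
    return max((shared_prefix_len(literal_prefix(s.hex_body), literal_prefix(t.hex_body))
                for s, t in combinations(sigs, 2)), default=0)


if __name__ == "__main__":
    parsed = parse_ndb(SAMPLE_NDB)
    for sig in parsed:
        kind = TARGET_TYPES.get(sig.target_type, f"type {sig.target_type}")
        print(f"{sig.name:24} {kind:10} offset={sig.offset:5} {render_hex_body(sig.hex_body)}")
    print("longest prefix shared by any two signatures:", longest_shared_prefix(parsed), "byte(s)")
```

Running it prints Email.Phishing.RB-1738 as `http://www.posteinc.com/`, which is the hex string read as ASCII exactly as Edwin describes, and shows the Trojan.Packed-6 body as raw bytes anchored at the entry point. On these three entries the longest prefix any two signatures share is a single byte (the leading `h` of "http" and "hello"), which matches the observation in the follow-up post that .ndb bodies tend to diverge almost immediately; the same function run over a full daily.ndb would give the real distribution.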