
Actually I generate signatures from libraries to scan executables for being statically linked to that library. My actual approach is to read out the .text section and generate a byte sequence for every function with placeholders.

For little version steps of the library, there are many false positives with the clamscan from ClamAV.

Is there a better approach to generate signatures for libraries and detect with ClamAV afterwards?

Maximilian
  • What are you currently using to write your signatures? (just by sequence? yara? ioc? ) – KDEx Nov 25 '15 at 15:14
  • I wrote a script reading the byte-sequences out of the .text section of the static library with some placeholders. I could not find a different approach for my task. I followed the approach described in the paper "Automatically Mining Program Build Information via Signature Matching" – Maximilian Nov 25 '15 at 15:17

3 Answers


It seems that ClamAV supports both YARA and OpenIOC. These two methods of writing signatures will let you take a much more specific look rather than just byte sequences. Check out this SANS paper for a bit of methodology.

If you want just a quick idea of what these two frameworks can hone in on check out the documentation for YARA and IOC. Both of these frameworks have a lot more documentation on how to write good signatures that will be good further reading material.

KDEx
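The following is an added example, not code from the question or from either answer. It implements the placeholder approach the question describes (mask the bytes a linker will overwrite at relocation sites, keep everything else literal) and emits the result both as a ClamAV .ndb line and as the equivalent YARA hex string that KDEx's answer points towards. All function bytes, relocation offsets and "linked executables" are constructed for the demonstration; the literal-byte threshold is an assumed safeguard against overly generic patterns, and a bytes regex stands in for clamscan/yara so the matching can be checked offline.

```python
"""
Added example: wildcarded library-function signatures for ClamAV and YARA.

Everything below (function bytes, relocation list, 'executables') is
constructed for the demonstration; nothing is taken from a real library.
"""
import re

# Constructed x86-64 function body as it sits in a library object file:
#   48 83 EC 28             sub  rsp, 0x28
#   E8 00 00 00 00          call rel32            (rel32 fixed up by the linker)
#   48 8B 05 00 00 00 00    mov  rax, [rip+disp32] (disp32 fixed up by the linker)
#   48 83 C4 28             add  rsp, 0x28
#   C3                      ret
LIB_FUNC = bytes.fromhex("4883EC28" "E800000000" "488B0500000000" "4883C428" "C3")

# (offset, size) of relocation sites inside LIB_FUNC, as a reader of the
# object file's .rela.text section would report them (constructed here).
RELOCS = [(5, 4), (12, 4)]

# Assumed threshold: a pattern that is mostly wildcards matches unrelated
# code, which is one source of the false positives the question mentions.
MIN_LITERAL_BYTES = 8


def mask_relocations(code, relocs):
    """One entry per byte: the hex literal, or None where the linker will
    overwrite the byte (a placeholder)."""
    mask = [f"{b:02x}" for b in code]
    for off, size in relocs:
        if off < 0 or off + size > len(code):
            raise ValueError(f"relocation {off}+{size} outside function body")
        for i in range(off, off + size):
            mask[i] = None
    return mask


def literal_bytes(mask):
    """Number of bytes that are not placeholders."""
    return sum(1 for b in mask if b is not None)


def is_specific_enough(mask):
    """Reject patterns with too few literal bytes (assumed policy)."""
    return literal_bytes(mask) >= MIN_LITERAL_BYTES


def clamav_hex(mask):
    """ClamAV hex-signature body; '??' is a one-byte wildcard."""
    return "".join("??" if b is None else b for b in mask)


def ndb_line(name, mask, target_type=0):
    """One .ndb line: Name:TargetType:Offset:HexSignature.
    target_type 0 = any file type; offset '*' = anywhere in the file."""
    if not is_specific_enough(mask):
        raise ValueError("pattern too generic: too few literal bytes")
    return f"{name}:{target_type}:*:{clamav_hex(mask)}"


def yara_rule(name, mask):
    """Equivalent YARA rule using a hex string with '??' wildcards."""
    body = " ".join("??" if b is None else b.upper() for b in mask)
    return (f"rule {name}\n{{\n    strings:\n        $f = {{ {body} }}\n"
            f"    condition:\n        $f\n}}\n")


def to_regex(mask):
    """Bytes regex equivalent of the masked pattern (stand-in for the scanner)."""
    parts = [b"." if b is None else re.escape(bytes.fromhex(b)) for b in mask]
    return re.compile(b"".join(parts), re.DOTALL)


def find_function(mask, blob):
    """Offset of the first match in blob, or None."""
    m = to_regex(mask).search(blob)
    return m.start() if m else None


def link(code, relocs, values):
    """Stand-in for the linker: write concrete little-endian values into
    the relocation slots (constructed, not a real linker)."""
    out = bytearray(code)
    for (off, size), v in zip(relocs, values):
        out[off:off + size] = v.to_bytes(size, "little", signed=True)
    return bytes(out)


# Two constructed 'executables' containing the function with different
# call targets and data addresses, plus one unrelated blob.
EXE_A = b"\x90" * 16 + link(LIB_FUNC, RELOCS, [0x1234, -0x20]) + b"\xcc" * 8
EXE_B = b"\x00" * 40 + link(LIB_FUNC, RELOCS, [-0x4ff, 0x7e8]) + b"\x00" * 3
UNRELATED = bytes(range(256))

MASK = mask_relocations(LIB_FUNC, RELOCS)

if __name__ == "__main__":
    print(ndb_line("StaticLib.Func.Demo", MASK))
    print(yara_rule("staticlib_func_demo", MASK))
    for label, blob in [("EXE_A", EXE_A), ("EXE_B", EXE_B), ("UNRELATED", UNRELATED)]:
        print(label, find_function(MASK, blob))
```

Writing the printed .ndb line to a file and loading it with `clamscan -d sig.ndb` gives the same wildcarded match as the regex above; the YARA rule can be loaded by the YARA engine in the same way. The point of the literal-byte check is that small library functions consisting mostly of calls and data references become nearly all placeholders after masking, and such patterns are what tend to fire on unrelated binaries.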

One of the ways to develop signatures would be using the MD5 hash of the file using the SIGTOOL that was provided by ClamAV, but the constraint here would be that it would match or fire only when the hash matches the signature.

We can also divide the hexadecimal and header section into two separate files in order to create MD5 hashes for them.

  • hashes are no option, because I create a signature from a library and want to match a binary linked to the library against the signature. When I use hashes I get zero matches. – Maximilian Nov 25 '15 at 14:27

You can also use debug and leave files:

clamscan --debug 2>debug.log --leave-temps --tempdir=tmp

You can then find useful debug code in debug.log.

Current signatures.pdf: on GitHub

Vilican
    Hi, welcome on InfoSec. I noticed that you added two answers to one question. It is essentially better to post one, complete answer. You can always edit your posts, so if you forget to add something, you can add it later. Our [help center](https://security.stackexchange.com/help) can give you some guidance on how to write great answers. – Vilican Nov 26 '15 at 13:06