diff --git a/ChangeLog b/ChangeLog
index b823848ad..28c5331ae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Wed Nov 25 19:07:51 CET 2009 (tk)
+---------------------------------
+ * sigtool: --decode-sigs: handle .ndb sigs
+
 Tue Nov 24 10:24:27 EET 2009 (edwin)
 ------------------------------------
 * clamd/server-th.c: enable more than 256 FD support on Solaris (bb #1764).
diff --git a/sigtool/sigtool.c b/sigtool/sigtool.c
index 2fd3532c4..39328d57a 100644
--- a/sigtool/sigtool.c
+++ b/sigtool/sigtool.c
@@ -1835,13 +1835,68 @@ static int decodehex(const char *hexsig)
 static int decodesig(char *sig)
 {
 char *pt;
+ const char *tokens[7];
+ int tokens_count;
 if(strchr(sig, ';')) { /* lsig */
 mprintf("decodesig: Not supported signature format (yet)\n");
 return -1;
 } else if(strchr(sig, ':')) { /* ndb */
- mprintf("decodesig: Not supported signature format (yet)\n");
- return -1;
+ tokens_count = cli_strtokenize(sig, ':', 6 + 1, tokens);
+ if(tokens_count < 4 || tokens_count > 6) {
+ mprintf("!decodesig: Invalid or not supported signature format\n");
+ mprintf("TOKENS COUNT: %u\n", tokens_count);
+ return -1;
+ }
+ mprintf("VIRUS NAME: %s\n", tokens[0]);
+ if(tokens_count == 5)
+ mprintf("FUNCTIONALITY LEVEL: >=%s\n", tokens[4]);
+ else if(tokens_count == 6)
+ mprintf("FUNCTIONALITY LEVEL: %s..%s\n", tokens[4], tokens[5]);
+
+ if(!cli_isnumber(tokens[1])) {
+ mprintf("!decodesig: Invalid target type\n");
+ return -1;
+ }
+ mprintf("TARGET TYPE: ");
+ switch(atoi(tokens[1])) {
+ case 0:
+ mprintf("ANY FILE\n");
+ break;
+ case 1:
+ mprintf("PE\n");
+ break;
+ case 2:
+ mprintf("OLE2\n");
+ break;
+ case 3:
+ mprintf("HTML\n");
+ break;
+ case 4:
+ mprintf("MAIL\n");
+ break;
+ case 5:
+ mprintf("GRAPHICS\n");
+ break;
+ case 6:
+ mprintf("ELF\n");
+ break;
+ case 7:
+ mprintf("NORMALIZED ASCII TEXT\n");
+ break;
+ case 8:
+ mprintf("DISASM DATA\n");
+ break;
+ case 9:
+ mprintf("MACHO\n");
+ break;
+ default:
+ mprintf("!decodesig: Invalid target type\n");
+ return -1;
+ }
+ mprintf("OFFSET: %s\n", tokens[2]);
+ mprintf("DECODED SIGNATURE:\n");
+ decodehex(tokens[3]);
 } else if((pt = strchr(sig, '='))) {
 *pt++ = 0;
 mprintf("VIRUS NAME: %s\n", sig);
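Review bot: The result of `decodehex(tokens[3])` at the end of the new ndb branch is discarded, so a signature whose hex body is malformed can still be reported as decoded. If decodehex follows the same -1-on-error convention as decodesig (its body is not in this hunk), the call should read `if(decodehex(tokens[3]) == -1) return -1;`. In the token-count error path, `mprintf("TOKENS COUNT: %u\n", tokens_count);` passes an `int` to `%u`; `%d` matches the declared type. The target type is validated only after `VIRUS NAME` and `FUNCTIONALITY LEVEL` have been printed, so a rejected signature still produces partial output; doing the `cli_isnumber` check first would avoid that. decodesig continues past the end of the hunk, so how the branch's result reaches the final return is not visible here.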