Development info?

Hugo van der Kooij hvdkooij at vanderkooij.org
Sun Aug 24 20:47:23 IST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Freegard wrote:
> Hi Hugo,
> 
> Hugo van der Kooij wrote:
>> My aim is to write a custom function to detect links to executables and
>> such and mark them with some points. Then take it one level up and
>> pickup the samples for further analyses before they are taken offline
>> again.
>>
>> The first bit can be done with just a few lines in SA just as well. It is
>> the second part that will help me get malware samples as soon as
>> possible that cannot be done in SA.
> 
> I don't think you'd need a CustomFunction for either part of this - you
> can do it all within SA and the latest version of MailScanner.
> 
> uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/i
> score TRAP_LINK_EXEC 0.01
> describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
> 
> Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
> 
> SpamAssassin Rule Actions =
> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence

That will store the URL but by the time I can look at that URL to fetch
the file the infected system might be cleaned out already. So I need to
automate this a bit further.

Hugo.

- --
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIsbrJBvzDRVjxmYERAu2vAKCQnd/JdZuhgeSmNB3MDgtb5K5LpQCdGOVI
v817/3nTBD4A5kVZx6/RdL0=
=hlfH
-----END PGP SIGNATURE-----


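The automation Hugo is after, as an added example that is not code from this thread or from MailScanner/SpamAssassin: pick the executable-looking links out of a message with the same extension test as the TRAP_LINK_EXEC rule, then fetch and store each sample right away, content-addressed by SHA-256, so the copy exists before the serving host is cleaned up. Two points the rule above does not cover are handled here: the extension is checked on the URL path, so a `$`-anchored match is not defeated by `setup.scr?id=7`, and a fetch failure (host already gone) is recorded rather than aborting the run. The function names, the sample message and the fake fetcher are all constructed for the example; the real `fetch` would wrap an HTTP client behind a proxy or sandbox.

```python
"""Added example (not from the MailScanner thread or project): extract
executable-looking links from a message and capture the samples at once.
Assumed names: find_exec_links, store_sample, capture_samples, demo."""
import email
import email.policy
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

# Same extension test as the SA rule in the thread (.exe/.pif/.scr), but
# applied to the URL *path*, so "setup.scr?id=7" is not missed by the "$".
EXEC_EXT_RE = re.compile(r"\.(?:exe|pif|scr)$", re.IGNORECASE)
# Rough http(s) URI scanner for text bodies; stops at whitespace and quotes.
URI_RE = re.compile(r"\bhttps?://[^\s<>\"'()]+", re.IGNORECASE)


def find_exec_links(raw_message: bytes) -> list:
    """Return unique http(s) URLs whose path ends in an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        for url in URI_RE.findall(body):
            url = url.rstrip(".,;:")          # trailing punctuation from prose
            if EXEC_EXT_RE.search(urlsplit(url).path) and url not in hits:
                hits.append(url)
    return hits


def store_sample(url: str, data: bytes, evidence_dir: str) -> str:
    """Write the sample content-addressed by SHA-256, without execute bits,
    plus a sidecar recording where it came from. Returns the sample path."""
    digest = hashlib.sha256(data).hexdigest()
    dest = os.path.join(evidence_dir, digest)
    if not os.path.exists(dest):              # re-fetches of the same file dedupe
        with open(dest, "wb") as fh:
            fh.write(data)
        os.chmod(dest, 0o600)
    with open(dest + ".url", "a") as fh:
        fh.write(url + "\n")
    return dest


def capture_samples(raw_message: bytes, evidence_dir: str, fetch) -> dict:
    """fetch(url) -> bytes is injected: in production wrap an HTTP client
    behind a proxy or sandbox; here it lets the run stay offline.
    Returns {url: stored_path, or None if the fetch failed}."""
    results = {}
    for url in find_exec_links(raw_message):
        try:
            data = fetch(url)
        except Exception:                     # host already cleaned, timeout, ...
            results[url] = None
            continue
        results[url] = store_sample(url, data, evidence_dir)
    return results


# Constructed sample message (not real mail): two executable links, one benign.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: victim@example.org
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Your invoice: http://example.com/invoice.exe.
Also see http://example.com/index.html
--b1
Content-Type: text/html; charset=us-ascii

<a href="http://example.com/setup.scr?id=7">view</a>
--b1--
"""

# Constructed fake fetcher: one host still serves its file, the other is gone.
FAKE_SAMPLES = {"http://example.com/invoice.exe": b"MZ\x90\x00fake-sample"}


def fake_fetch(url: str) -> bytes:
    if url not in FAKE_SAMPLES:
        raise ConnectionError("host no longer serving %s" % url)
    return FAKE_SAMPLES[url]


def demo() -> dict:
    """Run the pipeline into a temp directory; return {url: stored size or None}."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        stored = capture_samples(SAMPLE_MESSAGE, evidence_dir, fake_fetch)
        return {u: (os.path.getsize(p) if p else None) for u, p in stored.items()}


if __name__ == "__main__":
    print(find_exec_links(SAMPLE_MESSAGE))
    print(demo())
```

Hooking this into the store action from the thread is a matter of running it over each file MailScanner drops in the evidence directory; the content-addressed layout means a sample seen from several messages is written once, with every source URL appended to its `.url` sidecar.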