Development info?

Julian Field MailScanner at ecs.soton.ac.uk
Sun Aug 24 21:12:16 IST 2008



Hugo van der Kooij wrote:
>
> Steve Freegard wrote:
>   
>> Hi Hugo,
>>
>> Hugo van der Kooij wrote:
>>     
>>> My aim is to write a custom function to detect links to executables and
>>> such and mark then with some points. Then take it one level up and
>>> pickup the samples for further analyses before they are taken offline
>>> again.
>>>
>>> The first bit can be done with just  few lines in SA just as well. It is
>>> the second part that will help me get malware samples as soon as
>>> possible that can not be done in SA.
>>>       
>> I don't think you'd need a CustomFunction for either part of this - you
>> can do it all within SA and the latest version of MailScanner.
>>
>> uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
>> score TRAP_LINK_EXEC 0.01
>> describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
>>
>> Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
>>
>> SpamAssassin Rule Actions =
>> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence
>>     
>
> That will store the URL but by the time I can look at that URL to fetch
> the file the infected system might be cleaned out already. So I need to
> automate this a bit further.
>   

How about a cron job that runs every few minutes, which does something 
like this:

#!/bin/sh
# Create the timestamp file on the first run, so nothing is reported until
# something newer than it appears.
if [ \! -f /tmp/MS.last.checked ]; then
  :> /tmp/MS.last.checked
fi
# -r stops xargs running echo at all when find produces no output.
find /var/spool/MailScanner/evidence -type f -cnewer /tmp/MS.last.checked -print | xargs -r echo "New files are"
touch /tmp/MS.last.checked

This will print out "New files are" every time any new files are found 
under the evidence directory structure, which you could change to mail 
you an alert about them, for example, or do something like pull out 
information from Received: headers to see where the files came from, or 
whatever.

Run this script every few minutes, and it will send you mail every time 
something new is generated.

Just a starting point, but hopefully you get the idea.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
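The cron-job idea above, carried one step further as an added example (not code from the thread, nor from MailScanner itself): each new file under the evidence directory is reported together with its topmost Received: header, which is where the "see where the files came from" suggestion leads. The directory and stamp file are parameters; the cron line and mail recipient in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Reports every file that has
# appeared under the MailScanner evidence directory since the last run and
# shows the first Received: header of each, so the handing-over host is
# visible without opening the file by hand.

# report_new_evidence EVIDENCE_DIR STAMP_FILE
# Prints "<file> <tab> <first Received: line>" for every file whose inode
# change time is newer than the stamp, then refreshes the stamp.
# Exit status 0 when at least one new file was reported, 1 otherwise.
report_new_evidence() {
    dir=$1 stamp=$2
    # First run: create the stamp so everything already present counts as old
    [ -f "$stamp" ] || : > "$stamp"
    # -cnewer compares the inode change time, so a file moved into the tree
    # (which is how a store action drops it there) counts as new even when
    # its modification time predates the stamp
    new=$(find "$dir" -type f -cnewer "$stamp" -print)
    # Refresh the stamp: from now on only files that arrive later are reported
    touch "$stamp"
    [ -n "$new" ] || return 1
    printf '%s\n' "$new" | while IFS= read -r f; do
        # The first Received: line is the one added by our own MTA, naming
        # the host that handed the message to us
        recv=$(sed -n '/^[Rr]eceived:/{p;q;}' "$f")
        printf '%s\t%s\n' "$f" "${recv:-(no Received: header)}"
    done
    return 0
}

# Stand-alone use from cron, as suggested in the thread (the script path and
# the mail recipient are assumptions):
#   */5 * * * * /usr/local/bin/report_new_evidence.sh | mail -s 'New evidence' root
```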

