Sanesecurity signatures are no longer being updated or distributed

Rick Cooper rcooper at dwford.com
Tue Dec 16 22:44:42 GMT 2008


I would say if you do begin to maintain the sigs again it would be worth a
little time to look into a blacklisting mechanism for IPs that are above a
set minimum. I believe that the snare people used to do that. Say more than
24 hits per 24 hrs results in a ban of say 48/72 hrs.

Just a thought

Rick 

 > -----Original Message-----
 > From: mailscanner-bounces at lists.mailscanner.info 
 > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 > Behalf Of Steve Basford
 > Sent: Tuesday, December 16, 2008 4:06 PM
 > To: MailScanner discussion
 > Subject: Re: Sanesecurity signatures are no longer being updated or distributed
 > 
 > 
 > 
 > Greg Matthews wrote:
 > > Anyone know if Sane Security are submitting signatures direct to 
 > > ClamAV? I understand that many of their signatures would make their 
 > > way into the official Clam updates.
 > Sanesecurity signatures aren't being added into the ClamAV official 
 > signatures... they are totally third-party sigs.
 > 
 > > Sounds like a P2P distribution mech may have helped here.
 > >
 > Well, I've just managed to find a little time to do a little log 
 > checking, now that the round-robin PHP script was turned off..  Checking 
 > the log for today:
 > 
 > Position:  IP: number of hits for today
 > 
 > 
 > In other words, if people downloaded the sigs every hour, each IP should 
 > only have 24 hits....as you can see, the above IPs are WAY over that.
 > Checking the log in detail... it seems people are setting the download 
 > scripts to download every second.... all adding up to: 45,554 hits an hour,
 > add the fact that 45,554 hits would run a PHP script... guess that's why 
 > the CPU usage was so high on a shared server and then got suspended.
 > 
 > Signature Note:
 > 
 > People have decided to mirror the last version of the public signatures:
 > 
 > 1. The signatures were removed and a placeholder signature added, so 
 > that hopefully people would quickly notice that their scripts needed to 
 > be changed... as the server is still getting hammered by wget/curl 
 > requests (approx 45,554 hits per hour)
 > 
 > 2. NO SUPPORT will be given on these unofficially mirrored signatures, 
 > in fact these mirrored signatures are already out of date, some false 
 > positives have already been corrected and new signatures have already 
 > been added to my private version of the signatures.
 > 
 > Hope that helps,
 > 
 > Steve
 > Sanesecurity
 > 
 > 
 > --
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > 
 > 
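The threshold ban suggested at the top of this message (more than 24 hits per 24 hrs leads to a 48-hour ban), as an added sketch that is not part of the original thread or of any Sanesecurity or snare code. The class and function names are hypothetical, and the sample events are constructed with documentation-range IP addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)    # counting window from the suggestion
MAX_HITS = 24                   # hourly polling is the expected ceiling
BAN_FOR = timedelta(hours=48)   # the shorter of the suggested 48/72 hrs


class DownloadLimiter:
    """Sliding-window hit counter with a timed ban per client IP."""

    def __init__(self, window=WINDOW, max_hits=MAX_HITS, ban_for=BAN_FOR):
        self.window, self.max_hits, self.ban_for = window, max_hits, ban_for
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned_until = {}           # ip -> time the ban expires

    def allow(self, ip, now):
        """Record one request; return True to serve it, False to refuse."""
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return False             # still banned; refused hits not counted
            del self.banned_until[ip]    # ban expired, client starts fresh
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                  # forget hits older than the window
        q.append(now)
        if len(q) > self.max_hits:       # over the threshold: start the ban
            self.banned_until[ip] = now + self.ban_for
            q.clear()
            return False
        return True


def replay(events, limiter=None):
    """Feed (timestamp, ip) pairs in time order; return served count per IP."""
    limiter = limiter or DownloadLimiter()
    served = defaultdict(int)
    for ts, ip in events:
        if limiter.allow(ip, ts):
            served[ip] += 1
    return dict(served), limiter


# Constructed sample: one client polling hourly, one polling every minute.
START = datetime(2008, 12, 16)
SAMPLE = sorted(
    [(START + timedelta(hours=h), "192.0.2.10") for h in range(24)]
    + [(START + timedelta(minutes=m), "198.51.100.7") for m in range(600)]
)
```

A client that polls once an hour never exceeds the threshold, because each new hit pushes the one from 24 hours earlier out of the window.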

