Sanesecurity signatures are no longer being updated or distributed
andrew colin
andrew.colin at gmail.com
Mon Jan 5 11:00:43 GMT 2009
196.35.158.184 is the Internet Solutions caching server in SA, so your
records are for multiple users sitting behind a transparent proxy.
On Tue, Dec 16, 2008 at 11:05 PM, Steve Basford
<steveb_clamav at sanesecurity.com> wrote:
>
>
> Greg Matthews wrote:
>>
>> Anyone know if Sane Security are submitting signatures direct to ClamAV? I
>> understand that many of their signatures would make their way into the
>> official Clam updates.
>
> Sanesecurity signatures aren't being added into the ClamAV official
> signatures... they are totally third-party sigs.
>
>> Sounds like a P2P distribution mech may have helped here.
>>
> Well, I've just managed to find a little time to do a little log checking,
> now that the round-robin php script was turned off.. Checking the log for
> today:
>
> Position: IP: number of hits for today
>
> In other words, if people downloaded the sigs every hour, each ip should
> only have 24 hits....as you can see, the above ips are WAY over that.
> Checking the log in detail... it seems people are setting the download
> scripts to download every second.... all adding up to: 45,554 hits an hour,
> add the fact that 45,554 hits would run a php script... guess that's why the
> cpu usage was so high on a shared server and then got suspended.
>
> Signature Note:
>
> People have decided to mirror the last version of the public signatures:
>
> 1. The signatures were removed and a placeholder signature added, so that
> hopefully people would quickly notice that their scripts needed to be
> changed... as the server is still getting hammered by wget/curl requests
> (approx 45,554 hits per hour)
>
> 2. NO SUPPORT will be given on these unofficially mirrored signatures, in
> fact these mirrored signatures are already out of date, some false positives
> have already been corrected and new signatures have already been added to my
> private version of the signatures.
>
> Hope that helps,
>
> Steve
> Sanesecurity
--
"Dru"
To follow the path, look to the master, follow the master, walk with
the master, see through the master, become the master. (zen)
http://www.topdog.za.net/
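
The per-IP check described in the quoted message (hourly downloads should mean at most 24 hits per IP per day), as an added example that is not part of the original thread. It assumes Apache combined log format; the function names, sample IPs (documentation ranges) and download path are constructed, and treating several user agents on one IP as a sign of a shared proxy is a heuristic assumed here, not something the posters used.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
EXPECTED_PER_DAY = 24  # one download per hour, the rate the post treats as normal

def summarize(lines, expected=EXPECTED_PER_DAY):
    """Return {ip: stats} for clients over `expected` hits on any single day."""
    times, agents = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the report
        ip, stamp, agent = m.groups()
        times[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
        agents[ip].add(agent)
    report = {}
    for ip, ts in times.items():
        ts.sort()
        peak = max(Counter(t.date() for t in ts).values())
        if peak <= expected:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        report[ip] = {
            "peak_hits_per_day": peak,
            "min_gap_seconds": min(gaps) if gaps else None,
            # Several distinct user agents hint at many users behind one
            # proxy or NAT address, the case raised in the reply (heuristic).
            "distinct_agents": len(agents[ip]),
        }
    return report

def constructed_sample():
    """Constructed log lines (documentation IP ranges, made-up path)."""
    start = datetime.strptime("16/Dec/2008:00:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    fmt = '{ip} - - [{t}] "GET /sigs/example.ndb.gz HTTP/1.0" 200 512 "-" "{ua}"'
    plan = [("192.0.2.10", 60, 1, ["Wget/1.10.2"]),        # polls every second
            ("198.51.100.7", 24, 3600, ["curl/7.18.2"]),    # hourly, as intended
            ("203.0.113.5", 40, 900, ["Wget/1.10.2", "curl/7.18.2", "Wget/1.11.4"])]
    out = []
    for ip, n, step, uas in plan:
        for i in range(n):
            t = (start + timedelta(seconds=i * step)).strftime("%d/%b/%Y:%H:%M:%S %z")
            out.append(fmt.format(ip=ip, t=t, ua=uas[i % len(uas)]))
    return out

if __name__ == "__main__":
    print(summarize(constructed_sample()))
```

A low minimum gap with a single user agent points at one misconfigured script; a high count spread over many agents is more consistent with a caching proxy and is better handled by rate limits than by blocking the address.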