SPAMVIRUS Feature Question

Richard Mealing richard at fastnet.co.uk
Fri Oct 23 10:25:29 IST 2009


Hi Jonas,


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jonas A. Larsen
Sent: 22 October 2009 21:13
To: 'MailScanner discussion'
Subject: RE: SPAMVIRUS Feature Question

Hi Richard

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Richard Mealing
> Sent: 21. oktober 2009 10:15
> To: MailScanner discussion
> Subject: RE: SPAMVIRUS Feature Question
> 
> Hi,
> 
> Not sure if this will help anyone, but I already did write a ton of
> rules with the help of Jules...
> 
> #Sanesecurity Signature (jurlbl.ndb)
> header SPAMVIRUSJurlbl.Auto X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Jurlbl.Auto/i
> score SPAMVIRUSJurlbl.Auto 3.0
> 
> #SaneSecurity Signature (phish.ndb)
> header SPAMVIRUSDoc X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Doc/i
> score SPAMVIRUSDoc 3.0
> header SPAMVIRUSFake X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Fake/i
> score SPAMVIRUSFake 3.0
> header SPAMVIRUSPhishing.Auction X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Auction/i
> score SPAMVIRUSPhishing.Auction 3.0
> header SPAMVIRUSPhishing.Azon X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Azon/i
> score SPAMVIRUSPhishing.Azon 3.0
> header SPAMVIRUSPhishing.Bank X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Bank/i
> score SPAMVIRUSPhishing.Bank 3.0
> header SPAMVIRUSPhishing.Card X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Card/i
> score SPAMVIRUSPhishing.Card 3.0
> header SPAMVIRUSPhishing.Cur X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Cur/i
> score SPAMVIRUSPhishing.Cur 3.0
> header SPAMVIRUSPhishing.Dca X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Dca/i
> score SPAMVIRUSPhishing.Dca 3.0
> header SPAMVIRUSPhishing.Fake X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Fake/i
> score SPAMVIRUSPhishing.Fake 3.0
> header SPAMVIRUSPhishing.GiftCard X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.GiftCard/i
> score SPAMVIRUSPhishing.GiftCard 3.0
> header SPAMVIRUSPhishing.Hex X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Hex/i
> score SPAMVIRUSPhishing.Hex 3.0
> header SPAMVIRUSPhishing.Ivt X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Ivt/i
> score SPAMVIRUSPhishing.Ivt 3.0
> header SPAMVIRUSPhishing.Jsc X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Jsc/i
> score SPAMVIRUSPhishing.Jsc 3.0
> header SPAMVIRUSPhishing.Nam X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Nam/i
> score SPAMVIRUSPhishing.Nam 3.0
> header SPAMVIRUSPhishing.Onf X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Onf/i
> score SPAMVIRUSPhishing.Onf 3.0
> header SPAMVIRUSPhishing.Pay X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Pay/i
> score SPAMVIRUSPhishing.Pay 3.0
> header SPAMVIRUSPhishing.Rdi X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Rdi/i
> score SPAMVIRUSPhishing.Rdi 3.0
> header SPAMVIRUSPhishing.Rock X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Rock/i
> score SPAMVIRUSPhishing.Rock 3.0
> header SPAMVIRUSPhishing.RockGen X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.RockGen/i
> score SPAMVIRUSPhishing.RockGen 3.0
> header SPAMVIRUSPhishing.Shop X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Shop/i
> score SPAMVIRUSPhishing.Shop 3.0
> header SPAMVIRUSPhishing.Slw X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Slw/i
> score SPAMVIRUSPhishing.Slw 3.0
> header SPAMVIRUSPhishing.Url X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Url/i
> score SPAMVIRUSPhishing.Url 3.0
> header SPAMVIRUSPhishing.Wrd X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Wrd/i
> score SPAMVIRUSPhishing.Wrd 3.0
> header SPAMVIRUSPhishingTestSig X-FastNet-MailScanner-SpamVirus-Report =~ /SaneSecurity.PhishingTestSig/i
> score SPAMVIRUSPhishingTestSig 3.0
> header SPAMVIRUSTestSig_Type3_Bdy X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type3_Bdy/i
> score SPAMVIRUSTestSig_Type3_Bdy 3.0
> header SPAMVIRUSTestSig_Type4_Bdy X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Bdy/i
> score SPAMVIRUSTestSig_Type4_Bdy 3.0
> header SPAMVIRUSTestSig_Type4_Hdr X-FastNet-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Hdr/i
> score SPAMVIRUSTestSig_Type4_Hdr 3.0
> 
> #SaneSecurity Signature (scam.ndb)
> header SPAMVIRUSSpam X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spam/i
> score SPAMVIRUSSpam 3.0
> header SPAMVIRUSCred X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Cred/i
> score SPAMVIRUSCred 3.0
> header SPAMVIRUSDipl X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Dipl/i
> score SPAMVIRUSDipl 3.0
> header SPAMVIRUSHdr X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Hdr/i
> score SPAMVIRUSHdr 3.0
> header SPAMVIRUSImg X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Img/i
> score SPAMVIRUSImg 3.0
> header SPAMVIRUSJob X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Job/i
> score SPAMVIRUSJob 3.0
> header SPAMVIRUSLoan X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Loan/i
> score SPAMVIRUSLoan 3.0
> header SPAMVIRUSPorn X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Porn/i
> score SPAMVIRUSPorn 3.0
> header SPAMVIRUSImgo X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Imgo/i
> score SPAMVIRUSImgo 3.0
> header SPAMVIRUSScam4 X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Scam4/i
> score SPAMVIRUSScam4 3.0
> header SPAMVIRUSScamL X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.ScamL/i
> score SPAMVIRUSScamL 3.0
> header SPAMVIRUSStk X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Stk/i
> score SPAMVIRUSStk 3.0
> header SPAMVIRUSTestSig X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.TestSig/i
> score SPAMVIRUSTestSig 3.0
> 
> #SaneSecurity Signature (junk.ndb)
> header SPAMVIRUSJunk X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Junk/i
> score SPAMVIRUSJunk 3.0
> 
> #SaneSecurity Signature (rogue.hdb)
> header SPAMVIRUSRogue X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Rogue/i
> score SPAMVIRUSRogue 3.0
> header SPAMVIRUSTrogan X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Trojan/i
> score SPAMVIRUSTrogan 3.0
> 
> #SaneSecurity Signature (lott.ndb)
> header SPAMVIRUSLott X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Lott/i
> score SPAMVIRUSLott 3.0
> 
> #SaneSecurity Signature (spear.ndb)
> header SPAMVIRUSSpear X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spear/i
> score SPAMVIRUSSpear 3.0
> 
> #SaneSecurity Signature (spamimg.hdb)
> header SPAMVIRUSSpamImg X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.SpamImg/i
> score SPAMVIRUSSpamImg 3.0
> 
> #SaneSecurity Signature (spam.ldb)
> header SPAMVIRUSSpam.ldg X-FastNet-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spam.ldb/i
> score SPAMVIRUSSpam.ldg 3.0
> 
> 
> ... if it helps.
> 


I'm horribly busy at work at the moment, so I have not read your SA rules in detail, but I can guess what you're doing; this is definitely better than the normal "1 rule for all 3rd-party sigs" setup.

However, it is a bit of a painful way to do it, since you would have to keep it updated for each signature source you add, not to mention it's always a generalization, since you're matching fragments/"families" of either signature DBs or phishing/virus families.

It would be neat if there was some way to just grab whatever clamd calls the signature/virus and somehow auto-generate SA rules for them (in a performance-friendly manner).

Without having read all your rules in detail, I assume there's a generic one somewhere that scores stuff that isn't matched by your more specific rules? (Unless you wrote specific rules for all your signature bases.)

However, as I started out saying, it's definitely an improvement, and I'll implement your rules in my own setup when time allows it.

Best regards

Jonas Larsen




----

I'm not sure it's working how it should, though. I see the following in a debug lint for SA:

[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Rdi
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Dca
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Auction
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSJurlbl.Auto
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Hex
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Nam
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Fake
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSSpam.ldg
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Card
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Url
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Slw
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.RockGen
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Azon
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Jsc
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Pay
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Wrd
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Ivt
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Bank
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Cur
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Rock
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.GiftCard
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Onf
[24853] dbg: config: warning: score set for non-existent rule SPAMVIRUSPhishing.Shop

So these are not being used at all. I do see them in the databases though?

And this:

[30360] warn: config: error: rule 'SPAMVIRUSJurlbl.Auto' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Auction' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Azon' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Bank' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Card' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Cur' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Dca' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Fake' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.GiftCard' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Hex' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Ivt' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Jsc' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Nam' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Onf' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Pay' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Rdi' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Rock' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.RockGen' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Shop' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Slw' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Url' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSPhishing.Wrd' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: config: error: rule 'SPAMVIRUSSpam.ldg' has invalid characters (not Alphanumeric + Underscore + starting with a non-digit)
[30360] warn: lint: 23 issues detected, please rerun with debug enabled for more information

I've been searching and I can't find my error so far.

Rich
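The lint output above states SpamAssassin's constraint on rule names (alphanumeric plus underscore, not starting with a digit), and Jonas asked for a way to generate the rules from whatever the signature is called. The following is an added example, not code from this thread or from MailScanner or SpamAssassin: a small Python generator that derives a lint-clean rule name from a signature name, emits header/score pairs against the X-FastNet-MailScanner-SpamVirus-Report header seen in the rules, and re-checks the result for the two kinds of warning shown above. The signature names passed in are constructed samples.

```python
import re

# Header name taken from the thread's rules; everything else here is constructed.
REPORT_HEADER = "X-FastNet-MailScanner-SpamVirus-Report"
# SpamAssassin's rule-name constraint, as stated in the lint output above:
# alphanumeric plus underscore, and not starting with a digit.
RULE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def rule_name(signature, prefix="SPAMVIRUS"):
    """Derive a lint-clean rule name from a signature name such as
    'Sanesecurity.Phishing.Bank': drop the vendor prefix, then replace
    every character outside [A-Za-z0-9_] with an underscore."""
    family = re.sub(r"^sanesecurity\.", "", signature, flags=re.IGNORECASE)
    name = prefix + re.sub(r"[^A-Za-z0-9_]", "_", family)
    if not RULE_NAME_RE.match(name):
        raise ValueError(f"cannot derive a valid rule name from {signature!r}")
    return name

def generate_rules(signatures, score=3.0):
    """Emit one header/score pair per signature family in .cf syntax.
    re.escape makes the dots literal; an unescaped '.' matches any character."""
    lines = []
    for sig in signatures:
        name = rule_name(sig)
        lines.append(f"header {name} {REPORT_HEADER} =~ /{re.escape(sig)}/i")
        lines.append(f"score {name} {score:.1f}")
    return "\n".join(lines) + "\n"

def lint_rules(cf_text):
    """Reproduce the two complaints from the thread's lint run: a rule name
    with invalid characters, and a 'score' whose rule was never defined
    (which is exactly what happens once an invalid 'header' line is rejected)."""
    defined, scored, invalid = set(), [], []
    for line in cf_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("header", "score"):
            continue
        kind, name = parts[0], parts[1]
        if not RULE_NAME_RE.match(name):
            if name not in invalid:
                invalid.append(name)
        elif kind == "header":
            defined.add(name)
        if kind == "score":
            scored.append(name)
    problems = [f"rule '{n}' has invalid characters" for n in invalid]
    problems += [f"score set for non-existent rule {n}"
                 for n in scored if n not in defined]
    return problems
```

Running lint_rules over the thread's own rules (with their dotted names) reproduces both warning types; running it over generate_rules output returns an empty list.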


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
