From: Vsevolod Stakhov
Date: Fri, 6 Sep 2019 17:03:19 +0000 (+0100)
Subject: [Project] Lua_magic: Moar patterns
X-Git-Tag: 2.0~263
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=0d5d24b15877bce801381da5b161d62a4ef0bae9;p=rspamd.git

[Project] Lua_magic: Moar patterns
---

diff --git a/lualib/lua_magic/patterns.lua b/lualib/lua_magic/patterns.lua
index a52baa790..dd723f6e8 100644
--- a/lualib/lua_magic/patterns.lua
+++ b/lualib/lua_magic/patterns.lua
@@ -98,6 +98,36 @@ local patterns = {
 }
 }
 },
+ elf = {
+ matches = {
+ {
+ hex = [[7f454c46]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ lnk = {
+ matches = {
+ {
+ hex = [[4C0000000114020000000000C000000000000046]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ class = {
+ -- Technically, this also matches MachO files, but I don't care about
+ -- Apple and their mental health problems here: just consider Java files,
+ -- Mach object files and all other cafe babes as bad and block them!
+ matches = {
+ {
+ hex = [[cafebabe]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
 -- Archives
 arj = {
 matches = {
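Review bot: The `class` entry's `cafebabe` magic is shared with Mach-O universal (fat) binaries, as the comment itself says, and types.lua maps `class` to `application/x-java-applet`, so a fat Mach-O will be reported under a Java content type; thin Mach-O files (magic 0xfeedface/0xfeedfacf, stored as `cefaedfe`/`cffaedfe` on little-endian targets) are not matched by any entry in this hunk. If the deliberate choice is to treat all of them alike, the comment should say so next to the type definition as well, since the content type will be read literally by whoever consumes it; if they ever need separating, the big-endian 32-bit value at offset 4 (arch count in a fat binary, version field in a class file) is the conventional discriminator. The `elf` magic and the `lnk` header/CLSID signature look correct.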
@@ -120,7 +150,82 @@ local patterns = {
 cab = {
 matches = {
 {
- string = [[MSCF]],
+ hex = [[4d53434600000000]], -- Can be anywhere for SFX :(
+ position = {'>=', 8},
+ weight = 60,
+ },
+ }
+ },
+ tar = {
+ matches = {
+ {
+ string = [[ustar]],
+ relative_position = 257,
+ weight = 60,
+ },
+ }
+ },
+ bz2 = {
+ matches = {
+ {
+ string = "BZ[h0]",
+ position = 3,
+ weight = 60,
+ },
+ }
+ },
+ lz4 = {
+ matches = {
+ {
+ hex = "184d2204",
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = "184c2103",
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = "184c2102",
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ zst = {
+ matches = {
+ {
+ string = [[\x{FD}\x{2F}\x{B5}[\x{22}-\x{40}].]],
+ position = 5, -- includes last .
+ weight = 60,
+ },
+ }
+ },
+ -- Apple is a 'special' child: this needs to be matched at the data tail...
+ dmg = {
+ matches = {
+ {
+ string = [[koly]],
+ position = -512 + 4,
+ weight = 61,
+ tail = 512,
+ },
+ }
+ },
+ szdd = {
+ matches = {
+ {
+ hex = [[535a4444]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ xz = {
+ matches = {
+ {
+ hex = [[FD377A585A00]],
 relative_position = 0,
 weight = 60,
 },
@@ -163,6 +268,39 @@ local patterns = {
 },
 }
 },
+ swf = {
+ matches = {
+ {
+ hex = [[5a5753]], -- LZMA
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = [[435753]], -- Zlib
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = [[465753]], -- Uncompressed
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ tiff = {
+ matches = {
+ {
+ hex = [[49492a00]], -- LE encoded
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = [[4d4d]], -- BE tiff
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
 -- Other
 pgp = {
 matches = {
@@ -177,7 +315,16 @@ local patterns = {
 weight = 60,
 },
 }
- }
+ },
+ uue = {
+ matches = {
+ {
+ hex = [[626567696e20]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
 }
 
 return patterns
\ No newline at end of file
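Review bot: The `lz4` and `zst` magics are written in numeric value order rather than on-disk byte order: both formats store their magic numbers little-endian, so an LZ4 frame starts with the bytes 04 22 4d 18 (value 0x184D2204) and a Zstandard frame with 28 b5 2f fd (value 0xFD2FB528), whereas the `elf` and `xz` entries in the same table spell bytes as they appear in the stream. Unless the matcher reverses `hex` input, which nothing here suggests, these entries never fire and LZ4/zstd payloads fall through undetected. The LZ4 entries should read `hex = "04224d18",`, `hex = "03214c18",` and `hex = "02214c18",`; the `zst` pattern should likewise put the `[\x{22}-\x{40}]` class first and `\x{FD}` last, with `position` re-checked against how the matcher interprets it, since the "includes last ." comment suggests it is an end offset. I cannot confirm 0x184C2103 from the LZ4 frame specification, so that legacy entry deserves a comment citing where it comes from.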
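Review bot: The big-endian TIFF entry matches only the two bytes `MM` at offset 0, while its little-endian sibling checks the full four-byte header `II*\0`, so any payload that happens to begin with "MM" (plain text included) is scored 60 as tiff. The big-endian header is `MM\0*`, so the entry should read `hex = [[4d4d002a]], -- BE tiff`. The three `swf` signature variants are correct.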
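Review bot: `hex = [[626567696e20]]` is just the ASCII text `begin ` anchored at offset 0, so any text body that opens with the word "begin" (scripts, prose) is scored 60 as uuencoded. A uuencode header is `begin <octal mode> <name>`, so a `string` entry in the dialect the `zst` entry already uses, e.g. `string = [[begin [0-7]{3} ]],` with `relative_position = 0,`, would be materially tighter at no cost. This hunk also closes the `patterns` table, so the new entry must stay before the final `}`.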
diff --git a/lualib/lua_magic/types.lua b/lualib/lua_magic/types.lua
index 667296715..20089c9c2 100644
--- a/lualib/lua_magic/types.lua
+++ b/lualib/lua_magic/types.lua
@@ -27,6 +27,18 @@ local types = {
 ct = 'application/x-ms-application',
 type = 'executable',
 },
+ elf = {
+ ct = 'application/x-elf-executable',
+ type = 'executable',
+ },
+ lnk = {
+ ct = 'application/x-ms-application',
+ type = 'executable',
+ },
+ class = {
+ ct = 'application/x-java-applet',
+ type = 'executable',
+ },
 -- text
 rtf = {
 ct = "application/rtf",
@@ -41,23 +53,51 @@ local types = {
 type = 'binary',
 },
 chm = {
- ct = 'application/chm',
+ ct = 'application/x-chm',
 type = 'binary',
 },
 djvu = {
- ct = 'application/djvu',
+ ct = 'application/x-djvu',
 type = 'binary',
 },
 -- archives
 arj = {
- ct = 'application/x-compressed',
+ ct = 'application/x-arj',
 type = 'archive',
 },
 cab = {
- ct = 'application/x-compressed',
+ ct = 'application/x-cab',
 type = 'archive',
 },
 ace = {
+ ct = 'application/x-ace',
+ type = 'archive',
+ },
+ tar = {
+ ct = 'application/x-tar',
+ type = 'archive',
+ },
+ bz2 = {
+ ct = 'application/x-bzip',
+ type = 'archive',
+ },
+ xz = {
+ ct = 'application/x-xz',
+ type = 'archive',
+ },
+ lz4 = {
+ ct = 'application/x-lz4',
+ type = 'archive',
+ },
+ zst = {
+ ct = 'application/x-zstandard',
+ type = 'archive',
+ },
+ dmg = {
+ ct = 'application/x-dmg',
+ type = 'archive',
+ },
+ szdd = { -- in fact, their MSDOS extension is like FOO.TX_ or FOO.TX$
 ct = 'application/x-compressed',
 type = 'archive',
 },
@@ -82,11 +122,19 @@ local types = {
 ct = 'image/ico',
 type = 'image',
 },
+ swf = {
+ ct = 'application/x-shockwave-flash',
+ type = 'image',
+ },
 -- other
 pgp = {
 ct = 'application/encrypted',
 type = 'encrypted'
- }
+ },
+ uue = {
+ ct = 'application/x-uuencoded',
+ type = 'binary',
+ },
 }
 
 return types
\ No newline at end of file
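Review bot: `lnk` is given exactly the content type of the entry directly above it (`application/x-ms-application`), so any rule or log keyed on `ct` cannot tell a Windows shortcut from the executable type it shares the string with, while `elf` and `class` in the same hunk each get a distinct type. The conventional mapping for shortcuts is `ct = 'application/x-ms-shortcut',`, which keeps shortcut-specific handling possible downstream.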
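Review bot: `bz2` is mapped to `application/x-bzip`, which by convention names the older bzip 0.21 format, while `application/x-bzip2` is what most consumers match on for bzip2 streams; the patterns.lua entry `BZ[h0]` accepts both header forms, so the broader `ct = 'application/x-bzip2',` (or a comment explaining the choice) would avoid rules silently missing bzip2 attachments. Also worth noting in the `szdd` comment that `application/x-compressed`, which this hunk retires from `arj` and `cab`, is now kept only there.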
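Review bot: `swf` is classified as `type = 'image'` although a Flash movie carries bytecode that the client executes, so any policy keyed on the `type` field (restricting `executable`, allowing `image`) would handle it like a picture. If `type` feeds such decisions, `type = 'executable',` is the safer class; otherwise a short comment stating why `image` was chosen would keep the next reader from "correcting" it either way. Whether `type` influences policy is not visible from this file alone.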