mirror of
https://github.com/rspamd/rspamd.git
synced 2024-09-13 15:45:47 +02:00
472 lines
8.2 KiB
Lua
472 lines
8.2 KiB
Lua
--[[
|
|
Copyright (c) 2019, Vsevolod Stakhov <vsevolod@highsecure.ru>
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
]]--
|
|
|
|
--[[[
|
|
-- @module lua_magic/patterns
|
|
-- This module contains most common patterns
|
|
--]]
|
|
|
|
local heuristics = require "lua_magic/heuristics"
|
|
|
|
local patterns = {
|
|
pdf = {
|
|
-- These are alternatives
|
|
matches = {
|
|
{
|
|
string = [[%PDF-[12]\.\d]],
|
|
position = {'<=', 1024},
|
|
weight = 60,
|
|
heuristic = heuristics.pdf_format_heuristic
|
|
},
|
|
{
|
|
string = [[%FDF-[12]\.\d]],
|
|
position = {'<=', 1024},
|
|
weight = 60,
|
|
heuristic = heuristics.pdf_format_heuristic
|
|
},
|
|
},
|
|
},
|
|
ps = {
|
|
matches = {
|
|
{
|
|
string = [[%!PS-Adobe]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
},
|
|
},
|
|
-- RTF document
|
|
rtf = {
|
|
matches = {
|
|
{
|
|
string = [[^{\\rt]],
|
|
position = 4,
|
|
weight = 60,
|
|
}
|
|
}
|
|
},
|
|
chm = {
|
|
matches = {
|
|
{
|
|
string = [[ITSF]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
}
|
|
}
|
|
},
|
|
djvu = {
|
|
matches = {
|
|
{
|
|
string = [[AT&TFORM]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
string = [[DJVM]],
|
|
relative_position = 0x0c,
|
|
weight = 60,
|
|
}
|
|
}
|
|
},
|
|
-- MS Office format, needs heuristic
|
|
ole = {
|
|
matches = {
|
|
{
|
|
hex = [[d0cf11e0a1b11ae1]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
heuristic = heuristics.ole_format_heuristic
|
|
}
|
|
}
|
|
},
|
|
-- MS Exe file
|
|
exe = {
|
|
matches = {
|
|
{
|
|
string = [[MZ]],
|
|
relative_position = 0,
|
|
weight = 15,
|
|
},
|
|
-- PE part
|
|
{
|
|
string = [[PE\x{00}\x{00}]],
|
|
position = {'>=', 0x3c + 4},
|
|
weight = 15,
|
|
heuristic = heuristics.pe_part_heuristic,
|
|
}
|
|
}
|
|
},
|
|
elf = {
|
|
matches = {
|
|
{
|
|
hex = [[7f454c46]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
lnk = {
|
|
matches = {
|
|
{
|
|
hex = [[4C0000000114020000000000C000000000000046]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
bat = {
|
|
matches = {
|
|
{
|
|
string = [[(?i)@\s*ECHO\s+OFF]],
|
|
position = {'>=', 0},
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
class = {
|
|
-- Technically, this also matches MachO files, but I don't care about
|
|
-- Apple and their mental health problems here: just consider Java files,
|
|
-- Mach object files and all other cafe babes as bad and block them!
|
|
matches = {
|
|
{
|
|
hex = [[cafebabe]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
ics = {
|
|
matches = {
|
|
{
|
|
string = [[BEGIN:VCALENDAR]],
|
|
weight = 60,
|
|
relative_position = 0,
|
|
}
|
|
}
|
|
},
|
|
vcf = {
|
|
matches = {
|
|
{
|
|
string = [[BEGIN:VCARD]],
|
|
weight = 60,
|
|
relative_position = 0,
|
|
}
|
|
}
|
|
},
|
|
-- Archives
|
|
arj = {
|
|
matches = {
|
|
{
|
|
hex = '60EA',
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
ace = {
|
|
matches = {
|
|
{
|
|
string = [[\*\*ACE\*\*]],
|
|
position = 14,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
cab = {
|
|
matches = {
|
|
{
|
|
hex = [[4d53434600000000]], -- Can be anywhere for SFX :(
|
|
position = {'>=', 8},
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
tar = {
|
|
matches = {
|
|
{
|
|
string = [[ustar]],
|
|
relative_position = 257,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
bz2 = {
|
|
matches = {
|
|
{
|
|
string = "^BZ[h0]",
|
|
position = 3,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
lz4 = {
|
|
matches = {
|
|
{
|
|
hex = "04224d18",
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
hex = "03214c18",
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
hex = "02214c18",
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
-- MozLZ4
|
|
hex = '6d6f7a4c7a343000',
|
|
relative_position = 0,
|
|
weight = 60,
|
|
}
|
|
}
|
|
},
|
|
zst = {
|
|
matches = {
|
|
{
|
|
string = [[^[\x{22}-\x{40}]\x{B5}\x{2F}\x{FD}]],
|
|
position = 4,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
zoo = {
|
|
matches = {
|
|
{
|
|
hex = [[dca7c4fd]],
|
|
relative_position = 20,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
xar = {
|
|
matches = {
|
|
{
|
|
string = [[xar!]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
iso = {
|
|
matches = {
|
|
{
|
|
string = [[\x{01}CD001\x{01}]],
|
|
position = {'>=', 0x8000 + 7}, -- first 32k is unused
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
egg = {
|
|
-- ALZip egg
|
|
matches = {
|
|
{
|
|
string = [[EGGA]],
|
|
weight = 60,
|
|
relative_position = 0,
|
|
},
|
|
}
|
|
},
|
|
alz = {
|
|
-- ALZip alz
|
|
matches = {
|
|
{
|
|
string = [[ALZ\x{01}]],
|
|
weight = 60,
|
|
relative_position = 0,
|
|
},
|
|
}
|
|
},
|
|
-- Apple is a 'special' child: this needs to be matched at the data tail...
|
|
dmg = {
|
|
matches = {
|
|
{
|
|
string = [[koly\x{00}\x{00}\x{00}\x{04}]],
|
|
position = -512 + 8,
|
|
weight = 61,
|
|
tail = 512,
|
|
},
|
|
}
|
|
},
|
|
szdd = {
|
|
matches = {
|
|
{
|
|
hex = [[535a4444]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
xz = {
|
|
matches = {
|
|
{
|
|
hex = [[FD377A585A00]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
-- Images
|
|
psd = {
|
|
matches = {
|
|
{
|
|
string = [[8BPS]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
ico = {
|
|
matches = {
|
|
{
|
|
hex = [[00000100]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
pcx = {
|
|
matches = {
|
|
{
|
|
hex = [[0A050108]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
pic = {
|
|
matches = {
|
|
{
|
|
hex = [[FF80C9C71A00]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
swf = {
|
|
matches = {
|
|
{
|
|
hex = [[5a5753]], -- LZMA
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
hex = [[435753]], -- Zlib
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
hex = [[465753]], -- Uncompressed
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
tiff = {
|
|
matches = {
|
|
{
|
|
hex = [[49492a00]], -- LE encoded
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
hex = [[4d4d]], -- BE tiff
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
-- Other
|
|
pgp = {
|
|
matches = {
|
|
{
|
|
hex = [[A803504750]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
hex = [[2D424547494E20504750204D4553534147452D]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
uue = {
|
|
matches = {
|
|
{
|
|
hex = [[626567696e20]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
dwg = {
|
|
matches = {
|
|
{
|
|
string = '^AC10[12][2-9]',
|
|
position = 6,
|
|
weight = 60,
|
|
}
|
|
}
|
|
},
|
|
jpg = {
|
|
matches = {
|
|
{ -- JPEG2000
|
|
hex = [[0000000c6a5020200d0a870a]],
|
|
relative_position = 0,
|
|
weight = 60,
|
|
},
|
|
{
|
|
string = [[^\x{ff}\x{d8}\x{ff}]],
|
|
weight = 60,
|
|
position = 3,
|
|
},
|
|
},
|
|
},
|
|
png = {
|
|
matches = {
|
|
{
|
|
string = [[^\x{89}PNG\x{0d}\x{0a}\x{1a}\x{0a}]],
|
|
position = 8,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
gif = {
|
|
matches = {
|
|
{
|
|
string = [[^GIF8\d]],
|
|
position = 5,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
bmp = {
|
|
matches = {
|
|
{
|
|
string = [[^BM...\x{00}\x{00}\x{00}\x{00}]],
|
|
position = 9,
|
|
weight = 60,
|
|
},
|
|
}
|
|
},
|
|
}
|
|
|
|
return patterns
|