[Minor] lua_scanners - adopt excrypted / macro support
This commit is contained in:
parent
f6f3788672
commit
e45b99bdb6
@ -140,6 +140,10 @@ local function clamav_check(task, content, digest, rule)
|
|||||||
rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)
|
rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)
|
||||||
common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted')
|
common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted')
|
||||||
cached = 'encrypted'
|
cached = 'encrypted'
|
||||||
|
elseif string.find(vname, '^Heuristics%.OLE2%.ContainsMacros') then
|
||||||
|
rspamd_logger.errx(task, '%s: ClamAV Found an OLE2 Office Macro', rule.log_prefix)
|
||||||
|
common.yield_result(task, rule, vname, 0.0, 'macro')
|
||||||
|
elseif vname then
|
||||||
elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then
|
elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then
|
||||||
rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix)
|
rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix)
|
||||||
common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail')
|
common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail')
|
||||||
|
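Review bot: The added `elseif vname then` with an empty body, sitting between the new OLE2 macro branch and the `'^Heuristics%.Limits%.Exceeded'` test, is taken for every name that is neither encrypted nor a macro (string.find was already applied to `vname`, so it is a non-nil string here), which makes the Limits Exceeded branch and anything after it unreachable on the new side; as rendered on this page that line should simply be deleted. The macro branch also differs from its encrypted sibling in that it never updates `cached`, so whatever default the surrounding code later saves for this digest will not record `macro`; `cached = 'macro'` after the `common.yield_result(task, rule, vname, 0.0, 'macro')` call would mirror the encrypted case. `clamav_check` starts and ends outside the hunk.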
@ -184,6 +184,11 @@ local function oletools_check(task, content, digest, rule)
|
|||||||
end
|
end
|
||||||
elseif result[3]['return_code'] == 9 then
|
elseif result[3]['return_code'] == 9 then
|
||||||
rspamd_logger.warnx(task, '%s: File is encrypted.', rule.log_prefix)
|
rspamd_logger.warnx(task, '%s: File is encrypted.', rule.log_prefix)
|
||||||
|
common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'encrypted')
|
||||||
|
common.save_cache(task, digest, rule, 'encrypted')
|
||||||
|
elseif result[3]['return_code'] == 5 then
|
||||||
|
rspamd_logger.warnx(task, '%s: olefy could not open the file - error: %s', rule.log_prefix,
|
||||||
|
result[2]['message'])
|
||||||
common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'fail')
|
common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'fail')
|
||||||
elseif result[3]['return_code'] > 6 then
|
elseif result[3]['return_code'] > 6 then
|
||||||
rspamd_logger.errx(task, '%s: Error Returned: %s',
|
rspamd_logger.errx(task, '%s: Error Returned: %s',
|
||||||
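Review bot: The new return-code-9 branch classifies the result as `'encrypted'` and caches it as such, yet the option text it hands to `common.yield_result` still reads `'failed - err: ' .. oletools_rc[...]`, so the _ENCRYPTED symbol will carry a "failed" message for a document that was scanned fine but is password-protected; `common.yield_result(task, rule, 'File is encrypted: ' .. oletools_rc[result[3]['return_code']], 0.0, 'encrypted')` would match the wording the ClamAV path uses in this same commit. The new return-code-5 branch logs `result[2]['message']` without checking it is present, so if olefy can omit it the log line will show whatever the logger prints for nil. `oletools_check` starts and ends outside the hunk.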
@ -196,7 +201,7 @@ local function oletools_check(task, content, digest, rule)
|
|||||||
rule.log_prefix, result[2]['message'])
|
rule.log_prefix, result[2]['message'])
|
||||||
oletools_requery(oletools_rc[result[3]['return_code']])
|
oletools_requery(oletools_rc[result[3]['return_code']])
|
||||||
elseif type(result[2]['analysis']) == 'table' and #result[2]['analysis'] == 0
|
elseif type(result[2]['analysis']) == 'table' and #result[2]['analysis'] == 0
|
||||||
and #result[2]['macros'] == 0 then
|
and #result[2]['macros'] == 0 then
|
||||||
rspamd_logger.warnx(task, '%s: maybe unhandled python or oletools error', rule.log_prefix)
|
rspamd_logger.warnx(task, '%s: maybe unhandled python or oletools error', rule.log_prefix)
|
||||||
common.yield_result(task, rule, 'oletools unhandled error', 0.0, 'fail')
|
common.yield_result(task, rule, 'oletools unhandled error', 0.0, 'fail')
|
||||||
elseif type(result[2]['analysis']) ~= 'table' and #result[2]['macros'] == 0 then
|
elseif type(result[2]['analysis']) ~= 'table' and #result[2]['macros'] == 0 then
|
||||||
|
@ -87,7 +87,6 @@ local function add_antivirus_rule(sym, opts)
|
|||||||
if not opts.symbol_fail then
|
if not opts.symbol_fail then
|
||||||
opts.symbol_fail = opts.symbol .. '_FAIL'
|
opts.symbol_fail = opts.symbol .. '_FAIL'
|
||||||
end
|
end
|
||||||
|
|
||||||
if not opts.symbol_encrypted then
|
if not opts.symbol_encrypted then
|
||||||
opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
|
opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
|
||||||
end
|
end
|
||||||
|
@ -136,8 +136,14 @@ local function add_scanner_rule(sym, opts)
|
|||||||
|
|
||||||
rule.type = opts.type
|
rule.type = opts.type
|
||||||
|
|
||||||
if not rule.symbol_fail then
|
if not opts.symbol_fail then
|
||||||
rule.symbol_fail = opts.symbol .. '_FAIL'
|
opts.symbol_fail = opts.symbol .. '_FAIL'
|
||||||
|
end
|
||||||
|
if not opts.symbol_encrypted then
|
||||||
|
opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
|
||||||
|
end
|
||||||
|
if not opts.symbol_macro then
|
||||||
|
opts.symbol_macro = opts.symbol .. '_MACRO'
|
||||||
end
|
end
|
||||||
|
|
||||||
rule.redis_params = redis_params
|
rule.redis_params = redis_params
|
||||||
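Review bot: The defaults now land on `opts`, whereas the removed line wrote `rule.symbol_fail`, and the context line `rule.type = opts.type` just above shows `rule` already exists as a separate table when these run; if `rule` was derived from `opts` earlier in the function (not visible in the hunk), nothing copies `opts.symbol_fail`, `opts.symbol_encrypted` or `opts.symbol_macro` back into `rule`, and any code that reads `rule.symbol_encrypted` / `rule.symbol_macro` when reporting a scan outcome would see nil. Either mirror each default onto `rule` after the three blocks (`rule.symbol_fail = opts.symbol_fail`, and likewise for the two new names) or move the defaults above the point where `rule` is built from `opts`. The three blocks are the same three lines with a different suffix, so a loop over `{'fail', 'encrypted', 'macro'}` would keep them from drifting apart. `add_scanner_rule` starts and ends outside the hunk.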
@ -215,12 +221,26 @@ if opts and type(opts) == 'table' then
|
|||||||
local id = rspamd_config:register_symbol(t)
|
local id = rspamd_config:register_symbol(t)
|
||||||
|
|
||||||
rspamd_config:register_symbol({
|
rspamd_config:register_symbol({
|
||||||
type = 'virtual,nostat',
|
type = 'virtual',
|
||||||
name = m['symbol_fail'],
|
name = m['symbol_fail'],
|
||||||
parent = id,
|
parent = id,
|
||||||
score = 0.0,
|
score = 0.0,
|
||||||
group = N
|
group = N
|
||||||
})
|
})
|
||||||
|
rspamd_config:register_symbol({
|
||||||
|
type = 'virtual',
|
||||||
|
name = m['symbol_encrypted'],
|
||||||
|
parent = id,
|
||||||
|
score = 0.0,
|
||||||
|
group = N
|
||||||
|
})
|
||||||
|
rspamd_config:register_symbol({
|
||||||
|
type = 'virtual',
|
||||||
|
name = m['symbol_macro'],
|
||||||
|
parent = id,
|
||||||
|
score = 0.0,
|
||||||
|
group = N
|
||||||
|
})
|
||||||
has_valid = true
|
has_valid = true
|
||||||
if type(m['patterns']) == 'table' then
|
if type(m['patterns']) == 'table' then
|
||||||
if m['patterns'][1] then
|
if m['patterns'][1] then
|
||||||
|
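Review bot: The `_FAIL` symbol's type changes from `'virtual,nostat'` to `'virtual'` in the first changed row of the hunk, which the commit title does not mention and, if `nostat` means what its name suggests, makes the failure symbol start feeding the statistics path; the new `_ENCRYPTED` and `_MACRO` registrations are likewise created without it. If the drop is deliberate, say so in the description; otherwise restore `type = 'virtual,nostat',` for the fail symbol and decide explicitly whether the two new outcome symbols should count for stats. The three registrations are copies differing only in the symbol name, so one loop would make the shared fields obvious and keep future flags in sync. The enclosing loop body starts before and ends after the hunk.
```lua
local id = rspamd_config:register_symbol(t)

-- the three outcome symbols share every field except their name
for _, key in ipairs({ 'symbol_fail', 'symbol_encrypted', 'symbol_macro' }) do
  rspamd_config:register_symbol({
    type = 'virtual,nostat', -- use 'virtual' only if feeding stats is intended
    name = m[key],
    parent = id,
    score = 0.0,
    group = N
  })
end
-- … unchanged: has_valid = true, patterns handling …
```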