mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17607 Commits
29 Branches
Tree: 68badebdac
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '68badebdac'
${ noResults }
rspamd/lualib/lua_magic/patterns.lua

patterns.lua 7.9KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452 
  1. --[[

  2. Copyright (c) 2019, Vsevolod Stakhov <vsevolod@highsecure.ru>

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");

  5. you may not use this file except in compliance with the License.

  6. You may obtain a copy of the License at

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0

  9. 

  10. Unless required by applicable law or agreed to in writing, software

  11. distributed under the License is distributed on an "AS IS" BASIS,

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. See the License for the specific language governing permissions and

  14. limitations under the License.

  15. ]]--

  16. 

  17. --[[[

  18. -- @module lua_magic/patterns

  19. -- This module contains most common patterns

  20. --]]

  21. 

  22. local heuristics = require "lua_magic/heuristics"

  23. 

  24. local patterns = {

  25.   pdf = {

  26.     -- These are alternatives

  27.     matches = {

  28.       {

  29.         string = [[%PDF-[12]\.\d]],

  30.         position = {'<=', 1024},

  31.         weight = 60,

  32.         heuristic = heuristics.pdf_format_heuristic

  33.       },

  34.       {

  35.         string = [[%FDF-[12]\.\d]],

  36.         position = {'<=', 1024},

  37.         weight = 60,

  38.         heuristic = heuristics.pdf_format_heuristic

  39.       },

  40.     },

  41.   },

  42.   ps = {

  43.     matches = {

  44.       {

  45.         string = [[%!PS-Adobe]],

  46.         relative_position = 0,

  47.         weight = 60,

  48.       },

  49.     },

  50.   },

  51.   -- RTF document

  52.   rtf = {

  53.     matches = {

  54.       {

  55.         string = [[^{\\rt]],

  56.         position = 4,

  57.         weight = 60,

  58.       }

  59.     }

  60.   },

  61.   chm = {

  62.     matches = {

  63.       {

  64.         string = [[ITSF]],

  65.         relative_position = 0,

  66.         weight = 60,

  67.       }

  68.     }

  69.   },

  70.   djvu = {

  71.     matches = {

  72.       {

  73.         string = [[AT&TFORM]],

  74.         relative_position = 0,

  75.         weight = 60,

  76.       },

  77.       {

  78.         string = [[DJVM]],

  79.         relative_position = 0x0c,

  80.         weight = 60,

  81.       }

  82.     }

  83.   },

  84.   -- MS Office format, needs heuristic

  85.   ole = {

  86.     matches = {

  87.       {

  88.         hex = [[d0cf11e0a1b11ae1]],

  89.         relative_position = 0,

  90.         weight = 60,

  91.         heuristic = heuristics.ole_format_heuristic

  92.       }

  93.     }

  94.   },

  95.   -- MS Exe file

  96.   exe = {

  97.     matches = {

  98.       {

  99.         string = [[MZ]],

  100.         relative_position = 0,

  101.         weight = 15,

  102.       },

  103.       -- PE part

  104.       {

  105.         string = [[PE\x{00}\x{00}]],

  106.         position = {'>=', 0x3c + 4},

  107.         weight = 15,

  108.       }

  109.     }

  110.   },

  111.   elf = {

  112.     matches = {

  113.       {

  114.         hex = [[7f454c46]],

  115.         relative_position = 0,

  116.         weight = 60,

  117.       },

  118.     }

  119.   },

  120.   lnk = {

  121.     matches = {

  122.       {

  123.         hex = [[4C0000000114020000000000C000000000000046]],

  124.         relative_position = 0,

  125.         weight = 60,

  126.       },

  127.     }

  128.   },

  129.   bat = {

  130.     matches = {

  131.       {

  132.         string = [[(?i)@\s*ECHO\s+OFF]],

  133.         position = {'>=', 0},

  134.         weight = 60,

  135.       },

  136.     }

  137.   },

  138.   class = {

  139.     -- Technically, this also matches MachO files, but I don't care about

  140.     -- Apple and their mental health problems here: just consider Java files,

  141.     -- Mach object files and all other cafe babes as bad and block them!

  142.     matches = {

  143.       {

  144.         hex = [[cafebabe]],

  145.         relative_position = 0,

  146.         weight = 60,

  147.       },

  148.     }

  149.   },

  150.   -- Archives

  151.   arj = {

  152.     matches = {

  153.       {

  154.         hex = '60EA',

  155.         relative_position = 0,

  156.         weight = 60,

  157.       },

  158.     }

  159.   },

  160.   ace = {

  161.     matches = {

  162.       {

  163.         string = [[\*\*ACE\*\*]],

  164.         position = 14,

  165.         weight = 60,

  166.       },

  167.     }

  168.   },

  169.   cab = {

  170.     matches = {

  171.       {

  172.         hex = [[4d53434600000000]], -- Can be anywhere for SFX :(

  173.         position = {'>=', 8},

  174.         weight = 60,

  175.       },

  176.     }

  177.   },

  178.   tar = {

  179.     matches = {

  180.       {

  181.         string = [[ustar]],

  182.         relative_position = 257,

  183.         weight = 60,

  184.       },

  185.     }

  186.   },

  187.   bz2 = {

  188.     matches = {

  189.       {

  190.         string = "^BZ[h0]",

  191.         position = 3,

  192.         weight = 60,

  193.       },

  194.     }

  195.   },

  196.   lz4 = {

  197.     matches = {

  198.       {

  199.         hex = "04224d18",

  200.         relative_position = 0,

  201.         weight = 60,

  202.       },

  203.       {

  204.         hex = "03214c18",

  205.         relative_position = 0,

  206.         weight = 60,

  207.       },

  208.       {

  209.         hex = "02214c18",

  210.         relative_position = 0,

  211.         weight = 60,

  212.       },

  213.       {

  214.         -- MozLZ4

  215.         hex = '6d6f7a4c7a343000',

  216.         relative_position = 0,

  217.         weight = 60,

  218.       }

  219.     }

  220.   },

  221.   zst = {

  222.     matches = {

  223.       {

  224.         string = [[^[\x{22}-\x{40}]\x{B5}\x{2F}\x{FD}]],

  225.         position = 4,

  226.         weight = 60,

  227.       },

  228.     }

  229.   },

  230.   zoo = {

  231.     matches = {

  232.       {

  233.         hex = [[dca7c4fd]],

  234.         relative_position = 20,

  235.         weight = 60,

  236.       },

  237.     }

  238.   },

  239.   xar = {

  240.     matches = {

  241.       {

  242.         string = [[xar!]],

  243.         relative_position = 0,

  244.         weight = 60,

  245.       },

  246.     }

  247.   },

  248.   iso = {

  249.     matches = {

  250.       {

  251.         string = [[\x{01}CD001\x{01}]],

  252.         position = {'>=', 0x8000 + 7}, -- first 32k is unused

  253.         weight = 60,

  254.       },

  255.     }

  256.   },

  257.   egg = {

  258.     -- ALZip egg

  259.     matches = {

  260.       {

  261.         string = [[EGGA]],

  262.         weight = 60,

  263.         relative_position = 0,

  264.       },

  265.     }

  266.   },

  267.   alz = {

  268.     -- ALZip alz

  269.     matches = {

  270.       {

  271.         string = [[ALZ\x{01}]],

  272.         weight = 60,

  273.         relative_position = 0,

  274.       },

  275.     }

  276.   },

  277.   -- Apple is a 'special' child: this needs to be matched at the data tail...

  278.   dmg = {

  279.     matches = {

  280.       {

  281.         string = [[koly\x{00}\x{00}\x{00}\x{04}]],

  282.         position = -512 + 8,

  283.         weight = 61,

  284.         tail = 512,

  285.       },

  286.     }

  287.   },

  288.   szdd = {

  289.     matches = {

  290.       {

  291.         hex = [[535a4444]],

  292.         relative_position = 0,

  293.         weight = 60,

  294.       },

  295.     }

  296.   },

  297.   xz = {

  298.     matches = {

  299.       {

  300.         hex = [[FD377A585A00]],

  301.         relative_position = 0,

  302.         weight = 60,

  303.       },

  304.     }

  305.   },

  306.   -- Images

  307.   psd = {

  308.     matches = {

  309.       {

  310.         string = [[8BPS]],

  311.         relative_position = 0,

  312.         weight = 60,

  313.       },

  314.     }

  315.   },

  316.   ico = {

  317.     matches = {

  318.       {

  319.         hex = [[00000100]],

  320.         relative_position = 0,

  321.         weight = 60,

  322.       },

  323.     }

  324.   },

  325.   pcx = {

  326.     matches = {

  327.       {

  328.         hex = [[0A050108]],

  329.         relative_position = 0,

  330.         weight = 60,

  331.       },

  332.     }

  333.   },

  334.   pic = {

  335.     matches = {

  336.       {

  337.         hex = [[FF80C9C71A00]],

  338.         relative_position = 0,

  339.         weight = 60,

  340.       },

  341.     }

  342.   },

  343.   swf = {

  344.     matches = {

  345.       {

  346.         hex = [[5a5753]], -- LZMA

  347.         relative_position = 0,

  348.         weight = 60,

  349.       },

  350.       {

  351.         hex = [[435753]], -- Zlib

  352.         relative_position = 0,

  353.         weight = 60,

  354.       },

  355.       {

  356.         hex = [[465753]], -- Uncompressed

  357.         relative_position = 0,

  358.         weight = 60,

  359.       },

  360.     }

  361.   },

  362.   tiff = {

  363.     matches = {

  364.       {

  365.         hex = [[49492a00]], -- LE encoded

  366.         relative_position = 0,

  367.         weight = 60,

  368.       },

  369.       {

  370.         hex = [[4d4d]], -- BE tiff

  371.         relative_position = 0,

  372.         weight = 60,

  373.       },

  374.     }

  375.   },

  376.   -- Other

  377.   pgp = {

  378.     matches = {

  379.       {

  380.         hex = [[A803504750]],

  381.         relative_position = 0,

  382.         weight = 60,

  383.       },

  384.       {

  385.         hex = [[2D424547494E20504750204D4553534147452D]],

  386.         relative_position = 0,

  387.         weight = 60,

  388.       },

  389.     }

  390.   },

  391.   uue = {

  392.     matches = {

  393.       {

  394.         hex = [[626567696e20]],

  395.         relative_position = 0,

  396.         weight = 60,

  397.       },

  398.     }

  399.   },

  400.   dwg = {

  401.     matches = {

  402.       {

  403.         string = '^AC10[12][2-9]',

  404.         position = 6,

  405.         weight = 60,

  406.       }

  407.     }

  408.   },

  409.   jpg = {

  410.     matches = {

  411.       { -- JPEG2000

  412.         hex = [[0000000c6a5020200d0a870a]],

  413.         relative_position = 0,

  414.         weight = 60,

  415.       },

  416.       {

  417.         string = [[^\x{ff}\x{d8}\x{ff}]],

  418.         weight = 60,

  419.         position = 3,

  420.       },

  421.     },

  422.   },

  423.   png = {

  424.     matches = {

  425.       {

  426.         string = [[^\x{89}PNG\x{0d}\x{0a}\x{1a}\x{0a}]],

  427.         position = 8,

  428.         weight = 60,

  429.       },

  430.     }

  431.   },

  432.   gif = {

  433.     matches = {

  434.       {

  435.         string = [[^GIF8\d]],

  436.         position = 5,

  437.         weight = 60,

  438.       },

  439.     }

  440.   },

  441.   bmp = {

  442.     matches = {

  443.       {

  444.         string = [[^BM...\x{00}\x{00}\x{00}\x{00}]],

  445.         position = 9,

  446.         weight = 60,

  447.       },

  448.     }

  449.   },

  450. }

  451. 

  452. return patterns