mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21266 Commits
29 Branches
Tree: 90b73439d2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '90b73439d2'
${ noResults }
rspamd/lualib/lua_magic/patterns.lua

patterns.lua 8.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471 
  1. --[[

  2. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");

  5. you may not use this file except in compliance with the License.

  6. You may obtain a copy of the License at

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0

  9. 

  10. Unless required by applicable law or agreed to in writing, software

  11. distributed under the License is distributed on an "AS IS" BASIS,

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. See the License for the specific language governing permissions and

  14. limitations under the License.

  15. ]]--

  16. 

  17. --[[[

  18. -- @module lua_magic/patterns

  19. -- This module contains most common patterns

  20. --]]

  21. 

  22. local heuristics = require "lua_magic/heuristics"

  23. 

  24. local patterns = {

  25.   pdf = {

  26.     -- These are alternatives

  27.     matches = {

  28.       {

  29.         string = [[%PDF-[12]\.\d]],

  30.         position = { '<=', 1024 },

  31.         weight = 60,

  32.         heuristic = heuristics.pdf_format_heuristic

  33.       },

  34.       {

  35.         string = [[%FDF-[12]\.\d]],

  36.         position = { '<=', 1024 },

  37.         weight = 60,

  38.         heuristic = heuristics.pdf_format_heuristic

  39.       },

  40.     },

  41.   },

  42.   ps = {

  43.     matches = {

  44.       {

  45.         string = [[%!PS-Adobe]],

  46.         relative_position = 0,

  47.         weight = 60,

  48.       },

  49.     },

  50.   },

  51.   -- RTF document

  52.   rtf = {

  53.     matches = {

  54.       {

  55.         string = [[^{\\rt]],

  56.         position = 4,

  57.         weight = 60,

  58.       }

  59.     }

  60.   },

  61.   chm = {

  62.     matches = {

  63.       {

  64.         string = [[ITSF]],

  65.         relative_position = 0,

  66.         weight = 60,

  67.       }

  68.     }

  69.   },

  70.   djvu = {

  71.     matches = {

  72.       {

  73.         string = [[AT&TFORM]],

  74.         relative_position = 0,

  75.         weight = 60,

  76.       },

  77.       {

  78.         string = [[DJVM]],

  79.         relative_position = 0x0c,

  80.         weight = 60,

  81.       }

  82.     }

  83.   },

  84.   -- MS Office format, needs heuristic

  85.   ole = {

  86.     matches = {

  87.       {

  88.         hex = [[d0cf11e0a1b11ae1]],

  89.         relative_position = 0,

  90.         weight = 60,

  91.         heuristic = heuristics.ole_format_heuristic

  92.       }

  93.     }

  94.   },

  95.   -- MS Exe file

  96.   exe = {

  97.     matches = {

  98.       {

  99.         string = [[MZ]],

  100.         relative_position = 0,

  101.         weight = 15,

  102.       },

  103.       -- PE part

  104.       {

  105.         string = [[PE\x{00}\x{00}]],

  106.         position = { '>=', 0x3c + 4 },

  107.         weight = 15,

  108.         heuristic = heuristics.pe_part_heuristic,

  109.       }

  110.     }

  111.   },

  112.   elf = {

  113.     matches = {

  114.       {

  115.         hex = [[7f454c46]],

  116.         relative_position = 0,

  117.         weight = 60,

  118.       },

  119.     }

  120.   },

  121.   lnk = {

  122.     matches = {

  123.       {

  124.         hex = [[4C0000000114020000000000C000000000000046]],

  125.         relative_position = 0,

  126.         weight = 60,

  127.       },

  128.     }

  129.   },

  130.   bat = {

  131.     matches = {

  132.       {

  133.         string = [[(?i)@\s*ECHO\s+OFF]],

  134.         position = { '>=', 0 },

  135.         weight = 60,

  136.       },

  137.     }

  138.   },

  139.   class = {

  140.     -- Technically, this also matches MachO files, but I don't care about

  141.     -- Apple and their mental health problems here: just consider Java files,

  142.     -- Mach object files and all other cafe babes as bad and block them!

  143.     matches = {

  144.       {

  145.         hex = [[cafebabe]],

  146.         relative_position = 0,

  147.         weight = 60,

  148.       },

  149.     }

  150.   },

  151.   ics = {

  152.     matches = {

  153.       {

  154.         string = [[BEGIN:VCALENDAR]],

  155.         weight = 60,

  156.         relative_position = 0,

  157.       }

  158.     }

  159.   },

  160.   vcf = {

  161.     matches = {

  162.       {

  163.         string = [[BEGIN:VCARD]],

  164.         weight = 60,

  165.         relative_position = 0,

  166.       }

  167.     }

  168.   },

  169.   -- Archives

  170.   arj = {

  171.     matches = {

  172.       {

  173.         hex = '60EA',

  174.         relative_position = 0,

  175.         weight = 60,

  176.       },

  177.     }

  178.   },

  179.   ace = {

  180.     matches = {

  181.       {

  182.         string = [[\*\*ACE\*\*]],

  183.         position = 14,

  184.         weight = 60,

  185.       },

  186.     }

  187.   },

  188.   cab = {

  189.     matches = {

  190.       {

  191.         hex = [[4d53434600000000]], -- Can be anywhere for SFX :(

  192.         position = { '>=', 8 },

  193.         weight = 60,

  194.       },

  195.     }

  196.   },

  197.   tar = {

  198.     matches = {

  199.       {

  200.         string = [[ustar]],

  201.         relative_position = 257,

  202.         weight = 60,

  203.       },

  204.     }

  205.   },

  206.   bz2 = {

  207.     matches = {

  208.       {

  209.         string = "^BZ[h0]",

  210.         position = 3,

  211.         weight = 60,

  212.       },

  213.     }

  214.   },

  215.   lz4 = {

  216.     matches = {

  217.       {

  218.         hex = "04224d18",

  219.         relative_position = 0,

  220.         weight = 60,

  221.       },

  222.       {

  223.         hex = "03214c18",

  224.         relative_position = 0,

  225.         weight = 60,

  226.       },

  227.       {

  228.         hex = "02214c18",

  229.         relative_position = 0,

  230.         weight = 60,

  231.       },

  232.       {

  233.         -- MozLZ4

  234.         hex = '6d6f7a4c7a343000',

  235.         relative_position = 0,

  236.         weight = 60,

  237.       }

  238.     }

  239.   },

  240.   zst = {

  241.     matches = {

  242.       {

  243.         string = [[^[\x{22}-\x{40}]\x{B5}\x{2F}\x{FD}]],

  244.         position = 4,

  245.         weight = 60,

  246.       },

  247.     }

  248.   },

  249.   zoo = {

  250.     matches = {

  251.       {

  252.         hex = [[dca7c4fd]],

  253.         relative_position = 20,

  254.         weight = 60,

  255.       },

  256.     }

  257.   },

  258.   xar = {

  259.     matches = {

  260.       {

  261.         string = [[xar!]],

  262.         relative_position = 0,

  263.         weight = 60,

  264.       },

  265.     }

  266.   },

  267.   iso = {

  268.     matches = {

  269.       {

  270.         string = [[\x{01}CD001\x{01}]],

  271.         position = { '>=', 0x8000 + 7 }, -- first 32k is unused

  272.         weight = 60,

  273.       },

  274.     }

  275.   },

  276.   egg = {

  277.     -- ALZip egg

  278.     matches = {

  279.       {

  280.         string = [[EGGA]],

  281.         weight = 60,

  282.         relative_position = 0,

  283.       },

  284.     }

  285.   },

  286.   alz = {

  287.     -- ALZip alz

  288.     matches = {

  289.       {

  290.         string = [[ALZ\x{01}]],

  291.         weight = 60,

  292.         relative_position = 0,

  293.       },

  294.     }

  295.   },

  296.   -- Apple is a 'special' child: this needs to be matched at the data tail...

  297.   dmg = {

  298.     matches = {

  299.       {

  300.         string = [[koly\x{00}\x{00}\x{00}\x{04}]],

  301.         position = -512 + 8,

  302.         weight = 61,

  303.         tail = 512,

  304.       },

  305.     }

  306.   },

  307.   szdd = {

  308.     matches = {

  309.       {

  310.         hex = [[535a4444]],

  311.         relative_position = 0,

  312.         weight = 60,

  313.       },

  314.     }

  315.   },

  316.   xz = {

  317.     matches = {

  318.       {

  319.         hex = [[FD377A585A00]],

  320.         relative_position = 0,

  321.         weight = 60,

  322.       },

  323.     }

  324.   },

  325.   -- Images

  326.   psd = {

  327.     matches = {

  328.       {

  329.         string = [[8BPS]],

  330.         relative_position = 0,

  331.         weight = 60,

  332.       },

  333.     }

  334.   },

  335.   ico = {

  336.     matches = {

  337.       {

  338.         hex = [[00000100]],

  339.         relative_position = 0,

  340.         weight = 60,

  341.       },

  342.     }

  343.   },

  344.   pcx = {

  345.     matches = {

  346.       {

  347.         hex = [[0A050108]],

  348.         relative_position = 0,

  349.         weight = 60,

  350.       },

  351.     }

  352.   },

  353.   pic = {

  354.     matches = {

  355.       {

  356.         hex = [[FF80C9C71A00]],

  357.         relative_position = 0,

  358.         weight = 60,

  359.       },

  360.     }

  361.   },

  362.   swf = {

  363.     matches = {

  364.       {

  365.         hex = [[5a5753]], -- LZMA

  366.         relative_position = 0,

  367.         weight = 60,

  368.       },

  369.       {

  370.         hex = [[435753]], -- Zlib

  371.         relative_position = 0,

  372.         weight = 60,

  373.       },

  374.       {

  375.         hex = [[465753]], -- Uncompressed

  376.         relative_position = 0,

  377.         weight = 60,

  378.       },

  379.     }

  380.   },

  381.   tiff = {

  382.     matches = {

  383.       {

  384.         hex = [[49492a00]], -- LE encoded

  385.         relative_position = 0,

  386.         weight = 60,

  387.       },

  388.       {

  389.         hex = [[4d4d]], -- BE tiff

  390.         relative_position = 0,

  391.         weight = 60,

  392.       },

  393.     }

  394.   },

  395.   -- Other

  396.   pgp = {

  397.     matches = {

  398.       {

  399.         hex = [[A803504750]],

  400.         relative_position = 0,

  401.         weight = 60,

  402.       },

  403.       {

  404.         hex = [[2D424547494E20504750204D4553534147452D]],

  405.         relative_position = 0,

  406.         weight = 60,

  407.       },

  408.     }

  409.   },

  410.   uue = {

  411.     matches = {

  412.       {

  413.         hex = [[626567696e20]],

  414.         relative_position = 0,

  415.         weight = 60,

  416.       },

  417.     }

  418.   },

  419.   dwg = {

  420.     matches = {

  421.       {

  422.         string = '^AC10[12][2-9]',

  423.         position = 6,

  424.         weight = 60,

  425.       }

  426.     }

  427.   },

  428.   jpg = {

  429.     matches = {

  430.       { -- JPEG2000

  431.         hex = [[0000000c6a5020200d0a870a]],

  432.         relative_position = 0,

  433.         weight = 60,

  434.       },

  435.       {

  436.         string = [[^\x{ff}\x{d8}\x{ff}]],

  437.         weight = 60,

  438.         position = 3,

  439.       },

  440.     },

  441.   },

  442.   png = {

  443.     matches = {

  444.       {

  445.         string = [[^\x{89}PNG\x{0d}\x{0a}\x{1a}\x{0a}]],

  446.         position = 8,

  447.         weight = 60,

  448.       },

  449.     }

  450.   },

  451.   gif = {

  452.     matches = {

  453.       {

  454.         string = [[^GIF8\d]],

  455.         position = 5,

  456.         weight = 60,

  457.       },

  458.     }

  459.   },

  460.   bmp = {

  461.     matches = {

  462.       {

  463.         string = [[^BM...\x{00}\x{00}\x{00}\x{00}]],

  464.         position = 9,

  465.         weight = 60,

  466.       },

  467.     }

  468.   },

  469. }

  470. 

  471. return patterns