summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCarsten Rosenberg <c.rosenberg@heinlein-support.de>2019-10-08 21:00:31 +0200
committerCarsten Rosenberg <c.rosenberg@heinlein-support.de>2019-10-08 21:00:31 +0200
commite45b99bdb699922e4558b2ff28ea5f85a8968d93 (patch)
tree4c191bd928bd457f797123f0bd5852c52420583e
parentf6f3788672ea1bc06a03e6d86e0827fee5429c0e (diff)
downloadrspamd-e45b99bdb699922e4558b2ff28ea5f85a8968d93.tar.gz
rspamd-e45b99bdb699922e4558b2ff28ea5f85a8968d93.zip
[Minor] lua_scanners - adopt excrypted / macro support
-rw-r--r--lualib/lua_scanners/clamav.lua4
-rw-r--r--lualib/lua_scanners/oletools.lua7
-rw-r--r--src/plugins/lua/antivirus.lua1
-rw-r--r--src/plugins/lua/external_services.lua26
4 files changed, 33 insertions, 5 deletions
diff --git a/lualib/lua_scanners/clamav.lua b/lualib/lua_scanners/clamav.lua
index f95f96d92..2862ce025 100644
--- a/lualib/lua_scanners/clamav.lua
+++ b/lualib/lua_scanners/clamav.lua
@@ -140,6 +140,10 @@ local function clamav_check(task, content, digest, rule)
rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)
common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted')
cached = 'encrypted'
+ elseif string.find(vname, '^Heuristics%.OLE2%.ContainsMacros') then
+ rspamd_logger.errx(task, '%s: ClamAV Found an OLE2 Office Macro', rule.log_prefix)
+ common.yield_result(task, rule, vname, 0.0, 'macro')
+ elseif vname then
elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then
rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix)
common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail')
diff --git a/lualib/lua_scanners/oletools.lua b/lualib/lua_scanners/oletools.lua
index 4bdf7747d..8474a1847 100644
--- a/lualib/lua_scanners/oletools.lua
+++ b/lualib/lua_scanners/oletools.lua
@@ -184,6 +184,11 @@ local function oletools_check(task, content, digest, rule)
end
elseif result[3]['return_code'] == 9 then
rspamd_logger.warnx(task, '%s: File is encrypted.', rule.log_prefix)
+ common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'encrypted')
+ common.save_cache(task, digest, rule, 'encrypted')
+ elseif result[3]['return_code'] == 5 then
+ rspamd_logger.warnx(task, '%s: olefy could not open the file - error: %s', rule.log_prefix,
+ result[2]['message'])
common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'fail')
elseif result[3]['return_code'] > 6 then
rspamd_logger.errx(task, '%s: Error Returned: %s',
@@ -196,7 +201,7 @@ local function oletools_check(task, content, digest, rule)
rule.log_prefix, result[2]['message'])
oletools_requery(oletools_rc[result[3]['return_code']])
elseif type(result[2]['analysis']) == 'table' and #result[2]['analysis'] == 0
- and #result[2]['macros'] == 0 then
+ and #result[2]['macros'] == 0 then
rspamd_logger.warnx(task, '%s: maybe unhandled python or oletools error', rule.log_prefix)
common.yield_result(task, rule, 'oletools unhandled error', 0.0, 'fail')
elseif type(result[2]['analysis']) ~= 'table' and #result[2]['macros'] == 0 then
diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index 8d84887d0..4c89526a5 100644
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
@@ -87,7 +87,6 @@ local function add_antivirus_rule(sym, opts)
if not opts.symbol_fail then
opts.symbol_fail = opts.symbol .. '_FAIL'
end
-
if not opts.symbol_encrypted then
opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
end
diff --git a/src/plugins/lua/external_services.lua b/src/plugins/lua/external_services.lua
index 4858979e1..4e0ee29c9 100644
--- a/src/plugins/lua/external_services.lua
+++ b/src/plugins/lua/external_services.lua
@@ -136,8 +136,14 @@ local function add_scanner_rule(sym, opts)
rule.type = opts.type
- if not rule.symbol_fail then
- rule.symbol_fail = opts.symbol .. '_FAIL'
+ if not opts.symbol_fail then
+ opts.symbol_fail = opts.symbol .. '_FAIL'
+ end
+ if not opts.symbol_encrypted then
+ opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
+ end
+ if not opts.symbol_macro then
+ opts.symbol_macro = opts.symbol .. '_MACRO'
end
rule.redis_params = redis_params
@@ -215,12 +221,26 @@ if opts and type(opts) == 'table' then
local id = rspamd_config:register_symbol(t)
rspamd_config:register_symbol({
- type = 'virtual,nostat',
+ type = 'virtual',
name = m['symbol_fail'],
parent = id,
score = 0.0,
group = N
})
+ rspamd_config:register_symbol({
+ type = 'virtual',
+ name = m['symbol_encrypted'],
+ parent = id,
+ score = 0.0,
+ group = N
+ })
+ rspamd_config:register_symbol({
+ type = 'virtual',
+ name = m['symbol_macro'],
+ parent = id,
+ score = 0.0,
+ group = N
+ })
has_valid = true
if type(m['patterns']) == 'table' then
if m['patterns'][1] then