author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2019-11-27 14:53:27 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2019-11-27 14:53:27 +0000 |
commit | 17d100afebda176346bb7f929507a9eab49b6678 (patch) | |
tree | cd2338a9e37e8265cabe5624094a319a2183f6ff | |
parent | dcb3a9cfac9d0c9f1024c2ee90cd12ed1583e892 (diff) | |
download | rspamd-17d100afebda176346bb7f929507a9eab49b6678.tar.gz rspamd-17d100afebda176346bb7f929507a9eab49b6678.zip |
[Rules] Add PDF related rules
-rw-r--r-- | conf/groups.conf | 6 | ||||
-rw-r--r-- | conf/scores.d/content_group.conf | 37 | ||||
-rw-r--r-- | rules/content.lua | 88 | ||||
-rw-r--r-- | rules/rspamd.lua | 1 |
4 files changed, 132 insertions, 0 deletions
diff --git a/conf/groups.conf b/conf/groups.conf
index bf783cc2f..dcea1bcd0 100644
--- a/conf/groups.conf
+++ b/conf/groups.conf
@@ -116,5 +116,11 @@ group "external_services" {
 .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/external_services_group.conf"
 }
+group "content" {
+ .include "$CONFDIR/scores.d/content_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/content_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/content_group.conf"
+}
+
 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/groups.conf"
 .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/groups.conf"
diff --git a/conf/scores.d/content_group.conf b/conf/scores.d/content_group.conf
new file mode 100644
index 000000000..b53ec31d0
--- /dev/null
+++ b/conf/scores.d/content_group.conf
@@ -0,0 +1,37 @@
+# Content matching rules
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+description = "Content rules";
+
+symbols = {
+ "PDF_ENCRYPTED" {
+ weight = 0.3;
+ description = "There is an encrypted PDF in the message";
+ one_shot = true;
+ }
+ "PDF_JAVASCRIPT" {
+ weight = 0.1;
+ description = "There is an PDF with JavaScript in the message";
+ one_shot = true;
+ }
+ "PDF_SUSPICIOUS" {
+ weight = 4.5;
+ description = "There is an PDF with suspicious properties in the message";
+ one_shot = true;
+ }
+}
+
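Review bot: The descriptions of PDF_JAVASCRIPT and PDF_SUSPICIOUS read "There is an PDF …", which should be `description = "There is a PDF with JavaScript in the message";` and `description = "There is a PDF with suspicious properties in the message";`. The weight of PDF_SUSPICIOUS is multiplied by the dynamic factor that rules/content.lua passes to insert_result (only above 0.5, capped at 1.0), so the symbol adds between roughly 2.25 and 4.5 points when it fires; a comment above it such as `# weight is scaled by the suspicious factor computed in rules/content.lua` would help anyone tuning the score.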
diff --git a/rules/content.lua b/rules/content.lua
new file mode 100644
index 000000000..718fd22c1
--- /dev/null
+++ b/rules/content.lua
@@ -0,0 +1,88 @@
+--[[
+Copyright (c) 2019, Vsevolod Stakhov <vsevolod@highsecure.ru>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+]]--
+
+local function process_pdf_specific(task, part, specific)
+ local suspicious_factor = 0
+ if specific.encrypted then
+ task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename())
+ suspicious_factor = suspicious_factor + 0.1
+ if specific.openaction then
+ suspicious_factor = suspicious_factor + 0.5
+ end
+ end
+
+ if specific.javascript then
+ task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename())
+ suspicious_factor = suspicious_factor + 0.1
+ if specific.openaction then
+ suspicious_factor = suspicious_factor + 0.5
+ end
+ end
+
+ if specific.suspicious then
+ suspicious_factor = suspicious_factor + 0.7
+ end
+
+ if suspicious_factor > 0.5 then
+ if suspicious_factor > 1.0 then suspicious_factor = 1.0 end
+ task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename())
+ end
+end
+
+local tags_processors = {
+ pdf = process_pdf_specific
+}
+
+local function process_specific_cb(task)
+ local parts = task:get_parts() or {}
+
+ for _,p in ipairs(parts) do
+ if p:is_specific() then
+ local data = p:get_specific()
+
+ if data and type(data) == 'table' and data.tag then
+ if tags_processors[data.tag] then
+ tags_processors[data.tag](task, p, data)
+ end
+ end
+ end
+ end
+end
+
+local id = rspamd_config:register_symbol{
+ type = 'callback',
+ name = 'SPECIFIC_CONTENT_CHECK',
+ callback = process_specific_cb
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'PDF_ENCRYPTED',
+ parent = id,
+ groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'PDF_JAVASCRIPT',
+ parent = id,
+ groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'PDF_SUSPICIOUS',
+ parent = id,
+ groups = {"content", "pdf"},
+}
diff --git a/rules/rspamd.lua b/rules/rspamd.lua
index e82eee4fa..8ce90b0d0 100644
--- a/rules/rspamd.lua
+++ b/rules/rspamd.lua
@@ -37,6 +37,7 @@ dofile(local_rules .. '/http_headers.lua')
 dofile(local_rules .. '/forwarding.lua')
 dofile(local_rules .. '/mid.lua')
 dofile(local_rules .. '/bitcoin.lua')
+dofile(local_rules .. '/content.lua')
 if rspamd_util.file_exists(local_conf .. '/rspamd.local.lua') then
 dofile(local_conf .. '/rspamd.local.lua') |
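Review bot: The scoring in process_pdf_specific is undocumented: the 0.1/0.5/0.7 increments, the `> 0.5` threshold for PDF_SUSPICIOUS and the 1.0 cap are magic numbers, and because the openaction bonus is added in both the encrypted and the javascript branch a PDF with all three flags reaches 1.2 before the cap, which a reader cannot tell is intended. A header comment along the lines of `-- Scores a PDF part 0..1 from the parser's flags: encrypted +0.1, javascript +0.1, each +0.5 more with an OpenAction, suspicious +0.7; PDF_SUSPICIOUS fires above 0.5 with the capped score as its weight` would state that contract. In process_specific_cb the `data and` in `if data and type(data) == 'table' and data.tag then` is redundant, since `type(nil)` is never 'table', and the two lookups of `tags_processors[data.tag]` could be a single `local handler = tags_processors[data.tag]` followed by `if handler then handler(task, p, data) end`. part:get_filename() is passed as the symbol option without a nil guard; if a PDF part can lack a filename the option would presumably just be absent, which looks harmless but is worth confirming.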