diff options
| author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2021-01-04 16:00:11 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-04 16:00:11 +0000 |
| commit | 2b10e6967d1dcf6e6584a333f10b2dec5802b74e (patch) | |
| tree | 86750a900c6db4f2514c9cb9af8ebee8d547b85f | |
| parent | fe2a739af4ad2bce76600e7386fc0ad12c3da354 (diff) | |
| parent | 7679fd1222d6e7b6bbead83aa0ea7c2a5effdc21 (diff) | |
| download | rspamd-2b10e6967d1dcf6e6584a333f10b2dec5802b74e.tar.gz rspamd-2b10e6967d1dcf6e6584a333f10b2dec5802b74e.zip | |
Merge pull request #3595 from fatalbanana/exe_heuristic
[Minor] Magic: try avoid false positive exe detection
| -rw-r--r-- | lualib/lua_magic/heuristics.lua | 18 | ||||
| -rw-r--r-- | lualib/lua_magic/patterns.lua | 3 |
2 files changed, 20 insertions, 1 deletions
diff --git a/lualib/lua_magic/heuristics.lua b/lualib/lua_magic/heuristics.lua index d9a7702a4..fb0a4b7c2 100644 --- a/lualib/lua_magic/heuristics.lua +++ b/lualib/lua_magic/heuristics.lua @@ -471,4 +471,22 @@ exports.pdf_format_heuristic = function(input, log_obj, pos, part) return 'pdf',weight end +exports.pe_part_heuristic = function(input, log_obj, pos, part) + if not input then + return + end + + local pe_ptr_bin = input:sub(60, 64) + if #pe_ptr_bin ~= 4 then + return + end + + local pe_ptr = rspamd_util.unpack("<H", pe_ptr_bin) + if pe_ptr ~= pos then + return + end + + return 'exe',15 +end + return exports diff --git a/lualib/lua_magic/patterns.lua b/lualib/lua_magic/patterns.lua index 5e62b47f9..8bdc7ea44 100644 --- a/lualib/lua_magic/patterns.lua +++ b/lualib/lua_magic/patterns.lua @@ -105,6 +105,7 @@ local patterns = { string = [[PE\x{00}\x{00}]], position = {'>=', 0x3c + 4}, weight = 15, + heuristic = heuristics.pe_part_heuristic, } } }, @@ -458,4 +459,4 @@ local patterns = { }, } -return patterns
\ No newline at end of file +return patterns |