authorVsevolod Stakhov <vsevolod@highsecure.ru>2019-01-28 12:31:01 +0000
committerGitHub <noreply@github.com>2019-01-28 12:31:01 +0000
commit920f33853e5f22e02bb8baa411bd835f6246cde6 (patch)
tree97b96bb6ad265b0b58317eabe8ea860695f05300
parent5d26b7112b85bb00d1adc2245ff1369304e8e7c3 (diff)
parent59b5ff6ccc8182a23beaf5774263f175e8cf7cef (diff)
Merge pull request #2736 from HeinleinSupport/lua_scanners
Lua scanners
-rw-r--r--lualib/lua_scanners/common.lua43
-rw-r--r--lualib/lua_scanners/icap.lua31
-rw-r--r--lualib/lua_scanners/oletools.lua4
3 files changed, 59 insertions, 19 deletions
diff --git a/lualib/lua_scanners/common.lua b/lualib/lua_scanners/common.lua
index 0eeb44bc3..2a748eaa5 100644
--- a/lualib/lua_scanners/common.lua
+++ b/lualib/lua_scanners/common.lua
@@ -270,9 +270,10 @@ end
local function check_parts_match(task, rule)
local filter_func = function(p)
- local content_type,content_subtype = p:get_type()
+ local mtype,msubtype = p:get_type()
+ local dmtype,dmsubtype = p:get_detected_type()
local fname = p:get_filename()
- local ext, ext2, part_table
+ local ext, ext2
local extension_check = false
local content_type_check = false
local text_part_min_words_check = true
@@ -280,9 +281,7 @@ local function check_parts_match(task, rule)
if rule.scan_all_mime_parts == false then
-- check file extension and filename regex matching
if fname ~= nil then
- ext,ext2,part_table = gen_extension(fname)
- lua_util.debugm(rule.name, task, '%s: extension found: %s - 2.ext: %s - parts: %s',
- rule.log_prefix, ext, ext2, part_table)
+ ext,ext2 = gen_extension(fname)
if match_filter(task, ext, rule.mime_parts_filter_ext)
or match_filter(task, ext2, rule.mime_parts_filter_ext) then
lua_util.debugm(rule.name, task, '%s: extension matched: %s', rule.log_prefix, ext)
@@ -292,14 +291,38 @@ local function check_parts_match(task, rule)
content_type_check = true
end
end
- -- check content type regex matching
- if content_type ~= nil and content_subtype ~= nil then
- if match_filter(task, content_type..'/'..content_subtype, rule.mime_parts_filter_regex) then
- lua_util.debugm(rule.name, task, '%s: regex ct: %s', rule.log_prefix,
- content_type..'/'..content_subtype)
+ -- check content type string regex matching
+ if mtype ~= nil and msubtype ~= nil then
+ local ct = string.format('%s/%s', mtype, msubtype):lower()
+ if match_filter(task, ct, rule.mime_parts_filter_regex) then
+ lua_util.debugm(rule.name, task, '%s: regex content-type: %s', rule.log_prefix, ct)
content_type_check = true
end
end
+ -- check detected content type (libmagic) regex matching
+ if dmtype ~= nil and dmsubtype ~= nil then
+ local ct = string.format('%s/%s', mtype, msubtype):lower()
+ if match_filter(task, ct, rule.mime_parts_filter_regex) then
+ lua_util.debugm(rule.name, task, '%s: regex detected libmagic content-type: %s', rule.log_prefix, ct)
+ content_type_check = true
+ end
+ end
+ -- check filenames in archives
+ if p:is_archive() then
+ local arch = p:get_archive()
+ local filelist = arch:get_files_full()
+ for _,f in ipairs(filelist) do
+ ext,ext2 = gen_extension(f.name)
+ if match_filter(task, ext, rule.mime_parts_filter_ext)
+ or match_filter(task, ext2, rule.mime_parts_filter_ext) then
+ lua_util.debugm(rule.name, task, '%s: extension matched in archive: %s', rule.log_prefix, ext)
+ extension_check = true
+ end
+ if match_filter(task, f.name, rule.mime_parts_filter_regex) then
+ content_type_check = true
+ end
+ end
+ end
end
-- check text_part has more words than text_part_min_words_check
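Review bot: The libmagic branch never uses the detected type: after guarding on `dmtype`/`dmsubtype`, the `ct` built on the line `local ct = string.format('%s/%s', mtype, msubtype):lower()` is the declared Content-Type again, so this block just repeats the check above it and a part whose declared type is spoofed (e.g. an executable sent as `text/plain`) is still only matched on the attacker-controlled header. It should read `local ct = string.format('%s/%s', dmtype, dmsubtype):lower()`, and the debug line below it should then print that `ct`. The archive loop also passes `f.name` straight into `gen_extension` and `match_filter`; I cannot see `get_files_full`'s contract from here, so if an entry can lack a name a `if f.name then` guard is cheap. The enclosing `check_parts_match` continues outside this hunk.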
diff --git a/lualib/lua_scanners/icap.lua b/lualib/lua_scanners/icap.lua
index 300243337..6ddd5fee6 100644
--- a/lualib/lua_scanners/icap.lua
+++ b/lualib/lua_scanners/icap.lua
@@ -44,8 +44,6 @@ local function icap_check(task, content, digest, rule)
"Encapsulated: null-body=0\r\n\r\n",
}
local size = string.format("%x", tonumber(#content))
- lua_util.debugm(rule.name, task, '%s: size: %s',
- rule.log_prefix, size)
local function get_respond_query()
table.insert(respond_headers, 1,
@@ -69,9 +67,11 @@ local function icap_check(task, content, digest, rule)
if string.find(s, '^ICAP') then
icap_headers['icap'] = s
end
- if string.find(s, '[%a%d-+]-: ') then
- local _,_,key,value = tostring(s):find("([%a%d-+]-):%s(.+)")
- icap_headers[key] = value
+ if string.find(s, '[%a%d-+]-:') then
+ local _,_,key,value = tostring(s):find("([%a%d-+]-):%s?(.+)")
+ if key ~= nil then
+ icap_headers[key] = value
+ end
end
end
lua_util.debugm(rule.name, task, '%s: icap_headers: %s',
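Review bot: The new `if key ~= nil` guard does not cover an empty key: a response line beginning with `:` satisfies `[%a%d-+]-:` and the lazy capture returns `key == ""`, which is then stored under the empty string. The captured value is also stored untrimmed, so if the line split (outside this hunk) leaves a trailing `\r` or the server pads the value, later exact comparisons on these headers will not match. I would tighten it to `if key ~= nil and key ~= '' then` and normalise with `value = value:match('^%s*(.-)%s*$')` before `icap_headers[key] = value`. Note also that header names are stored case-sensitively while ICAP header names are case-insensitive; whether any deployed scanner lowercases them I cannot tell from here.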
@@ -94,6 +94,14 @@ local function icap_check(task, content, digest, rule)
X-Infection-Found: Type=2; Resolution=2; Threat=Encrypted container violation;
Sophos Strings:
X-Virus-ID: Troj/DocDl-OYC
+ Kaspersky Strings:
+ X-Virus-ID: HEUR:Backdoor.Java.QRat.gen
+ X-Response-Info: blocked
+
+ X-Virus-ID: no threats
+ X-Response-Info: blocked
+
+ X-Response-Info: passed
]] --
if icap_headers['X-Infection-Found'] ~= nil then
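Review bot: The comment block now documents a Kaspersky reply of `X-Virus-ID: no threats` together with `X-Response-Info: blocked`, but none of the visible hunks ever read `X-Response-Info`, so a response the scanner blocked without naming a threat (the second Kaspersky example) falls through this chain as clean. If a block without a threat name should be surfaced, add a branch after the X-Virus-ID case such as `elseif icap_headers['X-Response-Info'] == 'blocked' then` that records a generic threat string, and state in the comment that `passed` is the only value treated as clean. Whether the caller would treat such a nameless detection correctly I cannot tell from this hunk; `icap_check` continues outside it.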
@@ -111,10 +119,19 @@ local function icap_check(task, content, digest, rule)
table.insert(threat_string, icap_threat)
end
- elseif icap_headers['X-Virus-ID'] ~= nil then
+ elseif icap_headers['X-Virus-ID'] ~= nil and icap_headers['X-Virus-ID'] ~= "no threats" then
lua_util.debugm(rule.name, task,
'%s: icap X-Virus-ID: %s', rule.log_prefix, icap_headers['X-Virus-ID'])
- table.insert(threat_string, icap_headers['X-Virus-ID'])
+
+ if string.find(icap_headers['X-Virus-ID'], ', ') then
+ local vnames = rspamd_str_split(string.gsub(icap_headers['X-Virus-ID'], "%s", ""), ',') or {}
+
+ for _,v in ipairs(vnames) do
+ table.insert(threat_string, v)
+ end
+ else
+ table.insert(threat_string, icap_headers['X-Virus-ID'])
+ end
end
if #threat_string > 0 then
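Review bot: The `string.gsub(icap_headers['X-Virus-ID'], "%s", "")` on the split path removes every whitespace character, including spaces inside a threat name, so a multi-name header such as `Troj/DocDl-OYC, Encrypted container violation` is reported as `Encryptedcontainerviolation`, and the `, ` test means a comma without a following space is never split at all. Split on the comma first and trim each piece, as below. Separately, the new `~= "no threats"` comparison is an exact match, so a differently cased or whitespace-padded variant would be inserted as a threat named "no threats" and produce a false detection; comparing `:lower()`-ed and trimmed text is safer, though I cannot confirm Kaspersky's exact output from here.
```lua
elseif icap_headers['X-Virus-ID'] ~= nil and icap_headers['X-Virus-ID']:lower():match('^%s*(.-)%s*$') ~= "no threats" then
  -- … unchanged: debug log …
  for _,v in ipairs(rspamd_str_split(icap_headers['X-Virus-ID'], ',') or {}) do
    v = v:match('^%s*(.-)%s*$')
    if v ~= '' then table.insert(threat_string, v) end
  end
end
```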
diff --git a/lualib/lua_scanners/oletools.lua b/lualib/lua_scanners/oletools.lua
index f0fdd82b4..577b79863 100644
--- a/lualib/lua_scanners/oletools.lua
+++ b/lualib/lua_scanners/oletools.lua
@@ -167,8 +167,8 @@ local function oletools_check(task, content, digest, rule)
m_autoexec = 'A'
table.insert(analysis_keyword_table, a.keyword)
elseif a.type == 'Suspicious' then
- if rule.extended == true then m_suspicious = 'S' end
- if a.keyword ~= 'Base64 Strings' and a.keyword ~= 'Hex Strings'
+ if rule.extended == true or
+ (a.keyword ~= 'Base64 Strings' and a.keyword ~= 'Hex Strings')
then
m_suspicious = 'S'
table.insert(analysis_keyword_table, a.keyword)