diff options
author | Carsten Rosenberg <c.rosenberg@heinlein-support.de> | 2019-10-08 21:00:31 +0200 |
---|---|---|
committer | Carsten Rosenberg <c.rosenberg@heinlein-support.de> | 2019-10-08 21:00:31 +0200 |
commit | e45b99bdb699922e4558b2ff28ea5f85a8968d93 (patch) | |
tree | 4c191bd928bd457f797123f0bd5852c52420583e | |
parent | f6f3788672ea1bc06a03e6d86e0827fee5429c0e (diff) | |
download | rspamd-e45b99bdb699922e4558b2ff28ea5f85a8968d93.tar.gz rspamd-e45b99bdb699922e4558b2ff28ea5f85a8968d93.zip |
[Minor] lua_scanners - adopt excrypted / macro support
-rw-r--r-- | lualib/lua_scanners/clamav.lua | 4 | ||||
-rw-r--r-- | lualib/lua_scanners/oletools.lua | 7 | ||||
-rw-r--r-- | src/plugins/lua/antivirus.lua | 1 | ||||
-rw-r--r-- | src/plugins/lua/external_services.lua | 26 |
4 files changed, 33 insertions, 5 deletions
diff --git a/lualib/lua_scanners/clamav.lua b/lualib/lua_scanners/clamav.lua index f95f96d92..2862ce025 100644 --- a/lualib/lua_scanners/clamav.lua +++ b/lualib/lua_scanners/clamav.lua @@ -140,6 +140,10 @@ local function clamav_check(task, content, digest, rule) rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix) common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted') cached = 'encrypted' + elseif string.find(vname, '^Heuristics%.OLE2%.ContainsMacros') then + rspamd_logger.errx(task, '%s: ClamAV Found an OLE2 Office Macro', rule.log_prefix) + common.yield_result(task, rule, vname, 0.0, 'macro') + elseif vname then elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix) common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail') diff --git a/lualib/lua_scanners/oletools.lua b/lualib/lua_scanners/oletools.lua index 4bdf7747d..8474a1847 100644 --- a/lualib/lua_scanners/oletools.lua +++ b/lualib/lua_scanners/oletools.lua @@ -184,6 +184,11 @@ local function oletools_check(task, content, digest, rule) end elseif result[3]['return_code'] == 9 then rspamd_logger.warnx(task, '%s: File is encrypted.', rule.log_prefix) + common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'encrypted') + common.save_cache(task, digest, rule, 'encrypted') + elseif result[3]['return_code'] == 5 then + rspamd_logger.warnx(task, '%s: olefy could not open the file - error: %s', rule.log_prefix, + result[2]['message']) common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'fail') elseif result[3]['return_code'] > 6 then rspamd_logger.errx(task, '%s: Error Returned: %s', @@ -196,7 +201,7 @@ local function oletools_check(task, content, digest, rule) rule.log_prefix, result[2]['message']) oletools_requery(oletools_rc[result[3]['return_code']]) elseif type(result[2]['analysis']) == 'table' and #result[2]['analysis'] == 0 - and #result[2]['macros'] == 0 then + and #result[2]['macros'] == 0 then rspamd_logger.warnx(task, '%s: maybe unhandled python or oletools error', rule.log_prefix) common.yield_result(task, rule, 'oletools unhandled error', 0.0, 'fail') elseif type(result[2]['analysis']) ~= 'table' and #result[2]['macros'] == 0 then diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua index 8d84887d0..4c89526a5 100644 --- a/src/plugins/lua/antivirus.lua +++ b/src/plugins/lua/antivirus.lua @@ -87,7 +87,6 @@ local function add_antivirus_rule(sym, opts) if not opts.symbol_fail then opts.symbol_fail = opts.symbol .. '_FAIL' end - if not opts.symbol_encrypted then opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED' end diff --git a/src/plugins/lua/external_services.lua b/src/plugins/lua/external_services.lua index 4858979e1..4e0ee29c9 100644 --- a/src/plugins/lua/external_services.lua +++ b/src/plugins/lua/external_services.lua @@ -136,8 +136,14 @@ local function add_scanner_rule(sym, opts) rule.type = opts.type - if not rule.symbol_fail then - rule.symbol_fail = opts.symbol .. '_FAIL' + if not opts.symbol_fail then + opts.symbol_fail = opts.symbol .. '_FAIL' + end + if not opts.symbol_encrypted then + opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED' + end + if not opts.symbol_macro then + opts.symbol_macro = opts.symbol .. '_MACRO' end rule.redis_params = redis_params @@ -215,12 +221,26 @@ if opts and type(opts) == 'table' then local id = rspamd_config:register_symbol(t) rspamd_config:register_symbol({ - type = 'virtual,nostat', + type = 'virtual', name = m['symbol_fail'], parent = id, score = 0.0, group = N }) + rspamd_config:register_symbol({ + type = 'virtual', + name = m['symbol_encrypted'], + parent = id, + score = 0.0, + group = N + }) + rspamd_config:register_symbol({ + type = 'virtual', + name = m['symbol_macro'], + parent = id, + score = 0.0, + group = N + }) has_valid = true if type(m['patterns']) == 'table' then if m['patterns'][1] then |