On 5/28/10 7:43 AM, "Chris" <cpollock@xxxxxxxxxxxxxx> wrote:

> On Thu, 2010-05-27 at 16:02 +0100, Steve Basford wrote:
>> Hi All,
>>
>> Arnaud Jacques from SecuriteInfo has contacted me regarding an
>> important change to some of the signature databases.
>>
>
> Steve, after seeing this I modified Bill's script as below:
>
> si_dbs="
> honeynet.hdb
> securiteinfoelf.hdb
> securiteinfo.hdb
> securiteinfohtml.hdb
> securiteinfopdf.hdb
> securiteinfosh.hdb
> "
>
> When time came to check the securite db's for updates I saw this in the
> output of the script:
>
> Testing updated SecuriteInfo database file: securiteinfoelf.hdb
> Clamscan reports Sanesecurity securiteinfoelf.hdb database integrity
> tested BAD - SKIPPING
>
> Opening any of the securite .hdb files shows the below in a browser
> window:
>
> The requested URL /securiteinfoelf.hdb.gz was not found on this server.
>
> Did I make a mistake in the securite configuration?

Bill's script tacks on the .gz automatically, because all of the
SecuriteInfo db's were gzipped. Just comment out line 734 or so in the
clamav-unofficial-sigs.sh script, where the .gz is appended:

if [ -n "$si_dbs" ] ; then
   for db in $si_dbs ; do
      echo "$si_dir/$db" >> "$current_tmp"
      # echo "$si_dir/$db.gz" >> "$current_tmp"
      clamav_files
   done
fi

On a somewhat related topic, does anyone have a sensible regex for these
sigs to distinguish viruses from spam sigs? Or can we trust these all
with impunity?

$ sigtool -lsecuriteinfo.hdb | cut -d. -f1 | sort | uniq -c | sort -rn
 113480 VX
  10868 HTML
   3391 Trojan
   2860 Office
   2182 IMG
   1389 BAT
   1052 Generic
    651 DOS
    427 PHP
    412 Backdoor
    339 SH
    316 Exploit
    265 VBS
    246 Win32
    201 Worm
    136 CmdFlood
    118 Gen-SecuriteInfo
     85 PDF
     33 Linux
     21 UNIX
     17 JS
     15 IRC-Worm
     12 FormatC
     12 Application
     11 Shimmer
     10 Delete
     10 Adware
      9 Win
      9 Unix
      9 IRC
      9 FileInfector-SecuriteInfo
      6 KillAV
      6 Irc
      6 EICAR-Test-File-SecuriteInfo
      5 Virtool
      5 DelTree
      5 Agent
      4 SymbOS
      3 Vbs
      3 RServer
      3 Mumu
      3 Batman-SecuriteInfo
      2 WinReg
      2 WBS
      2 SiteHijack-SecuriteInfo
      2 Rhape
      2 OSX
      2 Necros
      2 Kaczor
      2 HLLO
      2 Eversaw
      2 Delsyslib-SecuriteInfo
      2 DeleteWin
      2 BWG
      2 AVKill
      1 W97M
      1 VirTool
      1 Speed
      1 Silly
      1 Rootkit
      1 Restart-SecuriteInfo
      1 Replace
      1 Polyhell
      1 Pole64-SecuriteInfo
      1 Pole64
      1 PERL
      1 P2P
      1 Nice-SecuriteInfo
      1 mIRC
      1 Lucky2k
      1 Joy
      1 IRC-Worm-SecuriteInfo
      1 Homeslice-SecuriteInfo
      1 HLLC
      1 Format
      1 Emma
      1 Dmenu
      1 Disabler
      1 DeltreeY
      1 Bun
      1 BatWin
      1 Batalia
      1 Ballicus-SecuriteInfo
      1 AnitV
      1 ALS
      1 185-SecuriteInfo

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
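Editor's added example, not posted by anyone in this thread and not part of clamav-unofficial-sigs.sh: it wraps the same family tally Daniel's sigtool pipeline produces into a shell function, and goes one step further by splitting a listing into "malware family" versus "everything else" with a case pattern, which is the kind of regex-style filter his question asks about. The family allow-list (Trojan, Worm, Backdoor, Exploit, Win32, Rootkit, VX) and the signature names in SAMPLE are constructed for illustration; an operator would tune the list to the databases actually loaded.

```shell
#!/bin/sh
# Added example: tally and classify ClamAV signature-name families from a
# `sigtool -l`-style listing (one "Family.Name-Variant" per line).

# count_families: read signature names on stdin, print "COUNT FAMILY",
# most common first. Family = text before the first '.', exactly what
# `cut -d. -f1 | sort | uniq -c | sort -rn` gives; awk strips uniq's padding.
count_families() {
    cut -d. -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# is_malware_family: exit 0 when the signature's family is on the operator's
# (assumed, illustrative) list of families treated as real malware rather
# than spam/phishing/policy signatures. The case pattern is the "regex".
is_malware_family() {
    family=$(printf '%s\n' "$1" | cut -d. -f1)
    case "$family" in
        Trojan|Worm|Backdoor|Exploit|Win32|Rootkit|VX) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_listing: read signature names on stdin, print
# "malware N other M" so a reviewer can see how a database splits.
classify_listing() {
    m=0; o=0
    while IFS= read -r sig; do
        [ -n "$sig" ] || continue
        if is_malware_family "$sig"; then m=$((m + 1)); else o=$((o + 1)); fi
    done
    printf 'malware %d other %d\n' "$m" "$o"
}

# Constructed sample listing (names only, as sigtool -l prints them).
SAMPLE='Trojan.Downloader-123
VX.Sample-1
VX.Sample-2
VX.Sample-3
HTML.Phishing.Example-1
Trojan.Agent-9
Worm.Mail-3'

# top_family: the single most common family in SAMPLE ("3 VX").
top_family() {
    printf '%s\n' "$SAMPLE" | count_families | head -n 1
}

# Stand-alone run: full tally, then the malware/other split.
printf '%s\n' "$SAMPLE" | count_families
printf '%s\n' "$SAMPLE" | classify_listing
```

To run it against a real database, replace the SAMPLE feed with `sigtool -l securiteinfo.hdb | classify_listing`; the case pattern is easy to extend with more families, or to invert into a deny-list of the spam-oriented prefixes once you have decided which families you do not want blocking mail outright.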