[sanesecurity] Re: New SecuriteInfo.com URLs

  • From: Daniel McDonald <dan.mcdonald@xxxxxxxxxxxxxxxx>
  • To: sanesecurity <sanesecurity@xxxxxxxxxxxxx>
  • Date: Fri, 28 May 2010 09:09:11 -0500

On 5/28/10 7:43 AM, "Chris" <cpollock@xxxxxxxxxxxxxx> wrote:

> On Thu, 2010-05-27 at 16:02 +0100, Steve Basford wrote:
>> Hi All,
>> 
>> Arnaud Jacques from SecuriteInfo has contacted me regarding an
>> important change to some of the signature databases.
>> 
> 
> Steve, after seeing this I modified Bill's script as below:
> 
> si_dbs="
>    honeynet.hdb
>    securiteinfoelf.hdb
>    securiteinfo.hdb
>    securiteinfohtml.hdb
>    securiteinfopdf.hdb
>    securiteinfosh.hdb
> "
> When time came to check the securite db's for updates I saw this in the
> output of the script:
> 
> Testing updated SecuriteInfo database file: securiteinfoelf.hdb
> Clamscan reports Sanesecurity securiteinfoelf.hdb database integrity
> tested BAD - SKIPPING
> 
> Opening any of the securite .hdb files shows the below in a browser
> window:
> 
> The requested URL /securiteinfoelf.hdb.gz was not found on this server.
> 
> Did I make a mistake in the securite configuration?

Bill's script tacks on the .gz automatically, because all of the
SecuriteInfo db's were gzipped.
Just comment out line 734 or so in the clamav-unofficial-sigs.sh script,
where the .gz is appended:

if [ -n "$si_dbs" ] ; then
   for db in $si_dbs ; do
      # SecuriteInfo now serves the plain .hdb files, so queue those ...
      echo "$si_dir/$db" >> "$current_tmp"
      # ... and no longer the gzipped name the script used to append:
      # echo "$si_dir/$db.gz" >> "$current_tmp"
      clamav_files
   done
fi


On a somewhat related topic, does anyone have a sensible regex for these
sigs to distinguish viruses from spam sigs?  Or can we trust these all with
impunity?

$ sigtool -lsecuriteinfo.hdb | cut -d. -f1 | sort | uniq -c | sort -rn
 113480 VX
  10868 HTML
   3391 Trojan
   2860 Office
   2182 IMG
   1389 BAT
   1052 Generic
    651 DOS
    427 PHP
    412 Backdoor
    339 SH
    316 Exploit
    265 VBS
    246 Win32
    201 Worm
    136 CmdFlood
    118 Gen-SecuriteInfo
     85 PDF
     33 Linux
     21 UNIX
     17 JS
     15 IRC-Worm
     12 FormatC
     12 Application
     11 Shimmer
     10 Delete
     10 Adware
      9 Win
      9 Unix
      9 IRC
      9 FileInfector-SecuriteInfo
      6 KillAV
      6 Irc
      6 EICAR-Test-File-SecuriteInfo
      5 Virtool
      5 DelTree
      5 Agent
      4 SymbOS
      3 Vbs
      3 RServer
      3 Mumu
      3 Batman-SecuriteInfo
      2 WinReg
      2 WBS
      2 SiteHijack-SecuriteInfo
      2 Rhape
      2 OSX
      2 Necros
      2 Kaczor
      2 HLLO
      2 Eversaw
      2 Delsyslib-SecuriteInfo
      2 DeleteWin
      2 BWG
      2 AVKill
      1 W97M
      1 VirTool
      1 Speed
      1 Silly
      1 Rootkit
      1 Restart-SecuriteInfo
      1 Replace
      1 Polyhell
      1 Pole64-SecuriteInfo
      1 Pole64
      1 PERL
      1 P2P
      1 Nice-SecuriteInfo
      1 mIRC
      1 Lucky2k
      1 Joy
      1 IRC-Worm-SecuriteInfo
      1 Homeslice-SecuriteInfo
      1 HLLC
      1 Format
      1 Emma
      1 Dmenu
      1 Disabler
      1 DeltreeY
      1 Bun
      1 BatWin
      1 Batalia
      1 Ballicus-SecuriteInfo
      1 AnitV
      1 ALS
      1 185-SecuriteInfo

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
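The failure Chris hit (a 404 page saved under the .hdb name, then rejected by clamscan) and Daniel's prefix tally can both be reproduced with a small checker. This is an added example, not code from the thread or from clamav-unofficial-sigs; it assumes the ClamAV hash-signature layout `<hex hash>:<file size>:<signature name>` per line, and all sample records are constructed, not real SecuriteInfo entries.

```python
"""Sanity-check a ClamAV .hdb file before handing it to clamscan.

Added example, not part of the original thread or of clamav-unofficial-sigs.
Assumes one hash signature per line in the form  <hex hash>:<size>:<name>;
the sample data below is constructed.
"""
import re
from collections import Counter

# MD5 was the original .hdb hash; SHA1/SHA256 lengths are accepted as well.
HDB_LINE = re.compile(
    r"^(?P<hash>[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})"
    r":(?P<size>\d+|\*):(?P<name>[^:\s]+)$"
)

def hdb_problems(text: str) -> list:
    """Return (line_no, reason) for every non-blank line that is not an .hdb record."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() and not HDB_LINE.match(line):
            problems.append((no, "not a <hash>:<size>:<name> record"))
    return problems

def looks_like_html(text: str) -> bool:
    """True when the 'database' is really an HTTP error page, as in the thread."""
    head = text.lstrip()[:256].lower()
    return head.startswith("<!doctype html") or head.startswith("<html")

def prefix_counts(text: str) -> Counter:
    """Tally the family prefix of each signature name (text before the first '.'),
    the same grouping as  cut -d. -f1 | sort | uniq -c  in the post."""
    counts = Counter()
    for line in text.splitlines():
        m = HDB_LINE.match(line)
        if m:
            counts[m.group("name").split(".", 1)[0]] += 1
    return counts

# Constructed sample: two well-formed records followed by a corrupted line.
SAMPLE_HDB = (
    "d41d8cd98f00b204e9800998ecf8427e:0:Trojan.Example-1\n"
    "0cc175b9c0f1b6a831c399e269772661:1:HTML.Phishing.Example-2\n"
    "not a hash:abc:Broken.Line\n"
)
# Constructed sample: what a fetched 'securiteinfoelf.hdb' contained in the thread.
SAMPLE_404 = "<html><head><title>404 Not Found</title></head><body>...</body></html>\n"

if __name__ == "__main__":
    for label, body in (("sample.hdb", SAMPLE_HDB), ("404.hdb", SAMPLE_404)):
        if looks_like_html(body):
            print(f"{label}: HTML error page, not a signature database - SKIPPING")
            continue
        for no, why in hdb_problems(body):
            print(f"{label}:{no}: {why}")
        print(f"{label}: {dict(prefix_counts(body))}")
```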

