[sanesecurity] Re: jurlbla.ndb

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 12 Jun 2009 06:42:25 -0700

Hi Paul,

Paul Whelan wrote:
> On 8 Jun 2009 at 16:18, clamav@xxxxxxxx wrote:
> 
>> Hello,
>>
>> I'm trying to figure out what Sanesecurity.Jurlbl.Auto.6398.UNOFFICIAL 
>> FOUND is.
>>
>> On my decoding I found:
>>
>> Sanesìurity.Jurlbl.Auto.c:4:*:erincommunications.com
> 
> Doesn't this illustrate the added difficulty of debugging these 'auto' 
> databases?  Several days on the sig number (6398) will have changed maybe 
> several times.  It was recently 6392.  If it had been an FP it won't be in 
> at all.

Yes it does, however, it also provides a way to quickly respond to an
ever changing wave of spam domains.

> It's rare that I get to trace a query before a sig update has happened, 
> and if it later scans with a different match, I have to assume it was the 
> same sig.  I don't currently archive old sigs, but I'm wondering if some 
> time-limited storage may be useful.

One way to deal with this is to use the clamav-unofficial-sigs script to
create bypass signatures.  The script will monitor these bypass
signatures and update the entry anytime the signature name changes.
Once the signature has been modified or removed, the script will
automatically remove the entry from the local.ign file.

This will allow you to both bypass the FP signature, and also have time
to figure out what domain name the database is triggering on.  The
script can also encode the domain names found in an FP email, and then
you can parse the signature database to see if the signature still
exists or not, and if so, report it under its current name.

Hope this helps...

Bill

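The bypass workflow Bill describes, as an added example that is not part of the original post or of clamav-unofficial-sigs (which is a bash script; this is a Python sketch of the same idea): it hex-encodes a domain taken from the FP mail, searches the .ndb file for that body, and regenerates a local.ign entry from the signature's body rather than its name, so the entry follows the renumbering and is dropped once the signature disappears. The legacy local.ign layout db_name:line_number:signature_name and the stripping of ClamAV's .UNOFFICIAL reporting suffix are assumptions; both database snapshots are constructed, with 6392 becoming 6398 as in the thread.

```python
#!/usr/bin/env python3
"""Added example: track an auto-numbered ClamAV .ndb signature by its hex body
instead of its constantly renumbered name, and keep a local.ign bypass current.
Not the clamav-unofficial-sigs script itself."""
import re

# One .ndb line is MalwareName:TargetType:Offset:HexSignature. Only plain-hex
# bodies are handled here; wildcard bodies need ClamAV's own matcher.
NDB_LINE = re.compile(r"^([^:]+):(\d+):([^:]+):([0-9a-fA-F]+)$")


def hex_encode(text: str) -> str:
    """Encode a domain the way an .ndb body stores it: hex of the ASCII bytes."""
    return text.encode("ascii").hex()


def hex_decode(hexsig: str) -> str:
    """Reverse of hex_encode, for reading a matched body back as a domain."""
    return bytes.fromhex(hexsig).decode("ascii", errors="replace")


def parse_ndb(db_text: str):
    """Return (line_number, name, target_type, offset, hexsig) per parseable line."""
    entries = []
    for lineno, line in enumerate(db_text.splitlines(), start=1):
        m = NDB_LINE.match(line.strip())
        if m:
            entries.append((lineno, m.group(1), int(m.group(2)), m.group(3), m.group(4).lower()))
    return entries


def strip_unofficial(name: str) -> str:
    """Assumption: clamscan appends .UNOFFICIAL to third-party names at report time;
    the suffix is not present in the database file, so drop it before searching."""
    suffix = ".UNOFFICIAL"
    return name[:-len(suffix)] if name.endswith(suffix) else name


def find_by_name(db_text: str, reported_name: str):
    """Look a reported signature name up in the current database (may be gone)."""
    want = strip_unofficial(reported_name)
    return [e for e in parse_ndb(db_text) if e[1] == want]


def find_by_domain(db_text: str, domain: str):
    """Find every signature whose hex body contains the hex-encoded domain."""
    needle = hex_encode(domain)
    return [e for e in parse_ndb(db_text) if needle in e[4]]


def ign_entry(db_name: str, entry) -> str:
    """Assumed legacy local.ign layout: db_name:line_number:signature_name."""
    lineno, name = entry[0], entry[1]
    return f"{db_name}:{lineno}:{name}"


def refresh_bypass(db_name: str, db_text: str, tracked_bodies):
    """Rebuild local.ign lines for tracked hex bodies against the current database.
    A body that no longer appears is dropped, mirroring the script's behaviour
    when the signature is modified or removed."""
    by_body = {e[4]: e for e in parse_ndb(db_text)}
    ign_lines, dropped = [], []
    for body in tracked_bodies:
        if body in by_body:
            ign_lines.append(ign_entry(db_name, by_body[body]))
        else:
            dropped.append(body)
    return ign_lines, dropped


# Constructed sample data: the domain decoded in the quoted post plus an invented
# false-positive domain. Not real jurlbla.ndb content.
DOMAIN = "erincommunications.com"
FP_DOMAIN = "newsletter.example.invalid"
OLD_DB = "\n".join([
    f"Sanesecurity.Jurlbl.Auto.6391:4:*:{hex_encode('spam.example.test')}",
    f"Sanesecurity.Jurlbl.Auto.6392:4:*:{hex_encode(DOMAIN)}",
    f"Sanesecurity.Jurlbl.Auto.6393:4:*:{hex_encode(FP_DOMAIN)}",
]) + "\n"
# The same database after a rebuild: the FP entry is gone, the rest renumbered.
NEW_DB = "\n".join([
    f"Sanesecurity.Jurlbl.Auto.6397:4:*:{hex_encode('spam.example.test')}",
    f"Sanesecurity.Jurlbl.Auto.6398:4:*:{hex_encode(DOMAIN)}",
]) + "\n"

if __name__ == "__main__":
    hit = find_by_name(NEW_DB, "Sanesecurity.Jurlbl.Auto.6398.UNOFFICIAL")[0]
    print("6398 now decodes to:", hex_decode(hit[4]))
    fp = find_by_domain(OLD_DB, FP_DOMAIN)[0]
    print("FP domain was signature:", fp[1])
    tracked = [hex_encode(DOMAIN), hex_encode(FP_DOMAIN)]
    lines, dropped = refresh_bypass("jurlbla.ndb", NEW_DB, tracked)
    print("local.ign after refresh:", lines)
    print("dropped bodies:", [hex_decode(b) for b in dropped])
```

Tracking by body is what makes the renumbering harmless: the local.ign line is regenerated from whichever name the body carries today, and a signature Sanesecurity has already pulled as an FP simply stops producing a line.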