[sanesecurity] Re: MSRBL signatures

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Sun, 28 Nov 2010 12:26:20 -0800

On 11/28/2010 11:32 AM, Steve Basford wrote:
Hi All,

Sanesecurity rsync mirrors are reporting constant pounding with sites
requesting MSRBL signature databases. Sanesecurity *does not distribute
these signature databases*.

Please could you all check your script configurations and ensure that
MSRBL signatures aren't downloaded from the Sanesecurity mirrors (i.e.
rsync.sanesecurity.net) and
are in fact downloaded from *rsync://rsync.mirror.msrbl.com/msrbl/*

MSRBL signatures have been removed from most download scripts now, as
the MSRBL signatures haven't been updated in over a year (last update:
2009/07/24).

Thanks Steve!

And to stress that this advice should not be ignored or taken lightly, some (possibly all) of the rsync mirror sites are blacklisting sites that constantly request MSRBL signature updates. There are currently 368 sites that are being blocked by the rsync blacklist. Once these sites remove the MSRBL requests from their download scripts and request delisting here on the Sanesecurity users list, they will once again have access to Sanesecurity signature updates. Until then, they will have no access to any Sanesecurity signature updates.

Please also note that Sanesecurity DOES NOT distribute SecuriteInfo signature databases, so DO NOT request those from the Sanesecurity rsync mirrors either, lest you also risk being added to the blacklist. For example, this will potentially get you added to the blacklist:

==========
rsync: link_stat "honeynet.hdb" (in sanesecurity) failed: No such file or directory
rsync: link_stat "honeynet.hdb.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "securiteinfo.hdb" (in sanesecurity) failed: No such file or directory
rsync: link_stat "securiteinfo.hdb.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "vx.hdb" (in sanesecurity) failed: No such file or directory
rsync: link_stat "vx.hdb.sig" (in sanesecurity) failed: No such file or directory
==========

These are NOT Sanesecurity-distributed signature databases; download these signature databases from the SecuriteInfo download site.

I might also add that all script users should periodically check the output of their download script for errors. We are also seeing requests like the following:

==========
rsync: link_stat "#" (in sanesecurity)failed: No such file or directory
rsync: link_stat "#.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat ":" (in sanesecurity)failed: No such file or directory
rsync: link_stat ":.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "MEDIUM" (in sanesecurity)failed: No such file or directory
rsync: link_stat "MEDIUM.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "false-positive" (in sanesecurity)failed: No such file or directory
rsync: link_stat "false-positive.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "rating" (in sanesecurity)failed: No such file or directory
rsync: link_stat "rating.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "ONE" (in sanesecurity)failed: No such file or directory
rsync: link_stat "ONE.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "CONTAINS" (in sanesecurity)failed: No such file or directory
rsync: link_stat "CONTAINS.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "THE" (in sanesecurity)failed: No such file or directory
rsync: link_stat "THE.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "COMPLETE" (in sanesecurity)failed: No such file or directory
rsync: link_stat "COMPLETE.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "URL" (in sanesecurity)failed: No such file or directory
rsync: link_stat "URL.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "PATH" (in sanesecurity)failed: No such file or directory
rsync: link_stat "PATH.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "(MEDIUM" (in sanesecurity)failed: No such file or directory
rsync: link_stat "(MEDIUM.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "RISK)," (in sanesecurity)failed: No such file or directory
rsync: link_stat "RISK),.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "AND" (in sanesecurity)failed: No such file or directory
rsync: link_stat "AND.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "THE" (in sanesecurity)failed: No such file or directory
rsync: link_stat "THE.sig" (in sanesecurity)failed: No such file or directory
rsync: link_stat "OTHER" (in sanesecurity)failed: No such file or directory
rsync: link_stat "OTHER.sig" (in sanesecurity)failed: No such file or directory
==========

Caution: when using the clamav-unofficial-sigs download script, DO NOT PLACE ANYTHING BETWEEN THE QUOTE "" MARKS IN THE CONFIG FILE 'ss_dbs' DOWNLOAD SECTION EXCEPT VALID AND CORRECTLY SPELLED SANESECURITY SIGNATURE DATABASE NAMES. For example, as shown in the default config entry for Sanesecurity signature downloads:

ss_dbs="
   junk.ndb
   jurlbl.ndb
   phish.ndb
   rogue.hdb
   sanesecurity.ftm
   scam.ndb
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
"

However, DO NOT do something like this:

ss_dbs="
   junk.ndb
   jurlbl.ndb
#   phish.ndb
   rogue.hdb
   sanesecurity.ftm
#   scam.ndb
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
"

Instead, if, for example, you do not want to use the phish and scam databases, remove them from between the quotes, as follows:

ss_dbs="
   junk.ndb
   jurlbl.ndb
   rogue.hdb
   sanesecurity.ftm
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
"

Commenting them out within the quoted section will only cause you problems, annoy the Sanesecurity rsync mirror site operators and possibly get your site added to the blacklist.

Ignore this advice at your own peril, and risk being blacklisted from any and all Sanesecurity signature database updates.

Regards,

Bill
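As an added illustration (not part of Bill's post or of clamav-unofficial-sigs itself), a POSIX sh check that shows what word splitting does to a commented-out entry inside the ss_dbs quotes, and that pulls the missing names out of rsync's error output so a download script can fail loudly instead of re-requesting them. The known-name list is copied from the default config quoted above; the function names and sample output are constructed here.

```shell
#!/bin/sh
# Added example: sanity-check an ss_dbs value before it reaches rsync.

# Known Sanesecurity database names, taken from the default ss_dbs entry
# quoted in the post (update this list when new databases are published).
SS_DBS_KNOWN="junk.ndb jurlbl.ndb phish.ndb rogue.hdb sanesecurity.ftm scam.ndb spamimg.hdb winnow_malware.hdb winnow_malware_links.ndb"

# Print every token the shell's word splitting would hand to rsync,
# marking unknown ones. A commented line such as "#   phish.ndb" becomes
# the two tokens "#" and "phish.ndb"; "#" is then requested as a file.
# Returns 1 if any token is not a known database name.
validate_ss_dbs() {
    bad=0
    for token in $1; do
        ok=0
        for known in $SS_DBS_KNOWN; do
            [ "$token" = "$known" ] && ok=1
        done
        if [ "$ok" -eq 1 ]; then
            echo "ok:  $token"
        else
            echo "BAD: $token"
            bad=1
        fi
    done
    return $bad
}

# Read rsync error output on stdin and print the names it could not find,
# one per line, so a script can abort before the next scheduled run.
failed_names() {
    sed -n 's/.*link_stat "\([^"]*\)".*failed: No such file or directory.*/\1/p'
}
```

Run `validate_ss_dbs "$ss_dbs" || exit 1` before the rsync call, and pipe rsync's stderr through `failed_names` afterwards to see exactly which bogus names were requested.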
