On 11/28/2010 11:32 AM, Steve Basford wrote:
Hi All,

Sanesecurity rsync mirrors are reporting constant pounding with sites requesting MSRBL signature databases. Sanesecurity *does not distribute these signature databases*.

Please could you all check your script configurations and ensure that MSRBL signatures aren't downloaded from the Sanesecurity mirrors (i.e. rsync.sanesecurity.net) and are in fact downloaded from rsync://rsync.mirror.msrbl.com/msrbl/

MSRBL signatures have been removed from most download scripts now, as the MSRBL signatures haven't been updated in over a year (last update: 2009/07/24).

Thanks Steve!

And to stress that this advice should not be ignored or taken lightly, some (possibly all) of the rsync mirror sites are blacklisting sites that constantly request MSRBL signature updates. There are currently 368 sites that are being blocked by the rsync blacklist. Once these sites remove the MSRBL requests from the download scripts and request delisting here on the Sanesecurity users list, they will once again have access to Sanesecurity signature updates. Until then, they will have no access to any Sanesecurity signature updates.
Please also note that Sanesecurity DOES NOT distribute SecuriteInfo signature databases, so DO NOT request those from the Sanesecurity rsync mirrors either, lest you also risk being added to the blacklist. For example, this will potentially get you added to the blacklist:
==========
rsync: link_stat "honeynet.hdb" (in sanesecurity) failed: No such file or directory
rsync: link_stat "honeynet.hdb.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "securiteinfo.hdb" (in sanesecurity) failed: No such file or directory
rsync: link_stat "securiteinfo.hdb.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "vx.hdb" (in sanesecurity) failed: No such file or directory
rsync: link_stat "vx.hdb.sig" (in sanesecurity) failed: No such file or directory
==========

These are NOT Sanesecurity-distributed signature databases; download these signature databases from the SecuriteInfo download site.
I might also add that all script users should periodically check the output of their download script for errors. We are also seeing requests like the following:
==========
rsync: link_stat "#" (in sanesecurity) failed: No such file or directory
rsync: link_stat "#.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat ":" (in sanesecurity) failed: No such file or directory
rsync: link_stat ":.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "MEDIUM" (in sanesecurity) failed: No such file or directory
rsync: link_stat "MEDIUM.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "false-positive" (in sanesecurity) failed: No such file or directory
rsync: link_stat "false-positive.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "rating" (in sanesecurity) failed: No such file or directory
rsync: link_stat "rating.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "ONE" (in sanesecurity) failed: No such file or directory
rsync: link_stat "ONE.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "CONTAINS" (in sanesecurity) failed: No such file or directory
rsync: link_stat "CONTAINS.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "THE" (in sanesecurity) failed: No such file or directory
rsync: link_stat "THE.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "COMPLETE" (in sanesecurity) failed: No such file or directory
rsync: link_stat "COMPLETE.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "URL" (in sanesecurity) failed: No such file or directory
rsync: link_stat "URL.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "PATH" (in sanesecurity) failed: No such file or directory
rsync: link_stat "PATH.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "(MEDIUM" (in sanesecurity) failed: No such file or directory
rsync: link_stat "(MEDIUM.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "RISK)," (in sanesecurity) failed: No such file or directory
rsync: link_stat "RISK),.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "AND" (in sanesecurity) failed: No such file or directory
rsync: link_stat "AND.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "THE" (in sanesecurity) failed: No such file or directory
rsync: link_stat "THE.sig" (in sanesecurity) failed: No such file or directory
rsync: link_stat "OTHER" (in sanesecurity) failed: No such file or directory
rsync: link_stat "OTHER.sig" (in sanesecurity) failed: No such file or directory
==========

Caution, when using the clamav-unofficial-sigs download script, DO NOT PLACE ANYTHING BETWEEN THE QUOTE "" MARKS IN THE CONFIG FILE 'ss_dbs' DOWNLOAD SECTION EXCEPT VALID AND CORRECTLY SPELLED SANESECURITY SIGNATURE DATABASE NAMES. For example, as shown in the default config entry for Sanesecurity signature downloads:
ss_dbs="
   junk.ndb
   jurlbl.ndb
   phish.ndb
   rogue.hdb
   sanesecurity.ftm
   scam.ndb
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
"

However, DO NOT do something like this:

ss_dbs="
   junk.ndb
   jurlbl.ndb
   # phish.ndb
   rogue.hdb
   sanesecurity.ftm
   # scam.ndb
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
"

Instead, if, for example, you do not want to use the phish and scam databases, remove them from between the quotes, as follows:

ss_dbs="
   junk.ndb
   jurlbl.ndb
   rogue.hdb
   sanesecurity.ftm
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
"

Commenting them within the quoted section will only cause you problems, annoy the Sanesecurity rsync mirror site operators, and possibly get your site added to the blacklist.
Ignore this advice at your own peril, and risk being blacklisted from any and all Sanesecurity signature database updates.
Regards, Bill
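
The requests for "#", "MEDIUM" and "RISK)," shown above are what happens when everything between the quotes is word-split into file names. The following is an added example, not part of the original message and not code from clamav-unofficial-sigs, that lints an ss_dbs value before any rsync request is made. The names check_ss_dbs, in_list, SS_KNOWN, SI_NAMES and SAMPLE are hypothetical, and the allow-list holds only the default entry quoted in the message.

```shell
#!/bin/sh
# Added example: reject anything in ss_dbs that is not a known database name.
# Allow-list: the default ss_dbs entry quoted in the message (an assumption
# that this is the full set you intend to permit).
SS_KNOWN="junk.ndb jurlbl.ndb phish.ndb rogue.hdb sanesecurity.ftm scam.ndb spamimg.hdb winnow_malware.hdb winnow_malware_links.ndb"
# Names the message says are NOT distributed by Sanesecurity (SecuriteInfo).
SI_NAMES="honeynet.hdb securiteinfo.hdb vx.hdb"

# in_list WORD LIST -> status 0 if WORD is one of the words in LIST
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# check_ss_dbs VALUE -> prints one "reason: token" line per rejected token,
# returns 1 if any token was rejected, 0 if the value is clean.
check_ss_dbs() {
    bad=0
    set -f                  # no filename globbing while we word-split
    for db in $1; do        # unquoted on purpose: the split that turns "#" into a request
        if in_list "$db" "$SS_KNOWN"; then
            continue
        elif in_list "$db" "$SI_NAMES"; then
            echo "wrong-mirror: $db"
        else
            echo "not-a-database: $db"
        fi
        bad=1
    done
    set +f
    return $bad
}

# Constructed sample: a "commented-out" entry plus a SecuriteInfo name.
SAMPLE='
   junk.ndb
   # phish.ndb
   rogue.hdb
   securiteinfo.hdb
'
check_ss_dbs "$SAMPLE" || echo "fix ss_dbs before running the updater"
```

On the constructed sample, phish.ndb passes the check: the "#" does not disable it, it only adds a request for a file named "#".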