[sanesecurity] Re: local.ign exceptions

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Wed, 24 Feb 2010 13:00:24 -0800

Bill Landry wrote:
> Roberto Ullfig wrote:
>> Bill Landry wrote:
>>> Roberto Ullfig wrote:
>>>  
>>>> Bill Landry wrote:
>>>>    
>>>>> Roberto Ullfig wrote:
>>>>>  
>>>>>      
>>>>>> Can I use a local.ign file to allow a signature caught by
>>>>>> sanesecurity?
>>>>>> I've found the db entry here:
>>>>>>
>>>>>> 69599:INetMsg.SpamDomain-2m.private_pl:4:*:(2e|2f|40|20|3c|5f)707269766174652e706c(27|22|20|2f|3d|5f|3e|0a|0d)
>>>>>>
>>>>>> Can I just put in the local.ign file:
>>>>>>
>>>>>> sanesecurity-INetMsg-SpamDomains-2m.ndb:69599:INetMsg.SpamDomain-2m.private_pl
>>>>>>
>>>>>>
>>>>> Yes.
>>>>>
>>>>>  
>>>>>      
>>>>>> Will this eventually stop working? Does the line number of the
>>>>>> signature
>>>>>> ever change?
>>>>>>             
>>>>> Yes, the line numbers do change; however, if you are using the
>>>>> clamav-unofficial-sigs script, it will automatically update the
>>>>> local.ign file with the new line info, and also remove it from the file
>>>>> when the signature has either changed or been removed from the
>>>>> database.
>>>>>
>>>>> Anyway, I just removed this domain from the signature database about 15
>>>>> minutes ago.  It will be gone with the next update that goes out in
>>>>> about 30 minutes.
>>>>>
>>>>> Bill
>>>>>
>>>>>
>>>>>         
>>>> Thanks! What is private_pl? How did you know which domain to remove? Did
>>>> they contact you?
>>>>     
>>> The domain was listed in the signature file you were asking about adding
>>> to local.ign (INetMsg.SpamDomain-2m.private_pl).  It's a Polish domain,
>>> but I have no idea what its purpose is as this site is in Polish, which
>>> I don't understand.
>>>
>>> I removed the domain earlier yesterday as I was contacted by someone
>>> from uiuc.edu regarding the listing.  However, as I told that person,
>>> the more serious issue is that the domain is also listed in URIBL Black:
>>>
>>>     host private.pl.multi.uribl.com
>>>     private.pl.multi.uribl.com has address 127.0.0.2
>>>
>>> That listing has much broader coverage than my signature database would
>>> have.
>>>
>>> Bill
>>>
>> Shouldn't such a check only look for strings like http://.*private.pl/
>> instead of getting tagged because of a filename within the URL called
>> private.pl?
>>
>> pl is a pretty common suffix for files (perl).
> 
> Domains listed in my signature databases are already prefixed and
> suffixed as follows:
> 
> (2e|2f|40|20|3c|5f)7a7a78636b77772e636e(27|22|20|2f|3d|5f|3e|0a|0d)
> 
> which decodes to:
> 
> (.|/|@| |<|_)domain.ext('|"| |/|=|_|>)
> 
> and what you don't see decoded at the end of the string above is a
> newline and carriage-return.
> 
> So if a file was tagged by the signature, it must have been named
> something like <private.pl>, or something that included the prefix and
> suffix delimiters shown above; otherwise it would not have been flagged.
> 
> Hope this helps to clarify...

Hmmm, actually, in this case, just the file name would have gotten
flagged because of the leading and trailing space delimiters.  I guess I
will have to look into how to better prevent this from happening in the
future...

Bill
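The delimiter logic discussed in this thread, as an added example that is not code from the thread, from Sanesecurity or from ClamAV: it parses the quoted .ndb record, builds the local.ign entry the poster asked about, decodes the hex body the way Bill does (but with the newline and carriage-return bytes made visible), translates the body into an equivalent regex, and runs it over a few constructed message fragments. Assumptions: the leading 69599 is a `grep -n` line number; only the subset of ClamAV hex-signature syntax this record uses (literal bytes, single-byte alternations, `??`, `*`) is handled; the sample strings are made up for illustration. The last two "HIT" samples show the point Bill concedes at the end: a bare file name or script path delimited by spaces or a slash fires the signature just as a URL or address does.

```python
import re

# Constructed sample, taken from the thread as quoted above: the hit as printed
# by "grep -n" over the .ndb file (line number, then the ndb record
# name:target:offset:hexsig), and the database file name used in local.ign.
# Treating the leading 69599 as a grep -n line number is an assumption.
DB_FILE = "sanesecurity-INetMsg-SpamDomains-2m.ndb"
GREP_HIT = ("69599:INetMsg.SpamDomain-2m.private_pl:4:*:"
            "(2e|2f|40|20|3c|5f)707269766174652e706c"
            "(27|22|20|2f|3d|5f|3e|0a|0d)")


def parse_grep_hit(hit: str):
    """Split 'lineno:name:target:offset:hexsig' into its fields."""
    lineno, name, target, offset, hexsig = hit.split(":", 4)
    return int(lineno), name, int(target), offset, hexsig


def ign_entry(db_file: str, hit: str) -> str:
    """The local.ign line (dbfile:lineno:signame) that whitelists this hit."""
    lineno, name, *_ = parse_grep_hit(hit)
    return f"{db_file}:{lineno}:{name}"


def _tokens(hexsig: str):
    """Tokenise the subset of ClamAV hex-signature syntax this record uses:
    literal hex bytes, (aa|bb|..) alternations, '??' (any byte), '*' (any run)."""
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "(":
            end = hexsig.index(")", i)
            yield "alt", hexsig[i + 1:end].split("|")
            i = end + 1
        elif hexsig[i] == "*":
            yield "anyn", None
            i += 1
        elif hexsig[i:i + 2] == "??":
            yield "any1", None
            i += 2
        else:
            yield "lit", hexsig[i:i + 2]
            i += 2


def describe(hexsig: str) -> str:
    """Decoded, human-readable form; non-printable bytes (newline, CR) are
    shown as escapes so the whole suffix list is visible."""
    def txt(h: str) -> str:
        s = bytes.fromhex(h).decode("latin-1")
        return "".join(c if c.isprintable() else repr(c)[1:-1] for c in s)

    out = []
    for kind, val in _tokens(hexsig):
        if kind == "alt":
            out.append("(" + "|".join(txt(a) for a in val) + ")")
        elif kind == "lit":
            out.append(txt(val))
        else:
            out.append("*" if kind == "anyn" else "?")
    return "".join(out)


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate the hex body into an equivalent bytes regex."""
    out = []
    for kind, val in _tokens(hexsig):
        if kind == "alt":
            alts = b"|".join(re.escape(bytes.fromhex(a)) for a in val)
            out.append(b"(?:" + alts + b")")
        elif kind == "lit":
            out.append(re.escape(bytes.fromhex(val)))
        else:
            out.append(b".*" if kind == "anyn" else b".")
    return re.compile(b"".join(out), re.DOTALL)


def flagged(hexsig: str, data: bytes) -> bool:
    """True if the signature body would fire anywhere in the data."""
    return hexsig_to_regex(hexsig).search(data) is not None


# Constructed message fragments (not real mail) exercising the delimiters.
SAMPLES = [
    (b"Visit http://private.pl/ for details", True),  # '/' .. '/': the intended URL hit
    (b"mail bob@private.pl\n", True),                  # '@' .. newline: the intended address hit
    (b"see notprivate.pl here", False),                # 't' is not an allowed prefix byte
    (b"private.pl.example.com", False),                # no prefix byte, and '.' is not a suffix
    (b"attached is private.pl for review", True),      # ' ' .. ' ': a bare file name fires too
    (b"run ./private.pl now", True),                   # '/' .. ' ': so does a script path
]


if __name__ == "__main__":
    lineno, name, target, offset, hexsig = parse_grep_hit(GREP_HIT)
    print("local.ign entry:", ign_entry(DB_FILE, GREP_HIT))
    print("decoded body:   ", describe(hexsig))
    for data, expected in SAMPLES:
        hit = flagged(hexsig, data)
        print(f"{'HIT ' if hit else 'miss'} {data!r}")
        assert hit == expected
```

Because the prefix set includes a space and the suffix set includes a space and a slash, any mention of the bare file name surrounded by spaces, or a relative path like `./private.pl`, matches exactly as a URL would; restricting the prefix to `http://`-style context, as Roberto suggests, would also drop the plain `bob@private.pl` address hit, so tightening the delimiters is a trade-off rather than a free fix.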
