[Esd-l] Attachment of application.pif was not stripped

John D. Hardin jhardin at impsec.org
Sun Aug 24 09:20:50 PDT 2003


On Sat, 23 Aug 2003, Mike McCandless wrote:

> I checked the Web site, and read through the local rules.  I must
> admit I need some help with where these get put in my procmailrc
> file, or how they are referenced.

1) Create a file named /etc/procmail/local-rules.procmail - this
should be in the same directory as the sanitizer script if you're
using the recommended locations.

2) In this file put whatever local security rules you want - you can
use the local-rules file from the website as a starting point.

3) In your /etc/procmailrc file, just before the
INCLUDERC=/etc/procmail/html-trap.procmail that runs the sanitizer
itself, insert a new line with
INCLUDERC=/etc/procmail/local-rules.procmail
This passes the message through the local-rules filters before givine
the full sanitizer a shot at it.

The local rules are intended to:

1) Do specific identification of attacks. The sanitizer itself just
handles classes of attachments and doesn't attempt to identify
anything. If you want to identify a particular attack, you can put
some detection patterns for it into the local-rules filters.

2) Detect some attacks that the sanitizer, by design, cannot detect.
For example, the sanitizer (and other security filters) by default
considers .ZIP files safe. One of the SoBig variants used this to
bypass the filter to get to the user. The original SoBig rule detects
the specific .ZIP filenames used and poisons them. There will also be
a rule for the non-MIME MTA bounce messages, because the sanitizer's
attachment processing part does not scan messages that do not have
MIME rfc822 headers.

The local rules filters scan the message using straight procmail
techniques, so if you want to start writing your own local rules you
have to learn how to write procmail rules. The action on a "hit" is to
insert Sanitizer handling headers into the message headers, just as if
the sanitizer had scanned the message and detected some problem. These
handling headers are processed by the procmail code that appears after
the big perl script in the html-trap.procmail file.

> Also, your reply below talks about quarantining.  What if I want
> to treat these emails as qualifying for stripping, not
> quarantining?

Unfortunately the local rules don't look at the message on an
attachment-by-attachment basis as the sanitizer does, so you can only
set the treatment of the message as a whole. Quarantine or discard are
your only options. Sorry.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   69 days until Matrix Revolutions



More information about the esd-l mailing list