[Esd-l] Does a hit in local-rules get logged in poisoned?
Smart,Dan
SmartD at VMCMAIL.com
Mon Aug 25 14:09:48 PDT 2003
John:
I'm logging a message when a rule in local-rules gets a hit. I build a
report by grepping for the number of times the phrase "Trapped poisoned"
appears in the procmail log. If a message gets a hit in local-rules, does the
sanitizer then skip its own "Trapped poisoned executable" test, or am I
double counting?
<<Dan>>
Attached is reporting script and my local-rules
====================================================
root: cat /usr/sbin/mailstats
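#!/bin/sh
# mailstats -- daily spam / sanitizer summary built by counting log lines in
# the MTA log (syslog format) and the procmail log.
#
# Things a reader should know before trusting the numbers:
#   * Every count is taken over the WHOLE file.  The "yesterday" in the
#     heading is only true if both logs are rotated once a day; nothing here
#     filters on date (the original did not either).
#   * Matching is unanchored and, for the procmail counts, case-insensitive.
#     procmail's default log abstract writes the Subject: line of every
#     delivered message into the procmail log, so a message whose subject
#     happens to contain a counted phrase ("Trapped poisoned", "Stripped ")
#     is counted as well.  Anchoring on the sanitizer's exact log-line
#     format would close that; confirm the format before tightening.
#   * A local-rules hit writes LOG="TRAPPED: <name> ..." text, none of which
#     contains "Trapped poisoned", so local rules do not add to the poisoned
#     count by themselves.  Whether the sanitizer's own poisoned-executable
#     test still runs on that message is decided by the sanitizer's recipe
#     order, not by this script.
# Deliberately no `set -e`: a missing or unreadable log should print a
# warning (grep's own stderr) and a zero line, not abort the report.

MAILLOG=${MAILLOG:-/var/log/maillog}
PROCLOG=${PROCLOG:-/var/log/procmail}

# count_matches GREPFLAGS PATTERN FILE
#   Print the number of lines of FILE matching the extended regex PATTERN.
#   GREPFLAGS is passed through to grep (use -c, or -ic for case-insensitive)
#   so the two original spellings `egrep -c` / `egrep -ic` stay distinct.
#   Prints 0 (after grep's error on stderr) when FILE cannot be read, so the
#   report keeps one number per heading.
count_matches() {
    _n=$(grep -E "$1" -- "$2" "$3")
    printf '%s\n' "${_n:-0}"
}

report_day=$(date --date=yesterday '+%b %d')

echo " "
echo " "
echo "Lewis Spam and Sanitizer Summary for $report_day"
echo " "
echo "Count Non-spam (ham) Messages"
count_matches -c "clean message" "$MAILLOG"
echo "Count Spam Messages"
count_matches -c "identified spam" "$MAILLOG"
echo "-------------------"
# One heading + count per worm rule in local-rules.procmail; the LOG text
# there is "TRAPPED: Probable <worm> worm", matched case-insensitively.
for worm in Klez BugBear SoBig MiMail; do
    echo "Count $worm Trapped"
    count_matches -ic "Trapped: Probable $worm" "$PROCLOG"
done
echo "Count Stripped Files"
count_matches -ic "Stripped " "$PROCLOG"
echo "Count Poisoned Files"
count_matches -ic "Trapped poisoned" "$PROCLOG"
echo "Count Excessively Long Headers"
count_matches -ic "Trapped excessively" "$PROCLOG"
echo "-------------------"
# Full matching lines, not counts, for the two things worth reading in full.
echo "Sanitizer Warnings"
grep -E -- "^WARN: " "$PROCLOG"
echo "Trapped Excessive Headers"
grep -E -- "Trapped excessively" "$PROCLOG"
echo "-------------------"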
===============================================
root: cat local-rules.procmail
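## Catch Cytron E-Card worm (10/29/2002)
#
# Two-stage match: the message must be larger than 110000 bytes AND the body
# must contain the e-card phrase.  Either test alone would hit plenty of
# legitimate mail; together they are the signature.  procmail matches
# case-insensitively unless the D flag is given, so "you have received an
# e-card" also matches.
#
# Disposition: QUARANTINE (a copy is kept; most rules below use DISCARD).
# LOG= text is appended to $LOGFILE verbatim, with no newline, so it is
# glued to whatever procmail logs next -- fine for an unanchored grep, but
# an anchored (^TRAPPED) grep would miss it.
:0
* > 110000
{
  :0 B
  * You Have Received an E-Card
  {
    LOG="TRAPPED: Cytron E-Card worm"
    # h = feed only the header to the pipe, f = filter (replace in place),
    # i = ignore write errors on the pipe.  formail -A appends the
    # X-Content-Security control headers the sanitizer acts on.
    # NOTE(review): without the w flag procmail does not check formail's
    # exit status; consider hfwi so a failed filter cannot leave a mangled
    # header -- confirm against procmailrc(5) before changing.
    :0 hfi
    | formail -A "X-Content-Security: [${HOST}] NOTIFY" \
      -A "X-Content-Security: [${HOST}] QUARANTINE" \
      -A "X-Content-Security: [${HOST}] REPORT: Trapped Cytron E-Card worm"
  }
}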
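# Detect Hybris when sent as an anonymous message.
#
# Header stage: larger than 20000 bytes, NO Subject: header, NO To: header,
# and a multipart/mixed Content-Type.  Body stage uses procmail scoring:
# each "1^1" condition adds 1 to the score and any total above 0 is a hit,
# so the two lines read as "Content-Disposition OR Content-Type names a
# .EXE".  Matching is case-insensitive, so .exe counts too.
#
# Disposition: QUARANTINE (copy kept).
:0
* > 20000
* !^Subject:
* !^To:
* ^Content-Type:.*multipart/mixed;
{
  :0 B
  * 1^1 ^Content-Disposition:.*\.EXE
  * 1^1 ^Content-Type:.*\.EXE
  {
    LOG="TRAPPED: Anonymous Executable (Hybris)"
    # Header-only filter through formail; see the Cytron rule for the flags.
    :0 hfi
    | formail -A "X-Content-Security: [${HOST}] NOTIFY" \
      -A "X-Content-Security: [${HOST}] QUARANTINE" \
      -A "X-Content-Security: [${HOST}] REPORT: Trapped (Hybris) anonymous executable"
  }
}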
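# Trap SirCam (signature as of 08/01/2001)
#
# Header stage: larger than 130000 bytes with a multipart/mixed body.
# Body stage: a base64 attachment whose encoded text contains the worm's
# own marker string.  The three alternatives are the same bytes at the three
# possible base64 alignments (e.g. "U0NhbTMy" decodes to "SCam32"), so the
# match does not depend on where the marker falls in the encoded stream.
#
# Disposition: DISCARD -- the message is dropped, only the notification and
# the LOG line survive.
:0
* > 130000
* ^Content-Type:.*multipart/mixed;
{
  :0 B
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  * AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
  {
    LOG="TRAPPED: SirCam worm "
    :0 hfi
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
      -A "X-Content-Security: [$HOST] DISCARD" \
      -A "X-Content-Security: [$HOST] REPORT: Trapped SirCam worm"
  }
}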
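# Trap BadTrans (signature as of 11/26/2001)
#
# Header stage: size in the 40000-50000 byte window, a "Subject: Re:" and the
# worm's fixed MIME boundary string.  Body stage: the audio/x-wav part with
# the worm's fixed Content-ID.  A hard-coded boundary and Content-ID are a
# very tight signature: no false positives, but any variant that changes
# them walks straight through.
#
# Disposition: DISCARD.
:0
* > 40000
* < 50000
* ^Subject: Re:
* ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
{
  :0 B
  * ^Content-Type: audio/x-wav;
  * ^Content-ID: <EA4DMGBP9p>
  * ^Content-Transfer-Encoding: base64
  {
    LOG="TRAPPED: BadTrans worm "
    :0 hfi
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
      -A "X-Content-Security: [$HOST] DISCARD" \
      -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm"
  }
}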
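# Trap Klez (signature as of 04/26/2002)
# Trap BugBear (signature as of 10/06/2002)
#
# Outer stage: larger than 50000 bytes with a multipart/alternative body.
#
# First body stage: the HTML part carries an IFRAME whose src is a cid:
# reference to an audio/* part that is really a base64 executable -- the
# MIME auto-execution trick these worms relied on.  "(3D)?" allows the
# quoted-printable spelling of "=".  "^TVqQAAMAAAAEAAAA" is the base64
# encoding of the bytes "MZ\x90\0\x03\0\0\0\x04\0\0\0", i.e. the standard
# DOS/PE executable header, at the start of an encoded line.
# Inside that, the two worms are told apart by size only: above 100000 is
# Klez, otherwise (":0 E" = else) BugBear.  The "> 50000" on the else branch
# is always true here because the outer recipe already required it; it is
# kept as documentation of the intended window.
#
# Second body stage (":0 B E", else-branch of the first body recipe):
# Klez mails whose subject follows the "A <word>" pattern (the "H ??"
# prefix checks the header for that one condition) with an
# application/octet-stream part that again starts with the MZ header.
#
# Disposition: DISCARD for all three outcomes.
:0
* > 50000
* ^Content-Type:.*multipart/alternative;
{
  :0 B
  * \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
  * ^Content-Type:.*audio/
  * ^Content-ID:.*<
  * ^Content-Transfer-Encoding: base64
  * ^TVqQAAMAAAAEAAAA
  {
    :0
    * > 100000
    {
      LOG="TRAPPED: Probable Klez worm "
      :0 hfi
      | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] DISCARD" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped probable Klez worm"
    }
    :0 E
    * > 50000
    {
      LOG="TRAPPED: Probable BugBear worm "
      :0 hfi
      | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] DISCARD" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped probable BugBear worm"
    }
  }
  :0 B E
  * H ?? ^Subject: A( (special|very))?[ ][ ][a-z]
  * ^Content-Type:.*application/octet-stream
  * ^Content-ID:
  * ^Content-Transfer-Encoding: base64
  * ^TVqQAAMAAAAEAAAA
  {
    LOG="TRAPPED: Probable Klez worm "
    :0 hfi
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
      -A "X-Content-Security: [$HOST] DISCARD" \
      -A "X-Content-Security: [$HOST] REPORT: Trapped probable Klez worm"
  }
}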
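# Attempt to trap sendmail header exploit (signature as of 03/05/2003)
#
# CRITICAL NOTE: this WILL NOT protect the system it is installed on.
# It is intended to prevent a patched Sendmail from relaying an attack
# message onwards.  By the time procmail sees the message the local MTA
# has already parsed these headers; only a patch protects this host.
#
# Signature: any of the address-bearing headers (sender/from/to/cc/bcc and
# their Resent- forms, Errors-To, Disposition-Notification-To,
# Apparently-To, Return-Path) containing five or more empty "<>" address
# pairs followed by a "(...)" comment -- the shape of the March 2003
# Sendmail address-parsing overflow payloads (presumably; confirm against
# the vendor advisory before relying on the exact pattern).  A header that
# merely looks unusual is enough to trip this, so it QUARANTINEs rather
# than discards.
:0
* ^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notification|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
{
  LOG="TRAPPED: Probable Sendmail header exploit "
  :0 hfi
  | formail -A "X-Content-Security: [$HOST] NOTIFY" \
    -A "X-Content-Security: [$HOST] QUARANTINE" \
    -A "X-Content-Security: [$HOST] REPORT: Trapped possible sendmail header exploit"
}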
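# Trap SoBig.F (signature as of 08/25/2003)
#
# Header stage: size in the 100000-120000 byte window with a multipart/mixed
# body.  Body stage: the worm's stock body text, a base64 attachment, and a
# filename from the worm's fixed list with a zip/pif/scr extension.
#
# The two "9876543210^1" lines are procmail scoring with a huge weight, so
# EITHER alternative makes the score positive and satisfies the recipe:
#   - the first handles a folded header ("$" matches a newline inside a
#     procmail regex, so ".*$.*name" reaches the continuation line);
#   - the second handles the name= on the same line as Content-Type /
#     Content-Disposition.
#
# Disposition: QUARANTINE.  The REPORT header carries the vendor write-up
# URL; the repeated "<url>" after it looks like a mail-client artifact of
# the posted copy rather than part of the rule.
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
  :0 B
  * ^(Please )?see the attached (zip )?file for details\.?
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.(zip|pif|scr)"?
  * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.(zip|pif|scr)"?
  {
    LOG="TRAPPED: Probable SoBig worm "
    :0 hfi
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
      -A "X-Content-Security: [$HOST] QUARANTINE" \
      -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html <http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html> "
  }
}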
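# Trap backscatter from SoBig.F
#
# Bounces generated by other sites for SoBig mail that forged one of our
# addresses as sender.  Matched on a bounce-style Subject ("Undeliverable:"
# followed by one of the worm's subject lines, with optional "Re:" prefixes)
# from a mailer address (^FROM_MAILER is procmail's built-in daemon/mailer
# sender pattern).
#
# Disposition: DISCARD with NONOTIFY -- dropped silently, no report mail.
# Two trade-offs to be aware of: the "Undeliverable:" prefix is one
# particular NDR style, so bounces worded differently still get through;
# and a genuine bounce for a message we really sent with one of these
# subjects (e.g. "Your application") is dropped without anyone being told.
# Header-only filter, so this is a single-stage recipe.
:0 hfi
* ^Subject: Undeliverable: *(Re: *)*(Approved|Details|(My|Your) details|That movie|Thank you\!|Wicked screensaver|Your application)
* ^FROM_MAILER
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
  -A "X-Content-Security: [$HOST] DISCARD" \
  -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig.F backscatter"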
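# Trap MiMail (08/01/2003)
#
# Header stage: size in the 10000-50000 byte window, multipart/mixed, a
# From: containing "admin@" and a Subject: containing "your account" (both
# case-insensitive, and both forgeable -- the body stage is what makes this
# specific).  Body stage: a base64 attachment named message.zip; the two
# "9876543210^1" scoring lines are an OR covering the filename on the same
# line as the header and on a folded continuation line ("$" matches a
# newline in a procmail regex), as in the SoBig.F rule.
#
# Disposition: QUARANTINE.  The repeated "<url>" in the REPORT header looks
# like a mail-client artifact of the posted copy.
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
* ^From:.*admin@
* ^Subject:.*your account
{
  :0 B
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?message\.zip"?
  * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?message\.zip"?
  {
    LOG="TRAPPED: Probable MiMail worm "
    :0 hfi
    | formail -A "X-Content-Security: [$HOST] NOTIFY" \
      -A "X-Content-Security: [$HOST] QUARANTINE" \
      -A "X-Content-Security: [$HOST] REPORT: Trapped MiMail worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html <http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html> "
  }
}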