[Esd-l] Re: [Esa-l] Sanitizer rule for Novarg .ZIP attack
John D. Hardin
jhardin at impsec.org
Wed Jan 28 20:55:48 PST 2004
On Thu, 29 Jan 2004, Torkil Zachariassen wrote:
> I did not update procmailrc, but instead added a
>
> *.zip
>
> to /etc/procmail/poisoned-files. Sorry.
That won't work unless you also add "zip" to your mangled extensions
list.
> Yes - this is paranoia, but maintaining the
>
> *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
> "?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
>
> lines looks like a dead cat to me. YMMV.
True. I'm beginning to agree.
I *think* the other parts of the signature are strong enough that it
can be changed to [A-Za-z0-9]+\.zip - unless you are using this in the
part of the world where charset "Windows-1252" is common, in which
case you'll be getting false positives.
PLEASE see the suggested local rules, which contain revisions that
increase reliability. I have also changed it to trigger on all .ZIPs.
I am not going to add base64 strings to the signature as novarg-b has
already appeared.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
66 days until the Slovakian Presidential Election
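As an added illustration (not part of John's message or the Sanitizer's own code), the following Python compares the Novarg-style name pattern quoted in the thread with the relaxed `[A-Za-z0-9]+\.zip` form, run over constructed attachment header values. It assumes procmail's default case-insensitive matching and uses a minimal, hypothetical filename-parameter parser.

```python
import re

# The pattern quoted in the thread (Novarg-style attachment names) and the
# relaxed form John proposes. procmail conditions are case-insensitive by
# default, so re.IGNORECASE reproduces that behaviour.
NOVARG_NAME = re.compile(
    r'"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?',
    re.IGNORECASE)
RELAXED_NAME = re.compile(r'[A-Za-z0-9]+\.zip', re.IGNORECASE)


def filename_from_header(header_value):
    """Pull the filename (or name) parameter out of a Content-Disposition
    or Content-Type header value, e.g. 'attachment; filename="body.zip"'.
    Hypothetical helper; returns None when no such parameter is present."""
    m = re.search(r'(?:file)?name\s*=\s*("[^"]*"|[^;\s]+)',
                  header_value, re.IGNORECASE)
    return m.group(1) if m else None


def classify(header_value):
    """Report which of the two patterns the attachment name would trigger.
    Both patterns are searched unanchored, as a procmail condition would be."""
    name = filename_from_header(header_value)
    if name is None:
        return {"name": None, "novarg": False, "relaxed": False}
    return {"name": name,
            "novarg": bool(NOVARG_NAME.search(name)),
            "relaxed": bool(RELAXED_NAME.search(name))}


# Constructed sample header values (not taken from any real message).
SAMPLES = [
    'attachment; filename="document.zip"',   # Novarg-style: both match
    'attachment; filename="readme17.zip"',   # keyword + digits: both match
    'attachment; filename=body.zip',         # unquoted: both match
    'attachment; filename="photos2003.zip"', # only the relaxed form matches
    'attachment; filename="my files.zip"',   # relaxed matches "files.zip"
    'attachment; filename="report.pdf"',     # not a .zip: neither matches
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(classify(h))
```

The output shows why the relaxed name pattern on its own is effectively "all .ZIPs": the rest of the signature has to supply the specificity, as the message says.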