commit 0d5d24b: [Project] Lua_magic: Moar patterns
Vsevolod Stakhov
vsevolod at highsecure.ru
Fri Sep 6 17:49:13 UTC 2019
Author: Vsevolod Stakhov
Date: 2019-09-06 18:03:19 +0100
URL: https://github.com/rspamd/rspamd/commit/0d5d24b15877bce801381da5b161d62a4ef0bae9
[Project] Lua_magic: Moar patterns
---
lualib/lua_magic/patterns.lua | 151 +++++++++++++++++++++++++++++++++++++++++-
lualib/lua_magic/types.lua | 58 ++++++++++++++--
2 files changed, 202 insertions(+), 7 deletions(-)
diff --git a/lualib/lua_magic/patterns.lua b/lualib/lua_magic/patterns.lua
index a52baa790..dd723f6e8 100644
--- a/lualib/lua_magic/patterns.lua
+++ b/lualib/lua_magic/patterns.lua
@@ -98,6 +98,36 @@ local patterns = {
}
}
},
+ elf = {
+ matches = {
+ {
+ hex = [[7f454c46]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ lnk = {
+ matches = {
+ {
+ hex = [[4C0000000114020000000000C000000000000046]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ class = {
+ -- Technically, this also matches MachO files, but I don't care about
+ -- Apple and their mental health problems here: just consider Java files,
+ -- Mach object files and all other cafe babes as bad and block them!
+ matches = {
+ {
+ hex = [[cafebabe]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
-- Archives
arj = {
matches = {
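Review bot: The comment on the new `class` entry records that `cafebabe` deliberately lumps Java class files together with Mach-O fat binaries, but not how a maintainer could separate them later, which is the one thing someone tuning this pattern would need; the types.lua entry added in this commit labels both as `application/x-java-applet`. If they ever need separating, the big-endian word at offset 4 does it: a Java class file carries its minor/major version there (45 or more for any real class), whereas a fat Mach-O carries a small architecture count. A comment such as `-- 0xCAFEBABE is shared by Java class files and Mach-O fat binaries; both are intentionally reported as 'class' and treated as executable (the u32 at offset 4 tells them apart: class version vs. arch count)` would preserve the intent and make it actionable.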
@@ -120,7 +150,82 @@ local patterns = {
cab = {
matches = {
{
- string = [[MSCF]],
+ hex = [[4d53434600000000]], -- Can be anywhere for SFX :(
+ position = {'>=', 8},
+ weight = 60,
+ },
+ }
+ },
+ tar = {
+ matches = {
+ {
+ string = [[ustar]],
+ relative_position = 257,
+ weight = 60,
+ },
+ }
+ },
+ bz2 = {
+ matches = {
+ {
+ string = "BZ[h0]",
+ position = 3,
+ weight = 60,
+ },
+ }
+ },
+ lz4 = {
+ matches = {
+ {
+ hex = "184d2204",
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = "184c2103",
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = "184c2102",
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ zst = {
+ matches = {
+ {
+ string = [[\x{FD}\x{2F}\x{B5}[\x{22}-\x{40}].]],
+ position = 5, -- includes last .
+ weight = 60,
+ },
+ }
+ },
+ -- Apple is a 'special' child: this needs to be matched at the data tail...
+ dmg = {
+ matches = {
+ {
+ string = [[koly]],
+ position = -512 + 4,
+ weight = 61,
+ tail = 512,
+ },
+ }
+ },
+ szdd = {
+ matches = {
+ {
+ hex = [[535a4444]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ xz = {
+ matches = {
+ {
+ hex = [[FD377A585A00]],
relative_position = 0,
weight = 60,
},
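Review bot: The lz4 and zst signatures look like the integer notation of the magic numbers rather than on-disk byte order, unlike the other `hex` entries in this file (`7f454c46` is the literal byte sequence of `\x7fELF`, `FD377A585A00` the literal xz header). LZ4 frames start with the little-endian bytes `04 22 4d 18` (legacy `02 21 4c 18` / `03 21 4c 18`) and zstd frames with `28 b5 2f fd` (legacy values differ only in the first byte), so if `hex` and `string` are matched as byte sequences, as the ELF entry suggests, these new types never fire on real archives and slip through undetected. Reversing each value fixes it; the zst pattern then no longer needs the trailing `.`, so `position` becomes 4 if it is the match end offset as the original comment implies. Separately, the cab signature is now accepted at any offset with the unchanged weight 60, so a container that merely embeds a cabinet is classified as cab; a lower weight for the `>=` match may be worth considering.
```lua
  lz4 = {
    matches = {
      {
        hex = "04224d18", -- 0x184D2204, little-endian on disk
        -- … unchanged: relative_position, weight …
      },
      {
        hex = "03214c18", -- 0x184C2103
        -- … unchanged …
      },
      {
        hex = "02214c18", -- 0x184C2102
        -- … unchanged …
      },
    }
  },
  zst = {
    matches = {
      {
        string = [[[\x{22}-\x{40}]\x{B5}\x{2F}\x{FD}]],
        position = 4,
        -- … unchanged: weight …
      },
    }
  },
```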
@@ -163,6 +268,39 @@ local patterns = {
},
}
},
+ swf = {
+ matches = {
+ {
+ hex = [[5a5753]], -- LZMA
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = [[435753]], -- Zlib
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = [[465753]], -- Uncompressed
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
+ tiff = {
+ matches = {
+ {
+ hex = [[49492a00]], -- LE encoded
+ relative_position = 0,
+ weight = 60,
+ },
+ {
+ hex = [[4d4d]], -- BE tiff
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
-- Other
pgp = {
matches = {
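Review bot: The big-endian TIFF entry matches only the two bytes `4d4d` ("MM") at offset 0 yet carries the same weight 60 as the full little-endian signature `49492a00`, so any payload that happens to begin with "MM" (plain text included) is reported as a TIFF image. The BE header is the four bytes `4d4d002a` ("MM\0*"), mirroring the LE form; `hex = [[4d4d002a]], -- BE tiff` gives it the same selectivity as the LE entry. If BigTIFF should be covered too, `4d4d002b` and `49492b00` are its equivalents.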
@@ -177,7 +315,16 @@ local patterns = {
weight = 60,
},
}
- }
+ },
+ uue = {
+ matches = {
+ {
+ hex = [[626567696e20]],
+ relative_position = 0,
+ weight = 60,
+ },
+ }
+ },
}
return patterns
\ No newline at end of file
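Review bot: The uue signature is just the six ASCII bytes `626567696e20` ("begin ") at offset 0, so any text that opens with the word "begin " (scripts, SQL blocks, prose) is classified as application/x-uuencoded at weight 60. A uuencode header has the form `begin <octal mode> <name>`, so anchoring on the mode digits is cheap and far more selective, e.g. `string = [[begin [0-7][0-7][0-7] ]],` in place of the hex line; the pattern stays fixed-length, so `relative_position = 0` should remain valid. Alternatively lower the weight so a stronger match elsewhere can override it.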
diff --git a/lualib/lua_magic/types.lua b/lualib/lua_magic/types.lua
index 667296715..20089c9c2 100644
--- a/lualib/lua_magic/types.lua
+++ b/lualib/lua_magic/types.lua
@@ -27,6 +27,18 @@ local types = {
ct = 'application/x-ms-application',
type = 'executable',
},
+ elf = {
+ ct = 'application/x-elf-executable',
+ type = 'executable',
+ },
+ lnk = {
+ ct = 'application/x-ms-application',
+ type = 'executable',
+ },
+ class = {
+ ct = 'application/x-java-applet',
+ type = 'executable',
+ },
-- text
rtf = {
ct = "application/rtf",
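Review bot: The new `lnk` entry reuses `application/x-ms-application`, the same ct as the executable entry just above it, so anything downstream that keys on ct rather than on the type name cannot tell a Windows shortcut from that type, and shortcuts are a distinct attachment risk worth filtering on their own. The widely used `application/x-ms-shortcut` keeps them apart: `ct = 'application/x-ms-shortcut',`. The `class` label `application/x-java-applet` also covers Mach-O fat binaries according to the patterns.lua comment in this commit; a one-line comment here saying so would spare the next reader a surprise.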
@@ -41,23 +53,51 @@ local types = {
type = 'binary',
},
chm = {
- ct = 'application/chm',
+ ct = 'application/x-chm',
type = 'binary',
},
djvu = {
- ct = 'application/djvu',
+ ct = 'application/x-djvu',
type = 'binary',
},
-- archives
arj = {
- ct = 'application/x-compressed',
+ ct = 'application/x-arj',
type = 'archive',
},
cab = {
- ct = 'application/x-compressed',
+ ct = 'application/x-cab',
type = 'archive',
},
ace = {
+ ct = 'application/x-ace',
+ type = 'archive',
+ },
+ tar = {
+ ct = 'application/x-tar',
+ type = 'archive',
+ },
+ bz2 = {
+ ct = 'application/x-bzip',
+ type = 'archive',
+ },
+ xz = {
+ ct = 'application/x-xz',
+ type = 'archive',
+ },
+ lz4 = {
+ ct = 'application/x-lz4',
+ type = 'archive',
+ },
+ zst = {
+ ct = 'application/x-zstandard',
+ type = 'archive',
+ },
+ dmg = {
+ ct = 'application/x-dmg',
+ type = 'archive',
+ },
+ szdd = { -- in fact, their MSDOS extension is like FOO.TX_ or FOO.TX$
ct = 'application/x-compressed',
type = 'archive',
},
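Review bot: This hunk changes the ct of five pre-existing types (chm, djvu, arj, cab, ace) with no mention in the commit message, so any rule or configuration that matched the old strings such as `application/chm` or `application/x-compressed` will presumably stop firing silently after an upgrade; the renames deserve a line in the description or changelog. Among the new names, `application/x-bzip` conventionally denotes the old bzip v1 format while `application/x-bzip2` is the usual label for "BZh" streams; since the matching pattern accepts both `BZ0` and `BZh`, either use `x-bzip2` or note the dual meaning in a comment. `application/x-dmg` is likewise non-standard; `application/x-apple-diskimage` is the form shared-mime-info uses.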
@@ -82,11 +122,19 @@ local types = {
ct = 'image/ico',
type = 'image',
},
+ swf = {
+ ct = 'application/x-shockwave-flash',
+ type = 'image',
+ },
-- other
pgp = {
ct = 'application/encrypted',
type = 'encrypted'
- }
+ },
+ uue = {
+ ct = 'application/x-uuencoded',
+ type = 'binary',
+ },
}
return types
\ No newline at end of file
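Review bot: `swf` is given `type = 'image'`, but Flash files carry executable ActionScript and have been a frequent malware carrier, so any policy that treats the `image` class as low-risk (for instance skipping attachment checks for images) would pass them through. Unless the type field is purely cosmetic, `type = 'executable',` (or at least `'binary'`) reflects the risk better and is consistent with how exe, elf and class are classified earlier in this file.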