[Rspamd-Users] Rspamd - oletools extended mode

Lemke, Björn Bjoern.Lemke at oberhausen.de
Tue Aug 25 12:52:33 UTC 2020 

Hej,

I am trying to get oletools (via olefy) working in extended mode. 
Default mode seems to be working nicely since the symbol "OLETOOLS" is set when confronted with a DOCM document containing an Autostart-Macro trying to start a windows shell command:
<snip>
OLETOOLS (15) [AutoExec + Suspicious (Document_New,Document_Open,Shell,WINDOWS)]
</snip>

So now I want to use oletools in extended mode in order to set specific symbols e.g. for "Macro Found", "Macro AutoExec" and "Macro Suspicious" to be able to attach distinct scores to each one of these symbols.
But I can't get get it to work. What am I missing?

Configuration below, thanks in advance for any hint!


Regards

Björn



===== local.d/external_services.conf =====
oletools {
  # default olefy settings
  servers = "127.0.0.1:10050"

  # needs to be set explicitly for Rspamd < 1.9.5
  scan_mime_parts = true;

  # mime-part regex matching in content-type or filename
  mime_parts_filter_regex {
    #UNKNOWN = "application\/octet-stream";
    DOC2 = "application\/msword";
    DOC3 = "application\/vnd\.ms-word.*";
    XLS = "application\/vnd\.ms-excel.*";
    PPT = "application\/vnd\.ms-powerpoint.*";
    GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
  }
  # mime-part filename extension matching (no regex)
  mime_parts_filter_ext {
    doc = "doc";
    dot = "dot";
    docx = "docx";
    dotx = "dotx";
    docm = "docm";
    dotm = "dotm";
    xls = "xls";
    xlt = "xlt";
    xla = "xla";
    xlsx = "xlsx";
    xltx = "xltx";
    xlsm = "xlsm";
    xltm = "xltm";
    xlam = "xlam";
    xlsb = "xlsb";
    ppt = "ppt";
    pot = "pot";
    pps = "pps";
    ppa = "ppa";
    pptx = "pptx";
    potx = "potx";
    ppsx = "ppsx";
    ppam = "ppam";
    pptm = "pptm";
    potm = "potm";
    ppsm = "ppsm";
  }
  patterns {
    # catch Macro, AutoExec, Suspicious and Hex Strings
    BAD_MACRO_MYFLAGS = '^MAS.H...$';
    BAD_MACRO_SHELL   = '^Shell$';
  }
}

===== local.d/external_services_group.conf =====
"OLETOOLS" {
    weight = 1.0;
    description = "OLETOOLS found a Macro";
    one_shot = true;
  }

More information about the Users mailing list