[Rspamd-Users] Rspamd - oletools extended mode

Carsten Rosenberg cr at ncxs.de
Tue Aug 25 17:04:20 UTC 2020


Hey,

your config seems to be correct, but you need to add extended=true.

Sorry, this option is clearly missing from the documentation.


https://github.com/rspamd/rspamd.com/pull/468

--
Carsten


On 25.08.20 14:52, Lemke, Björn wrote:
> Hej,
> 
> I am trying to get oletools (via olefy) working in extended mode. 
> Default mode seems to be working nicely, since the symbol "OLETOOLS" is set when confronted with a DOCM document containing an Autostart-Macro trying to start a Windows shell command:
> <snip>
> OLETOOLS (15) [AutoExec + Suspicious (Document_New,Document_Open,Shell,WINDOWS)]
> </snip>
> 
> So now I want to use oletools in extended mode in order to set specific symbols e.g. for "Macro Found", "Macro AutoExec" and "Macro Suspicious" to be able to attach distinct scores to each one of these symbols.
> But I can't get it to work. What am I missing?
> 
> Configuration below, thanks in advance for any hint!
> 
> 
> Regards
> 
> Björn
> 
> 
> 
> ===== local.d/external_services.conf =====
> oletools {
>   # default olefy settings
>   servers = "127.0.0.1:10050";
> 
>   # needs to be set explicitly for Rspamd < 1.9.5
>   scan_mime_parts = true;
> 
>   # mime-part regex matching in content-type or filename
>   mime_parts_filter_regex {
>     #UNKNOWN = "application\/octet-stream";
>     DOC2 = "application\/msword";
>     DOC3 = "application\/vnd\.ms-word.*";
>     XLS = "application\/vnd\.ms-excel.*";
>     PPT = "application\/vnd\.ms-powerpoint.*";
>     GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
>   }
>   # mime-part filename extension matching (no regex)
>   mime_parts_filter_ext {
>     doc = "doc";
>     dot = "dot";
>     docx = "docx";
>     dotx = "dotx";
>     docm = "docm";
>     dotm = "dotm";
>     xls = "xls";
>     xlt = "xlt";
>     xla = "xla";
>     xlsx = "xlsx";
>     xltx = "xltx";
>     xlsm = "xlsm";
>     xltm = "xltm";
>     xlam = "xlam";
>     xlsb = "xlsb";
>     ppt = "ppt";
>     pot = "pot";
>     pps = "pps";
>     ppa = "ppa";
>     pptx = "pptx";
>     potx = "potx";
>     ppsx = "ppsx";
>     ppam = "ppam";
>     pptm = "pptm";
>     potm = "potm";
>     ppsm = "ppsm";
>   }
>   patterns {
>     # catch Macro, AutoExec, Suspicious and Hex Strings
>     BAD_MACRO_MYFLAGS = '^MAS.H...$';
>     BAD_MACRO_SHELL   = '^Shell$';
>   }
> }
> 
> ===== local.d/external_services_group.conf =====
> "OLETOOLS" {
>   weight = 1.0;
>   description = "OLETOOLS found a Macro";
>   one_shot = true;
> }
> 
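Worked example, added here and not code from the thread, from rspamd or from olefy: it applies the two regexes from the quoted `patterns` block to an olevba-style result and shows why extended mode matters for scoring. Three things are assumptions, not facts from the page: that olevba's flag summary is an 8-character string in the fixed order `MASIHBDV` (Macros, AutoExec, Suspicious, IOC, Hex strings, Base64, Dridex, VBA strings) with `-` for an absent category, which is what makes `^MAS.H...$` line up; that each `patterns` regex is tested against the flag summary and against each reported keyword and yields one symbol when it matches; and that extended mode names its per-flag symbols `OLETOOLS_<FLAG>`. The sample flag strings, keyword list and per-symbol weights are constructed.

```python
"""Added example (not rspamd's or olefy's code): map an olevba-style flag
summary and keyword list to rspamd symbols, the way the quoted `patterns`
block and extended mode are expected to behave."""
import re
from typing import Dict, Iterable, Set

# The `patterns` block from the quoted local.d/external_services.conf.
PATTERNS = {
    "BAD_MACRO_MYFLAGS": r"^MAS.H...$",   # Macro + AutoExec + Suspicious + Hex strings
    "BAD_MACRO_SHELL": r"^Shell$",        # the Shell keyword itself
}

# Assumption: olevba summarises its analysis as an 8-character flag string in
# this fixed order, with '-' where a category was not found.
FLAG_ORDER = "MASIHBDV"
FLAG_NAMES = {
    "M": "macro", "A": "autoexec", "S": "suspicious", "I": "ioc",
    "H": "hex_strings", "B": "base64", "D": "dridex", "V": "vba_strings",
}


def parse_flags(summary: str) -> Dict[str, bool]:
    """Turn a flag summary such as 'MAS-H---' into named booleans.

    Rejects strings of the wrong length or with a letter in the wrong slot,
    so a malformed scanner reply is not silently treated as 'no findings'."""
    if len(summary) != len(FLAG_ORDER):
        raise ValueError(f"expected {len(FLAG_ORDER)} flag characters, got {summary!r}")
    parsed = {}
    for expected, got in zip(FLAG_ORDER, summary):
        if got not in (expected, "-"):
            raise ValueError(f"unexpected {got!r} in the {expected} slot of {summary!r}")
        parsed[FLAG_NAMES[expected]] = got == expected
    return parsed


def match_patterns(summary: str, keywords: Iterable[str],
                   patterns: Dict[str, str] = PATTERNS) -> Set[str]:
    """Symbols whose regex matches the flag summary or any single keyword.

    Assumption: this is how the `patterns` section is applied, one symbol per
    matching regex."""
    hits = set()
    keywords = list(keywords)
    for symbol, regex in patterns.items():
        rx = re.compile(regex)
        if rx.search(summary) or any(rx.search(k) for k in keywords):
            hits.add(symbol)
    return hits


def extended_symbols(summary: str) -> Set[str]:
    """Per-flag symbols of extended mode (assumed naming: OLETOOLS_<FLAG>)."""
    return {f"OLETOOLS_{name.upper()}" for name, on in parse_flags(summary).items() if on}


def score(symbols: Iterable[str], weights: Dict[str, float]) -> float:
    """Sum the configured weight of every symbol that fired; unknown symbols
    score 0, as they would without a group entry."""
    return sum(weights.get(s, 0.0) for s in symbols)


# Constructed per-symbol weights: the distinct scores the question asks for.
WEIGHTS = {
    "OLETOOLS_MACRO": 1.0,
    "OLETOOLS_AUTOEXEC": 3.0,
    "OLETOOLS_SUSPICIOUS": 3.0,
    "OLETOOLS_HEX_STRINGS": 1.0,
    "BAD_MACRO_MYFLAGS": 5.0,
    "BAD_MACRO_SHELL": 5.0,
}

# Constructed sample mirroring the quoted olevba output (keywords
# Document_New, Document_Open, Shell, WINDOWS); hex strings added so the
# MYFLAGS pattern can fire.
SAMPLE_FLAGS = "MAS-H---"
SAMPLE_KEYWORDS = ["Document_New", "Document_Open", "Shell", "WINDOWS"]

if __name__ == "__main__":
    fired = extended_symbols(SAMPLE_FLAGS) | match_patterns(SAMPLE_FLAGS, SAMPLE_KEYWORDS)
    print(sorted(fired), score(fired, WEIGHTS))
    # A macro that only auto-executes: extended mode still yields two
    # scoreable symbols, while neither custom pattern matches.
    quiet = extended_symbols("MA------") | match_patterns("MA------", ["Document_Open"])
    print(sorted(quiet), score(quiet, WEIGHTS))
```

The second sample is the reason for extended mode in the quoted question: with only the single `OLETOOLS` symbol a document that merely has an auto-executing macro and one that also carries suspicious keywords and hex strings would receive the same score, whereas per-flag symbols let each category carry its own weight.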