[Rspamd-Users] using oletools with olefy

J. Echter j.echter at echter-kuechen-elektro.de
Mon Aug 31 09:26:15 UTC 2020


Am 21.07.20 um 17:11 schrieb J. Echter:
> Hi,
>
> i'd like to use the oletools with rspamd, but it doesn't work as
> expected. (i commented below)
>
>
> I have the following config files:
>
> local.d/external_services.conf
>
> oletools {
>   # default olefy settings
>   servers = "127.0.0.1:10632"
>
>   # needs to be set explicitly for Rspamd < 1.9.5
>   scan_mime_parts = true;
>
>   # mime-part regex matching in content-type or filename
>   mime_parts_filter_regex {
>     #UNKNOWN = "application\/octet-stream";
>     DOC2 = "application\/msword";
>     DOC3 = "application\/vnd\.ms-word.*";
>     XLS = "application\/vnd\.ms-excel.*";
>     PPT = "application\/vnd\.ms-powerpoint.*";
>     GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
>   }
>   # mime-part filename extension matching (no regex)
>   mime_parts_filter_ext {
>     doc = "doc";
>     dot = "dot";
>     docx = "docx";
>     dotx = "dotx";
>     docm = "docm";
>     dotm = "dotm";
>     xls = "xls";
>     xlt = "xlt";
>     xla = "xla";
>     xlsx = "xlsx";
>     xltx = "xltx";
>     xlsm = "xlsm";
>     xltm = "xltm";
>     xlam = "xlam";
>     xlsb = "xlsb";
>     ppt = "ppt";
>     pot = "pot";
>     pps = "pps";
>     ppa = "ppa";
>     pptx = "pptx";
>     potx = "potx";
>     ppsx = "ppsx";
>     ppam = "ppam";
>     pptm = "pptm";
>     potm = "potm";
>     ppsm = "ppsm";
>   }
>   patterns {
>     # catch Macro, AutoExec, Suspicious and Hex Strings
>     BAD_MACRO_MYFLAGS = '^MAS.H...$';
>     BAD_MACRO_SHELL   = '^Shell$';
>   }
> }
>
> local.d/external_services_group.conf
>
> "OLETOOLS" {
>     weight = 1.0;
>     description = "OLETOOLS found a Macro";
>     one_shot = true;
>   }
>
> Also i set olefy (i set debug logging in the conf) up and it is running:
>
> Jul 21 17:02:54 mail systemd[1]: Started olefy Socket Service.
> Jul 21 17:02:54 mail python3[22283]: olefy DEBUG <module> olefy listen
> address string: 127.0.0.1, ::1 (type <class 'str'>)
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy listen
> address: ['127.0.0.1', '::1'] (type: <class 'list'>)
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy listen
> port: 10632
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy tmp dir: /tmp
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy python
> path: /usr/bin/python3
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy olvba
> path: /usr/bin/olevba-3
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy log level: 10
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy min file
> length: 500
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy delete
> tmp file: 1
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy delete
> tmp file when failed: 1
> Jul 21 17:02:54 mail python3[22283]: olefy DEBUG __init__ Using
> selector: EpollSelector
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> serving on
> ('127.0.0.1', 10632)
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> serving on
> ('::1', 10632, 0, 0)
>
> I have seen one connection made from rspamd by sending a .doc testmail:
>
> Jul 21 16:53:35 mail python3[21894]: olefy DEBUG connection_made
> ('127.0.0.1', 48336) new connection was made
> Jul 21 16:53:35 mail python3[21894]: olefy DEBUG data_received
> ('127.0.0.1', 48336) data received from new connection
> Jul 21 16:53:35 mail python3[21894]: olefy DEBUG protocol_split
> olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID':
> '068495c07a7c5942887'}
> Jul 21 16:53:35 mail python3[21894]: olefy DEBUG eof_received <068495>
> /tmp/1595343215.9703288.48336 choosen as tmp filename
> Jul 21 16:53:35 mail python3[21894]: olefy INFO eof_received <068495>
> 30208 bytes (stream size)
> Jul 21 16:53:35 mail python3[21894]: olefy INFO oletools <068495>
> application/msword (libmagic output)
> Jul 21 16:53:36 mail python3[21894]: olefy DEBUG oletools <068495>
> /tmp/1595343215.9703288.48336 deleting tmp file
> Jul 21 16:53:36 mail python3[21894]: olefy DEBUG oletools <068495>
> response: [  {    "script_name": "olevba",    "version": "0.54.2",   
> "url": "http://decalage.info/python/oletools",    "type":
> "MetaInformation"  },  {    "container": null,    "file":
> "/tmp/1595343215.9703288.48336",    "json_conversion_successful":
> true,    "analysis": null,    "code_deobfuscated": null,   
> "do_deobfuscate": false,    "type": "OLE",    "macros": []  },  {   
> "type": "MetaInformation",    "return_code": 0,    "n_processed": 1  }]
> Jul 21 16:53:36 mail python3[21894]: olefy INFO eof_received <068495>
> ('127.0.0.1', 48336) response send: b'[  {    "script_name":
> "olevba",    "version": "0.54.2",    "url":
> "http://decalage.info/python/oletools",    "type": "MetaInformation" 
> },  {    "container": null,    "file":
> "/tmp/1595343215.9703288.48336",    "json_conversion_successful":
> true,    "analysis": null,    "code_deobfuscated": null,   
> "do_deobfuscate": false,    "type": "OLE",    "macros": []  },  {   
> "type": "MetaInformation",    "return_code": 0,    "n_processed": 1 
> }]\t\n\n\t'
>
> But i havent seen any other doc files scanned after the above one, i
> sent quite a few mails after that.
>
> Also i don't see "oletools" in the X-Spamd-Results in the mail source.
>
> I'm on centos 7 and rspamd is from the rspamd repo (version 2.5), also i
> cloned the olefy github repo and set everything up as described there. I
> installed python36-oletools with yum and did pip3 install python-magic,
> the python-magic i could install with yum didn't seem to work.
>
> Anything i have overlooked?
>
> Thanks for helping me :)
>
> Juergen
>
>

Hi,

i'm still trying to get this running.

I have seen in my history the following:

cannot add dependency from BAD_MACRO_MYFLAGS on OLETOOLS: invalid symbol
types

What does this mean? Am i missing some configuration options there?

Thanks for your help


Juergen



More information about the Users mailing list