[Rspamd-Users] using oletools with olefy
J. Echter
j.echter at echter-kuechen-elektro.de
Mon Aug 31 09:26:15 UTC 2020
On 21.07.20 at 17:11, J. Echter wrote:
> Hi,
>
> I'd like to use the oletools with rspamd, but it doesn't work as
> expected. (I commented below.)
>
>
> I have the following config files:
>
> local.d/external_services.conf
>
> oletools {
> # default olefy settings
> servers = "127.0.0.1:10632"
>
> # needs to be set explicitly for Rspamd < 1.9.5
> scan_mime_parts = true;
>
> # mime-part regex matching in content-type or filename
> mime_parts_filter_regex {
> #UNKNOWN = "application\/octet-stream";
> DOC2 = "application\/msword";
> DOC3 = "application\/vnd\.ms-word.*";
> XLS = "application\/vnd\.ms-excel.*";
> PPT = "application\/vnd\.ms-powerpoint.*";
> GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
> }
> # mime-part filename extension matching (no regex)
> mime_parts_filter_ext {
> doc = "doc";
> dot = "dot";
> docx = "docx";
> dotx = "dotx";
> docm = "docm";
> dotm = "dotm";
> xls = "xls";
> xlt = "xlt";
> xla = "xla";
> xlsx = "xlsx";
> xltx = "xltx";
> xlsm = "xlsm";
> xltm = "xltm";
> xlam = "xlam";
> xlsb = "xlsb";
> ppt = "ppt";
> pot = "pot";
> pps = "pps";
> ppa = "ppa";
> pptx = "pptx";
> potx = "potx";
> ppsx = "ppsx";
> ppam = "ppam";
> pptm = "pptm";
> potm = "potm";
> ppsm = "ppsm";
> }
> patterns {
> # catch Macro, AutoExec, Suspicious and Hex Strings
> BAD_MACRO_MYFLAGS = '^MAS.H...$';
> BAD_MACRO_SHELL = '^Shell$';
> }
> }
>
> local.d/external_services_group.conf
>
> "OLETOOLS" {
> weight = 1.0;
> description = "OLETOOLS found a Macro";
> one_shot = true;
> }
>
> Also I set olefy up (I set debug logging in the conf) and it is running:
>
> Jul 21 17:02:54 mail systemd[1]: Started olefy Socket Service.
> Jul 21 17:02:54 mail python3[22283]: olefy DEBUG <module> olefy listen
> address string: 127.0.0.1, ::1 (type <class 'str'>)
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy listen
> address: ['127.0.0.1', '::1'] (type: <class 'list'>)
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy listen
> port: 10632
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy tmp dir: /tmp
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy python
> path: /usr/bin/python3
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy olvba
> path: /usr/bin/olevba-3
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy log level: 10
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy min file
> length: 500
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy delete
> tmp file: 1
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy delete
> tmp file when failed: 1
> Jul 21 17:02:54 mail python3[22283]: olefy DEBUG __init__ Using
> selector: EpollSelector
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> serving on
> ('127.0.0.1', 10632)
> Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> serving on
> ('::1', 10632, 0, 0)
>
> I have seen one connection made from rspamd by sending a .doc testmail:
>
> Jul 21 16:53:35 mail python3[21894]: olefy DEBUG connection_made
> ('127.0.0.1', 48336) new connection was made
> Jul 21 16:53:35 mail python3[21894]: olefy DEBUG data_received
> ('127.0.0.1', 48336) data received from new connection
> Jul 21 16:53:35 mail python3[21894]: olefy DEBUG protocol_split
> olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID':
> '068495c07a7c5942887'}
> Jul 21 16:53:35 mail python3[21894]: olefy DEBUG eof_received <068495>
> /tmp/1595343215.9703288.48336 choosen as tmp filename
> Jul 21 16:53:35 mail python3[21894]: olefy INFO eof_received <068495>
> 30208 bytes (stream size)
> Jul 21 16:53:35 mail python3[21894]: olefy INFO oletools <068495>
> application/msword (libmagic output)
> Jul 21 16:53:36 mail python3[21894]: olefy DEBUG oletools <068495>
> /tmp/1595343215.9703288.48336 deleting tmp file
> Jul 21 16:53:36 mail python3[21894]: olefy DEBUG oletools <068495>
> response: [ { "script_name": "olevba", "version": "0.54.2",
> "url": "http://decalage.info/python/oletools", "type":
> "MetaInformation" }, { "container": null, "file":
> "/tmp/1595343215.9703288.48336", "json_conversion_successful":
> true, "analysis": null, "code_deobfuscated": null,
> "do_deobfuscate": false, "type": "OLE", "macros": [] }, {
> "type": "MetaInformation", "return_code": 0, "n_processed": 1 }]
> Jul 21 16:53:36 mail python3[21894]: olefy INFO eof_received <068495>
> ('127.0.0.1', 48336) response send: b'[ { "script_name":
> "olevba", "version": "0.54.2", "url":
> "http://decalage.info/python/oletools", "type": "MetaInformation"
> }, { "container": null, "file":
> "/tmp/1595343215.9703288.48336", "json_conversion_successful":
> true, "analysis": null, "code_deobfuscated": null,
> "do_deobfuscate": false, "type": "OLE", "macros": [] }, {
> "type": "MetaInformation", "return_code": 0, "n_processed": 1
> }]\t\n\n\t'
>
> But I haven't seen any other doc files scanned after the above one; I
> sent quite a few mails after that.
>
> Also I don't see "oletools" in the X-Spamd-Results in the mail source.
>
> I'm on CentOS 7 and rspamd is from the rspamd repo (version 2.5); also I
> cloned the olefy GitHub repo and set everything up as described there. I
> installed python36-oletools with yum and did pip3 install python-magic;
> the python-magic I could install with yum didn't seem to work.
>
> Anything I have overlooked?
>
> Thanks for helping me :)
>
> Juergen
>
>
Hi,
I'm still trying to get this running.
I have seen in my history the following:
cannot add dependency from BAD_MACRO_MYFLAGS on OLETOOLS: invalid symbol
types
What does this mean? Am I missing some configuration options there?
Thanks for your help
Juergen
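An added Python example (not code from the thread, rspamd or olefy) showing how a reply in the shape logged above would be reduced to the symbols that the `patterns` block in local.d/external_services.conf describes: it reads the olefy JSON, builds an olevba-style MASIHBDV flags string from the macros list and analysis entries, and matches each pattern against that string and against each analysis keyword. The analysis entry layout, the sample file paths and the rule that patterns are tested against both flags and keywords are assumptions, not taken from the thread.

```python
import json
import re

# Constructed samples in the shape olefy logs above ("response: [ ... ]"): a
# MetaInformation record, one record per scanned file, and a trailing
# MetaInformation record with return_code.  olefy ends the reply with "\t\n\n\t".
CLEAN_RESPONSE = json.dumps([
    {"script_name": "olevba", "version": "0.54.2", "type": "MetaInformation"},
    {"file": "/tmp/sample.doc", "type": "OLE", "macros": [], "analysis": None},
    {"type": "MetaInformation", "return_code": 0, "n_processed": 1},
]) + "\t\n\n\t"

# Assumed olevba analysis entry layout (type/keyword); the thread shows none.
MACRO_RESPONSE = json.dumps([
    {"script_name": "olevba", "version": "0.54.2", "type": "MetaInformation"},
    {"file": "/tmp/sample2.doc", "type": "OLE",
     "macros": [{"vba_filename": "ThisDocument.cls", "code": "Sub AutoOpen()"}],
     "analysis": [{"type": "AutoExec", "keyword": "AutoOpen"},
                  {"type": "Suspicious", "keyword": "Shell"},
                  {"type": "Hex String", "keyword": "4d5a"}]},
    {"type": "MetaInformation", "return_code": 0, "n_processed": 1},
])

# Flag order follows olevba's summary: M A S I H B D V (e.g. "MAS-H---").
FLAG_TYPES = ["AutoExec", "Suspicious", "IOC", "Hex String",
              "Base64 String", "Dridex String", "VBA string"]
PATTERNS = {"BAD_MACRO_MYFLAGS": r"^MAS.H...$", "BAD_MACRO_SHELL": r"^Shell$"}

def parse_olefy_response(raw):
    """Return (return_code, flags, keywords) from an olefy JSON reply."""
    return_code, flags, keywords = 0, ["-"] * 8, []
    for rec in json.loads(raw):           # surrounding whitespace is ignored
        if rec.get("type") == "MetaInformation":
            return_code = rec.get("return_code", return_code)
            continue
        if rec.get("macros"):             # non-empty macros list -> "M"
            flags[0] = "M"
        for entry in rec.get("analysis") or []:
            if entry.get("type") in FLAG_TYPES:
                flags[1 + FLAG_TYPES.index(entry["type"])] = entry["type"][0]
            keywords.append(entry.get("keyword", ""))
    return return_code, "".join(flags), keywords

def matched_symbols(raw, patterns=PATTERNS):
    """Pattern names that hit the flags string or any analysis keyword."""
    return_code, flags, keywords = parse_olefy_response(raw)
    if return_code != 0:                  # olevba failed: nothing to decide on
        return []
    return sorted(n for n, rx in patterns.items()
                  if any(re.search(rx, s) for s in [flags] + keywords))
```

The macro-free reply from the log yields the flags string "--------" and no symbol; a non-zero return_code yields no symbol either, so a failed olevba run never scores the mail.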