[Rspamd-Users] using oletools with olefy

dunc a.16bit.sysop at gmail.com
Mon Aug 31 12:35:00 UTC 2020


Hi,
I use the options in:
/etc/rspamd/modules.d/external_services.conf

It has the oletools config already, but I don't think the documentation has
been updated to reflect this.

So in my local.d/external_services.conf my oletools section is just:

oletools {
    type = "oletools";
    servers = "127.0.0.1:10050"
}



On Mon, 31 Aug 2020, 10:29 J. Echter, <j.echter at echter-kuechen-elektro.de>
wrote:

> Am 21.07.20 um 17:11 schrieb J. Echter:
> > Hi,
> >
> > I'd like to use the oletools with rspamd, but it doesn't work as
> > expected. (I commented below)
> >
> >
> > I have the following config files:
> >
> > local.d/external_services.conf
> >
> > oletools {
> >   # default olefy settings
> >   servers = "127.0.0.1:10632"
> >
> >   # needs to be set explicitly for Rspamd < 1.9.5
> >   scan_mime_parts = true;
> >
> >   # mime-part regex matching in content-type or filename
> >   mime_parts_filter_regex {
> >     #UNKNOWN = "application\/octet-stream";
> >     DOC2 = "application\/msword";
> >     DOC3 = "application\/vnd\.ms-word.*";
> >     XLS = "application\/vnd\.ms-excel.*";
> >     PPT = "application\/vnd\.ms-powerpoint.*";
> >     GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
> >   }
> >   # mime-part filename extension matching (no regex)
> >   mime_parts_filter_ext {
> >     doc = "doc";
> >     dot = "dot";
> >     docx = "docx";
> >     dotx = "dotx";
> >     docm = "docm";
> >     dotm = "dotm";
> >     xls = "xls";
> >     xlt = "xlt";
> >     xla = "xla";
> >     xlsx = "xlsx";
> >     xltx = "xltx";
> >     xlsm = "xlsm";
> >     xltm = "xltm";
> >     xlam = "xlam";
> >     xlsb = "xlsb";
> >     ppt = "ppt";
> >     pot = "pot";
> >     pps = "pps";
> >     ppa = "ppa";
> >     pptx = "pptx";
> >     potx = "potx";
> >     ppsx = "ppsx";
> >     ppam = "ppam";
> >     pptm = "pptm";
> >     potm = "potm";
> >     ppsm = "ppsm";
> >   }
> >   patterns {
> >     # catch Macro, AutoExec, Suspicious and Hex Strings
> >     BAD_MACRO_MYFLAGS = '^MAS.H...$';
> >     BAD_MACRO_SHELL   = '^Shell$';
> >   }
> > }
> >
> > local.d/external_services_group.conf
> >
> > "OLETOOLS" {
> >     weight = 1.0;
> >     description = "OLETOOLS found a Macro";
> >     one_shot = true;
> >   }
> >
> > Also I set olefy up (I set debug logging in the conf) and it is running:
> >
> > Jul 21 17:02:54 mail systemd[1]: Started olefy Socket Service.
> > Jul 21 17:02:54 mail python3[22283]: olefy DEBUG <module> olefy listen
> > address string: 127.0.0.1, ::1 (type <class 'str'>)
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy listen
> > address: ['127.0.0.1', '::1'] (type: <class 'list'>)
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy listen
> > port: 10632
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy tmp dir:
> > /tmp
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy python
> > path: /usr/bin/python3
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy olvba
> > path: /usr/bin/olevba-3
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy log
> > level: 10
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy min file
> > length: 500
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy delete
> > tmp file: 1
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy delete
> > tmp file when failed: 1
> > Jul 21 17:02:54 mail python3[22283]: olefy DEBUG __init__ Using
> > selector: EpollSelector
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> serving on
> > ('127.0.0.1', 10632)
> > Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> serving on
> > ('::1', 10632, 0, 0)
> >
> > I have seen one connection made from rspamd by sending a .doc testmail:
> >
> > Jul 21 16:53:35 mail python3[21894]: olefy DEBUG connection_made
> > ('127.0.0.1', 48336) new connection was made
> > Jul 21 16:53:35 mail python3[21894]: olefy DEBUG data_received
> > ('127.0.0.1', 48336) data received from new connection
> > Jul 21 16:53:35 mail python3[21894]: olefy DEBUG protocol_split
> > olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID':
> > '068495c07a7c5942887'}
> > Jul 21 16:53:35 mail python3[21894]: olefy DEBUG eof_received <068495>
> > /tmp/1595343215.9703288.48336 choosen as tmp filename
> > Jul 21 16:53:35 mail python3[21894]: olefy INFO eof_received <068495>
> > 30208 bytes (stream size)
> > Jul 21 16:53:35 mail python3[21894]: olefy INFO oletools <068495>
> > application/msword (libmagic output)
> > Jul 21 16:53:36 mail python3[21894]: olefy DEBUG oletools <068495>
> > /tmp/1595343215.9703288.48336 deleting tmp file
> > Jul 21 16:53:36 mail python3[21894]: olefy DEBUG oletools <068495>
> > response: [  {    "script_name": "olevba",    "version": "0.54.2",
> > "url": "http://decalage.info/python/oletools",    "type":
> > "MetaInformation"  },  {    "container": null,    "file":
> > "/tmp/1595343215.9703288.48336",    "json_conversion_successful":
> > true,    "analysis": null,    "code_deobfuscated": null,
> > "do_deobfuscate": false,    "type": "OLE",    "macros": []  },  {
> > "type": "MetaInformation",    "return_code": 0,    "n_processed": 1  }]
> > Jul 21 16:53:36 mail python3[21894]: olefy INFO eof_received <068495>
> > ('127.0.0.1', 48336) response send: b'[  {    "script_name":
> > "olevba",    "version": "0.54.2",    "url":
> > "http://decalage.info/python/oletools",    "type": "MetaInformation"
> > },  {    "container": null,    "file":
> > "/tmp/1595343215.9703288.48336",    "json_conversion_successful":
> > true,    "analysis": null,    "code_deobfuscated": null,
> > "do_deobfuscate": false,    "type": "OLE",    "macros": []  },  {
> > "type": "MetaInformation",    "return_code": 0,    "n_processed": 1
> > }]\t\n\n\t'
> >
> > But I haven't seen any other doc files scanned after the above one; I
> > sent quite a few mails after that.
> >
> > Also I don't see "oletools" in the X-Spamd-Results in the mail source.
> >
> > I'm on CentOS 7 and rspamd is from the rspamd repo (version 2.5); also I
> > cloned the olefy GitHub repo and set everything up as described there. I
> > installed python36-oletools with yum and did pip3 install python-magic;
> > the python-magic I could install with yum didn't seem to work.
> >
> > Anything I have overlooked?
> >
> > Thanks for helping me :)
> >
> > Juergen
> >
> >
>
> Hi,
>
> I'm still trying to get this running.
>
> I have seen in my history the following:
>
> cannot add dependency from BAD_MACRO_MYFLAGS on OLETOOLS: invalid symbol
> types
>
> What does this mean? Am I missing some configuration options there?
>
> Thanks for your help
>
>
> Juergen
>
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
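As an added example (not code from this thread, nor from rspamd or olefy), the Python below parses an olefy JSON reply of the shape shown in the quoted log, derives the eight-character flag string that the quoted `BAD_MACRO_MYFLAGS` pattern is written against, and reports which of the two configured pattern symbols would match. The flag positions beyond M/A/S/H, the olevba analysis `type` labels, and testing each pattern against both the flag string and the analysis keywords are assumptions; both replies are constructed.

```python
import json
import re

# Pattern symbols exactly as in the quoted local.d/external_services.conf.
PATTERNS = {"BAD_MACRO_MYFLAGS": r"^MAS.H...$", "BAD_MACRO_SHELL": r"^Shell$"}

# Assumed layout of the flag string after the leading Macro flag (the page's
# comment only implies M, A, S and H); the olevba "type" labels are assumed too.
FLAG_ORDER = (("AutoExec", "A"), ("Suspicious", "S"), ("IOC", "I"),
              ("Hex String", "H"), ("Base64 String", "B"),
              ("Dridex String", "D"), ("VBA string", "V"))

def document_part(olefy_response: str) -> dict:
    """The analysed-document element of an olefy reply (not MetaInformation)."""
    parts = json.loads(olefy_response.strip())  # olefy's trailer is whitespace
    return next((p for p in parts if p.get("type") != "MetaInformation"), {})

def flag_string(olefy_response: str) -> str:
    """'M' if any macro exists, then one letter or '-' per FLAG_ORDER category."""
    doc = document_part(olefy_response)
    found = {item.get("type") for item in (doc.get("analysis") or [])}
    flags = ["M" if doc.get("macros") else "-"]
    flags += [letter if label in found else "-" for label, letter in FLAG_ORDER]
    return "".join(flags)

def matched_symbols(olefy_response: str) -> list:
    """Symbols whose pattern matches the flag string or any analysis keyword
    (assumption: rspamd tests patterns against both, as the two rules suggest)."""
    doc = document_part(olefy_response)
    candidates = [flag_string(olefy_response)]
    candidates += [item.get("keyword", "") for item in (doc.get("analysis") or [])]
    return [sym for sym, pat in PATTERNS.items()
            if any(re.search(pat, c) for c in candidates)]

# Constructed sample 1: the shape of the reply in the quoted log (no macros at
# all), including the whitespace trailer olefy appends.
CLEAN = ('[{"type": "MetaInformation"}, {"type": "OLE", "macros": [], '
         '"analysis": null}, {"type": "MetaInformation", "return_code": 0}]\t\n\n\t')

# Constructed sample 2: the same shape with one macro and three findings.
WITH_MACRO = json.dumps([
    {"type": "MetaInformation"},
    {"type": "OLE", "macros": [{"vba_filename": "ThisDocument.cls"}],
     "analysis": [{"type": "AutoExec", "keyword": "AutoOpen"},
                  {"type": "Suspicious", "keyword": "Shell"},
                  {"type": "Hex String", "keyword": "48656c6c6f"}]},
    {"type": "MetaInformation", "return_code": 0, "n_processed": 1},
])
```

On the clean reply copied from the quoted log the flag string is all dashes and neither symbol matches; the constructed macro reply yields `MAS-H---` and matches both.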
