[Rspamd-Users] using oletools with olefy

J. Echter j.echter at echter-kuechen-elektro.de
Tue Jul 21 15:11:42 UTC 2020


Hi,

I'd like to use oletools with rspamd, but it doesn't work as
expected. (I commented below.)


I have the following config files:

local.d/external_services.conf

oletools {
  # default olefy settings
  servers = "127.0.0.1:10632"

  # needs to be set explicitly for Rspamd < 1.9.5
  scan_mime_parts = true;

  # mime-part regex matching in content-type or filename
  mime_parts_filter_regex {
    #UNKNOWN = "application\/octet-stream";
    DOC2 = "application\/msword";
    DOC3 = "application\/vnd\.ms-word.*";
    XLS = "application\/vnd\.ms-excel.*";
    PPT = "application\/vnd\.ms-powerpoint.*";
    GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
  }
  # mime-part filename extension matching (no regex)
  mime_parts_filter_ext {
    doc = "doc";
    dot = "dot";
    docx = "docx";
    dotx = "dotx";
    docm = "docm";
    dotm = "dotm";
    xls = "xls";
    xlt = "xlt";
    xla = "xla";
    xlsx = "xlsx";
    xltx = "xltx";
    xlsm = "xlsm";
    xltm = "xltm";
    xlam = "xlam";
    xlsb = "xlsb";
    ppt = "ppt";
    pot = "pot";
    pps = "pps";
    ppa = "ppa";
    pptx = "pptx";
    potx = "potx";
    ppsx = "ppsx";
    ppam = "ppam";
    pptm = "pptm";
    potm = "potm";
    ppsm = "ppsm";
  }
  patterns {
    # catch Macro, AutoExec, Suspicious and Hex Strings
    BAD_MACRO_MYFLAGS = '^MAS.H...$';
    BAD_MACRO_SHELL   = '^Shell$';
  }
}

local.d/external_services_group.conf

"OLETOOLS" {
  weight = 1.0;
  description = "OLETOOLS found a Macro";
  one_shot = true;
}

Also, I set up olefy (I set debug logging in the conf) and it is running:

Jul 21 17:02:54 mail systemd[1]: Started olefy Socket Service.
Jul 21 17:02:54 mail python3[22283]: olefy DEBUG <module> olefy listen address string: 127.0.0.1, ::1 (type <class 'str'>)
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy listen address: ['127.0.0.1', '::1'] (type: <class 'list'>)
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy listen port: 10632
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy tmp dir: /tmp
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy python path: /usr/bin/python3
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy olvba path: /usr/bin/olevba-3
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy log level: 10
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy min file length: 500
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy delete tmp file: 1
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> olefy delete tmp file when failed: 1
Jul 21 17:02:54 mail python3[22283]: olefy DEBUG __init__ Using selector: EpollSelector
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> serving on ('127.0.0.1', 10632)
Jul 21 17:02:54 mail python3[22283]: olefy INFO <module> serving on ('::1', 10632, 0, 0)

I have seen one connection made from rspamd after sending a .doc test mail:

Jul 21 16:53:35 mail python3[21894]: olefy DEBUG connection_made ('127.0.0.1', 48336) new connection was made
Jul 21 16:53:35 mail python3[21894]: olefy DEBUG data_received ('127.0.0.1', 48336) data received from new connection
Jul 21 16:53:35 mail python3[21894]: olefy DEBUG protocol_split olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID': '068495c07a7c5942887'}
Jul 21 16:53:35 mail python3[21894]: olefy DEBUG eof_received <068495> /tmp/1595343215.9703288.48336 choosen as tmp filename
Jul 21 16:53:35 mail python3[21894]: olefy INFO eof_received <068495> 30208 bytes (stream size)
Jul 21 16:53:35 mail python3[21894]: olefy INFO oletools <068495> application/msword (libmagic output)
Jul 21 16:53:36 mail python3[21894]: olefy DEBUG oletools <068495> /tmp/1595343215.9703288.48336 deleting tmp file
Jul 21 16:53:36 mail python3[21894]: olefy DEBUG oletools <068495> response: [  {    "script_name": "olevba",    "version": "0.54.2",    "url": "http://decalage.info/python/oletools",    "type": "MetaInformation"  },  {    "container": null,    "file": "/tmp/1595343215.9703288.48336",    "json_conversion_successful": true,    "analysis": null,    "code_deobfuscated": null,    "do_deobfuscate": false,    "type": "OLE",    "macros": []  },  {    "type": "MetaInformation",    "return_code": 0,    "n_processed": 1  }]
Jul 21 16:53:36 mail python3[21894]: olefy INFO eof_received <068495> ('127.0.0.1', 48336) response send: b'[  {    "script_name": "olevba",    "version": "0.54.2",    "url": "http://decalage.info/python/oletools",    "type": "MetaInformation"  },  {    "container": null,    "file": "/tmp/1595343215.9703288.48336",    "json_conversion_successful": true,    "analysis": null,    "code_deobfuscated": null,    "do_deobfuscate": false,    "type": "OLE",    "macros": []  },  {    "type": "MetaInformation",    "return_code": 0,    "n_processed": 1  }]\t\n\n\t'

But I haven't seen any other doc files scanned after the above one; I
sent quite a few mails after that.

Also, I don't see "oletools" in the X-Spamd-Results in the mail source.

I'm on CentOS 7 and rspamd is from the rspamd repo (version 2.5). I also
cloned the olefy GitHub repo and set everything up as described there. I
installed python36-oletools with yum and did pip3 install python-magic;
the python-magic I could install with yum didn't seem to work.

Anything i have overlooked?

Thanks for helping me :)

Juergen
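As an added way to exercise the same path by hand, outside rspamd (this is example code written for this thread, not olefy's or rspamd's own), the script below pushes one file to the olefy socket using the request framing visible in the debug log above, decodes the JSON olefy returns, derives the eight-letter flag summary that the posted '^MAS.H...$' pattern is written against, and reports which of the two configured pattern symbols would fire. The wire framing, the mapping of olevba analysis types to the letters M A S I H B D V, and the way the patterns are applied (to the flag summary and to each analysis keyword) are assumptions, not quoted from either project's documentation. The two embedded responses are constructed: the first copies the shape of the one in the log (no macros, "analysis": null), the second is what a document with an auto-running macro that calls Shell would look like.

```python
import json
import re
import socket
import sys

# Request framing inferred from the posted olefy debug log: the parsed header
# dict {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID': ...} and the
# b'\t\n\n\t' trailer on the response. The exact layout is an assumption.
def build_olefy_request(file_bytes: bytes, rspamd_id: str) -> bytes:
    header = f"OLEFY/1.0\nMethod:oletools\nRspamd-ID:{rspamd_id}\n\n"
    return header.encode("ascii") + file_bytes


def parse_olefy_response(raw: bytes) -> list:
    # olefy appends tab/newline framing after the JSON document; strip it.
    return json.loads(raw.decode("utf-8").strip())


def scan_with_olefy(file_bytes: bytes, host: str = "127.0.0.1", port: int = 10632,
                    rspamd_id: str = "manual-test", timeout: float = 30.0) -> list:
    """Send one document to a running olefy and return the decoded olevba JSON."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_olefy_request(file_bytes, rspamd_id))
        sock.shutdown(socket.SHUT_WR)   # olefy starts the scan on EOF (eof_received)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return parse_olefy_response(b"".join(chunks))


# Positional flag summary M A S I H B D V (Macros, AutoExec, Suspicious, IOC,
# Hex String, Base64 String, Dridex String, VBA string). The posted pattern
# '^MAS.H...$' is eight characters wide for this reason. The mapping from
# olevba's analysis "type" names to letters is an assumption in this script.
FLAG_ORDER = ("Macros", "AutoExec", "Suspicious", "IOC",
              "Hex String", "Base64 String", "Dridex String", "VBA string")

PATTERNS = {   # copied from the posted local.d/external_services.conf
    "BAD_MACRO_MYFLAGS": re.compile(r"^MAS.H...$"),
    "BAD_MACRO_SHELL": re.compile(r"^Shell$"),
}


def file_entry(result: list) -> dict:
    """Pick the per-file record (the one carrying 'macros') out of the olevba list."""
    for entry in result:
        if "macros" in entry:
            return entry
    raise ValueError("no per-file entry in olevba output")


def flag_string(result: list) -> str:
    entry = file_entry(result)
    present = set()
    if entry.get("macros"):
        present.add("Macros")
    for item in entry.get("analysis") or []:   # "analysis" is null when no macros
        present.add(item.get("type"))
    return "".join(name[0] if name in present else "." for name in FLAG_ORDER)


def matched_symbols(result: list) -> list:
    """Apply the patterns as rspamd is assumed to: to the flag summary and to
    every analysis keyword; return the symbol names that would be added."""
    entry = file_entry(result)
    candidates = [flag_string(result)]
    candidates += [item.get("keyword", "") for item in entry.get("analysis") or []]
    return [sym for sym, rx in PATTERNS.items()
            if any(rx.search(c) for c in candidates)]


CLEAN_RESPONSE = [   # constructed: same shape as the response in the posted log
    {"script_name": "olevba", "version": "0.54.2", "type": "MetaInformation"},
    {"container": None, "file": "/tmp/sample.doc", "type": "OLE",
     "analysis": None, "macros": []},
    {"type": "MetaInformation", "return_code": 0, "n_processed": 1},
]

MACRO_RESPONSE = [   # constructed: auto-running macro that calls Shell
    {"script_name": "olevba", "version": "0.54.2", "type": "MetaInformation"},
    {"container": None, "file": "/tmp/sample.docm", "type": "OpenXML",
     "analysis": [
         {"type": "AutoExec", "keyword": "AutoOpen",
          "description": "Runs when the Word document is opened"},
         {"type": "Suspicious", "keyword": "Shell",
          "description": "May run an executable file or a system command"},
         {"type": "Hex String", "keyword": "4d5a9000", "description": "MZ.."},
     ],
     "macros": [{"vba_filename": "ThisDocument.cls",
                 "code": "Sub AutoOpen()\n  Shell \"cmd.exe /c calc\"\nEnd Sub"}]},
    {"type": "MetaInformation", "return_code": 0, "n_processed": 1},
]


if __name__ == "__main__":
    # Usage: python3 olefy_check.py suspicious.doc   (olefy listening on 127.0.0.1:10632)
    with open(sys.argv[1], "rb") as fh:
        res = scan_with_olefy(fh.read())
    print("flags:", flag_string(res), "symbols:", matched_symbols(res))
```

Run it against a real .doc and compare the printed flag summary with the configured patterns: a document that produces "........" (no macros) cannot match '^MAS.H...$' or '^Shell$', so no OLETOOLS symbol is expected for it, while one that produces "MAS.H..." and a Shell keyword matches both.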
