[Rspamd-Users] Rspamd - oletools extended mode
Lemke, Björn
Bjoern.Lemke at oberhausen.de
Thu Sep 3 09:52:44 UTC 2020
Hej Carsten,
thanks a lot, that did the trick, oletools is working in extended mode now.
But there's one thing I seem to have gotten wrong.
On my test system it seems like oletools only sets symbols when a threat is found and not, as stated in the documentation, "when at least a macro was found".
I want to have a symbol set if oletools finds any macro, even a totally harmless one.
Is there a way to achieve that?
Regards
Björn
> -----Original Message-----
> From: Users [mailto:users-bounces at lists.rspamd.com] On Behalf Of
> Carsten Rosenberg
> Sent: Tuesday, 25 August 2020 19:04
> To: users at lists.rspamd.com
> Subject: Re: [Rspamd-Users] Rspamd - oletools extended mode
>
> Hey,
>
> your config seems to be correct, but you need to add extended=true.
>
> Sorry this option is clearly missing in the documentation.
>
>
> https://github.com/rspamd/rspamd.com/pull/468
>
> --
> Carsten
>
>
> On 25.08.20 14:52, Lemke, Björn wrote:
> > Hej,
> >
> > I am trying to get oletools (via olefy) working in extended mode.
> > Default mode seems to be working nicely since the symbol "OLETOOLS" is
> > set when confronted with a DOCM document containing an Autostart-Macro
> > trying to start a Windows shell command:
> > <snip>
> > OLETOOLS (15) [AutoExec + Suspicious
> > (Document_New,Document_Open,Shell,WINDOWS)]
> > </snip>
> >
> > So now I want to use oletools in extended mode in order to set specific
> > symbols e.g. for "Macro Found", "Macro AutoExec" and "Macro Suspicious"
> > to be able to attach distinct scores to each one of these symbols.
> > But I can't get it to work. What am I missing?
> >
> > Configuration below, thanks in advance for any hint!
> >
> >
> > Regards
> >
> > Björn
> >
> >
> >
> > ===== local.d/external_services.conf =====
> > oletools {
> > # default olefy settings
> > servers = "127.0.0.1:10050"
> >
> > # needs to be set explicitly for Rspamd < 1.9.5
> > scan_mime_parts = true;
> >
> > # mime-part regex matching in content-type or filename
> > mime_parts_filter_regex {
> > #UNKNOWN = "application\/octet-stream";
> > DOC2 = "application\/msword";
> > DOC3 = "application\/vnd\.ms-word.*";
> > XLS = "application\/vnd\.ms-excel.*";
> > PPT = "application\/vnd\.ms-powerpoint.*";
> > GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
> > }
> > # mime-part filename extension matching (no regex)
> > mime_parts_filter_ext {
> > doc = "doc";
> > dot = "dot";
> > docx = "docx";
> > dotx = "dotx";
> > docm = "docm";
> > dotm = "dotm";
> > xls = "xls";
> > xlt = "xlt";
> > xla = "xla";
> > xlsx = "xlsx";
> > xltx = "xltx";
> > xlsm = "xlsm";
> > xltm = "xltm";
> > xlam = "xlam";
> > xlsb = "xlsb";
> > ppt = "ppt";
> > pot = "pot";
> > pps = "pps";
> > ppa = "ppa";
> > pptx = "pptx";
> > potx = "potx";
> > ppsx = "ppsx";
> > ppam = "ppam";
> > pptm = "pptm";
> > potm = "potm";
> > ppsm = "ppsm";
> > }
> > patterns {
> > # catch Macro, AutoExec, Suspicious and Hex Strings
> > BAD_MACRO_MYFLAGS = '^MAS.H...$';
> > BAD_MACRO_SHELL = '^Shell$';
> > }
> > }
> >
> > ===== local.d/external_services_group.conf =====
> > "OLETOOLS" {
> > weight = 1.0;
> > description = "OLETOOLS found a Macro";
> > one_shot = true;
> > }
> >
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
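Added worked example (not code from the thread, from Rspamd or from oletools): it evaluates the two `patterns` entries posted in the configuration above against olevba-style triage flag strings, to show why a harmless macro yields no match while the AutoExec + Suspicious + Hex case does. Assumptions, labelled in the code: the flag string is 8 characters in the order M A S I H B D V (Macro, AutoExec, Suspicious, IOC, Hex strings, Base64 strings, Dridex strings, VBA strings) with '-' for an absent category; the thread's comment on '^MAS.H...$' only confirms positions 1, 2, 3 and 5, the others follow olevba's triage convention. That each pattern is tried against both the flag string and every reported keyword (which is what '^Shell$' implies) is likewise an assumption about Rspamd's matching, and the pattern names are constructed here. The sample findings are constructed, not real olefy output.

```python
"""
Evaluate oletools-style triage flag strings against Rspamd `patterns`
entries. Added illustration; the flag layout and the matching rules are
assumptions documented below, not Rspamd's own implementation.
"""
import re

# Assumption: olevba triage order and letters; '-' marks an absent category.
FLAG_ORDER = ("macro", "autoexec", "suspicious", "ioc",
              "hex", "base64", "dridex", "vba")
FLAG_LETTER = dict(zip(FLAG_ORDER, "MASIHBDV"))

# The two patterns exactly as posted in local.d/external_services.conf.
PATTERNS = {
    "BAD_MACRO_MYFLAGS": r"^MAS.H...$",
    "BAD_MACRO_SHELL": r"^Shell$",
}


def flag_string(categories):
    """Build the 8-character flag string for the detected categories."""
    return "".join(FLAG_LETTER[c] if c in categories else "-"
                   for c in FLAG_ORDER)


def matched_patterns(patterns, categories, keywords=()):
    """Return the sorted names of patterns that match either the flag
    string or any single keyword reported for the document.
    (Assumption: both inputs are tried against every pattern.)"""
    flags = flag_string(categories)
    hits = set()
    for name, rx in patterns.items():
        crx = re.compile(rx)
        if crx.search(flags):
            hits.add(name)
        if any(crx.search(kw) for kw in keywords):
            hits.add(name)
    return sorted(hits)


# Constructed sample findings (not real olefy output).
HARMLESS = {"macro"}                                # macro, nothing else
AUTOEXEC_SHELL = {"macro", "autoexec", "suspicious"}
FULL_HOUSE = {"macro", "autoexec", "suspicious", "hex"}
SHELL_KEYWORDS = ("Document_New", "Document_Open", "Shell", "WINDOWS")

# A pattern that fires on any macro at all, regardless of other flags
# (constructed name; it anchors on the first flag position only).
ANY_MACRO = {"ANY_MACRO": r"^M"}

if __name__ == "__main__":
    cases = [
        ("harmless macro", HARMLESS, ()),
        ("autoexec + shell", AUTOEXEC_SHELL, SHELL_KEYWORDS),
        ("autoexec + shell + hex", FULL_HOUSE, SHELL_KEYWORDS),
    ]
    for label, cats, kws in cases:
        print(f"{label:24s} flags={flag_string(cats)} "
              f"posted patterns -> {matched_patterns(PATTERNS, cats, kws)} "
              f"^M -> {matched_patterns(ANY_MACRO, cats, kws)}")
```

Running it shows the point at issue in the question: a document whose only finding is a macro produces the flag string `M-------`, which neither posted pattern touches, because `^MAS.H...$` requires the AutoExec, Suspicious and Hex positions to be set as well; the `autoexec + shell` case is caught only through the `Shell` keyword, and a pattern anchored on the first position alone fires for every macro.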