On 06/06/2009, at 1:59 AM, Thomas Eckardt/eck wrote:
> The name of the virus is
>
> 'Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL'
>
> but there is no matching regex
>
> Sanesecurity\.Jurlbl\.Auto\.x=>1.6
> Sanesecurity\.Jurlbl\.x=>2.6
>
> the trailing 'x' will prevent the regex from matching
> (a trailing 'i' is in
> (Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i=>4.6 )
> ???
>
> I think the regexes should be:
>
> Sanesecurity\.Jurlbl\.Auto\.=>1.6
> Sanesecurity\.Jurlbl\.=>2.6
> (Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.=>4.6
>
> But your regex would not work in the current versions, because there
> are '|' inside the regexes.
> The complete regex will work to find a 'SuspiciousVirus', but to
> get the weight, we need to separate the regex into its parts. Currently
> this is done by looking for '|' - but this will not work with your
> regex as you can see.
>
> while ($new =~ s/([^\|]+)?\s*\=\>\s*(-{0,1}\d+\.*\d*)\s*/$1/) {
>
> You should see this in the log while starting
>
> ...
> Info: SuspiciousVirus : regex Sanesecurity\.Jurlbl\.Auto\.x - weight set to 2.6
> ...
>
> some of your definitions should be not listed or listed wrongly.
>
> I think the following part is hard to find:
> (Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i=>4.6
> and if someone wants to do it, the regex parts could be very complex -
> much more than this one.
> I hope I've found a way to separate weighted regexes: a weighted regex
> has to begin and end with a '~' followed by '=>' and the weight value:
>
> ~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i~=>4.6
>
> and
>
> while ($new =~ s/\~([^\~]+)?\~\s*\=\>\s*(-{0,1}\d+\.*\d*)\s*/$1/) {
>
> hoping a '~' will never be searched for in a weighted regex.
>
> I'll implement it this way in 2.0.1_RC0.2.08 .
>
> Fields marked with an additional asterisk (**) accept a second weight
> value. Every weighted regex has to begin and end with a '~' followed by
> '=>' and the weight value. For example: ~spammer~=>1.45 or
> ~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i~=>4.6
> . The character '~' must never be used inside a weighted regular
> expression. The multiplication result of the weight and the penaltybox
> valence value will be used for scoring if the absolute value of the
> weight is less than or equal to 6. Otherwise the value of the weight is
> used for scoring.
>
>
> Thomas
Wow, thanks Thomas.
I've upgraded to 2.08 and this is my regex now:
~Phishing\.~=>4.6~Email.Spam\d{1,4}-SecuriteInfo~=>4.1~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6~Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc|Casino)\.~=>6.1~Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.~=>6.1~Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.~=>6.1~Sanesecurity\.Jurlbl\.Auto\.~=>2.6~Sanesecurity\.Jurlbl\.~=>2.6~winnow\.phish\.~=>6.1~winnow\.spam\.~=>2.1~INetMsg\.SpamDomain-2w\.~=>2.0~INetMsg\.~=>1.0~(MSRBL-Images\.)~=>2.1~(MSRBL-SPAM\.)~=>5.1~Safebrowsing~=>1.25~Heuristics~=>1.25
It's quite hard to read all in one string. Perhaps use a file
interface like other sections where you can have lots of items in a
list.
That would allow people to use '~' in a regex too.
Anyway, I'll see how it goes.
Thanks again,
James.
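To illustrate the ~regex~=>weight list format and the scoring rule Thomas describes in the quoted message, here is an added Python example; it is not ASSP's own Perl code. The shortened list, the "first matching part wins" rule and the valence value 2.0 are assumptions made for the example.

```python
import re

# Constructed sample list in the ~regex~=>weight form (a subset of the
# SuspiciousVirus entries from this thread).
SUSPICIOUS_VIRUS = (
    r"~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6"
    r"~Sanesecurity\.Jurlbl\.Auto\.~=>1.6"
    r"~Sanesecurity\.Jurlbl\.~=>2.6"
    r"~winnow\.phish\.~=>6.1"
    r"~Heuristics~=>1.25"
)

# Python counterpart of Thomas's Perl pattern
#   s/\~([^\~]+)?\~\s*\=\>\s*(-{0,1}\d+\.*\d*)\s*/$1/
# group 1 is the regex between the '~' markers, group 2 the weight.
PART_RE = re.compile(r"~([^~]+)?~\s*=>\s*(-?\d+\.*\d*)\s*")


def parse_weighted(text):
    """Split a '~regex~=>weight' list into (compiled regex, weight) pairs."""
    parts = []
    for m in PART_RE.finditer(text):
        pattern, weight = m.group(1), m.group(2)
        if pattern is None:          # '~~=>1.0' carries no regex; skip it
            continue
        parts.append((re.compile(pattern), float(weight)))
    return parts


def score(virus_name, parts, valence):
    """Assumed first-match-wins lookup. Per the quoted documentation the
    score is weight * penaltybox valence when |weight| <= 6, otherwise
    the raw weight. Returns 0.0 when no part matches."""
    for rx, weight in parts:
        if rx.search(virus_name):
            return weight * valence if abs(weight) <= 6 else weight
    return 0.0


def old_split_parts(text):
    """The pre-2.08 behaviour Thomas describes: the list was cut on '|',
    so a regex that itself uses alternation falls apart into fragments."""
    return [p for p in text.split("|") if p]


if __name__ == "__main__":
    parts = parse_weighted(SUSPICIOUS_VIRUS)
    print(score("Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL", parts, 2.0))
    print(old_split_parts(r"(Email|HTML|Sanesecurity)\.Phishing\.i=>4.6"))
```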
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test