To detect very bad URLs, I recommend using 'a bit more' extended regexes.
(?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?i:scr)
The last part (?i:scr) could be expanded to your needs, to also detect
other extensions like (?i:scr|com|bat|exe) - or you may use the default
'bad attachment level 1 re'
(?i:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zap)
for this part of the regex.
If you only want to detect the '.scr' - change this part to:
(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
The complete regex for the '.scr' case would be (all in one line!!!):
(?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
This regex also detects the URLs if they are obfuscated using dec or hex
HTML tags.
Use the regex in 'bombDataRe'.
To show the regex in a simpler way:
(?:ht|f)tps?\:\/\/[^\x00-\x1F\x7F-\xFF]{10,}?\.scr
In words: (ht) or (f) followed by (tp) followed by (s or nothing) followed
by (://) followed by (at least 10 ASCII non-CTL characters) followed by
(.) followed by (scr).
Any single character is represented by a term like:
(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h) <--- this is the 'h'
which could be HTML-encoded hex 48 or 68 or decimal 72 or 104, or simply
the h or H.
> especially in ASSP
There is nothing special in ASSP regexes - simply Perl.
Thomas
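As an added illustration (not part of Thomas's or K Post's messages, and not ASSP code), the following Python script compiles both regexes from this thread verbatim and runs them over a few constructed sample strings, showing where the simple pattern from the question misses what the extended one catches. The names EXTENDED_SCR_RE, SIMPLE_SCR_RE, classify, run_samples and the example.test host are my own choices; the patterns are written in Perl syntax but compile unchanged in Python's re module.

```python
import re

# Thomas's extended '.scr' regex, copied from the message above and split
# across adjacent string literals only for readability; the pattern itself is
# unchanged and compiles as-is in Python's re (scoped (?i:...) groups need 3.6+).
EXTENDED_SCR_RE = re.compile(
    r"(?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)"
    r"|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))"        # "ht" or "f"
    r"(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)"          # "t"
    r"(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)"          # "p"
    r"(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?"         # optional "s"
    r"(?:[\=\%]3[aA]|\&\#0?58\;?|\:)"                  # ":"
    r"(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}"               # "//"
    r"[^\x00-\x1F\x7F-\xFF]{10,}?"                     # 10+ printable ASCII, lazy
    r"(?:[\=\%]2[eE]|\&\#0?46\;?|\.)"                  # "."
    r"(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)"       # "s"
    r"(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)"           # "c"
    r"(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))"         # "r"
)

# K Post's first attempt from the quoted question, also verbatim.
SIMPLE_SCR_RE = re.compile(r"http:\/\/[\w\.\/\-]{10,500}\.scr")

# Constructed sample strings (not real URLs); each encodes the same kind of
# link a different way, plus a harmless control with a genuine .pdf.
SAMPLES = {
    "plain": "http://example.test/files/invoice.pdf.scr",
    "https_upper": "HTTPS://EXAMPLE.TEST/FILES/INVOICE.PDF.SCR",
    "percent": "%68%74%74%70%3a%2f%2fexample.test/x.pdf%2e%73%63%72",
    "html_decimal": "&#104;&#116;&#116;&#112;&#58;&#47;&#47;example.test/x.pdf"
                    "&#46;&#115;&#99;&#114;",
    "benign_pdf": "http://example.test/files/invoice.pdf",
}


def classify(text):
    """Report which of the two thread regexes fire on one message fragment."""
    return {
        "extended": EXTENDED_SCR_RE.search(text) is not None,
        "simple": SIMPLE_SCR_RE.search(text) is not None,
    }


def run_samples():
    """Evaluate every constructed sample; returns {name: classify(sample)}."""
    return {name: classify(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:13s} extended={hits['extended']!s:5s} simple={hits['simple']}")
```

Two properties of the extended pattern are worth knowing before putting it into bombDataRe: the trailing 'scr' has no terminator, so a link ending in '.script' fires as well, and the middle class `[^\x00-\x1F\x7F-\xFF]{10,}?` accepts spaces, so the "URL" it matches may run across surrounding message text.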
From: K Post <nntp.p...@gmail.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 10.09.2010 03:28
Subject: [Assp-test] Blocking the new email virus
Looks like there's a new email worm going around that's becoming a problem.
http://www.us-cert.gov/current/index.html#here_you_have_email_malware
http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/
http://threatpost.com/en_us/blogs/new-email-worm-turns-back-clock-virus-attacks-090910
Anyone have a regex to block these emails? It looks like they're links that
appear to be a PDF but it's really a .scr file.
Would:
http:\/\/[\w\.\/\-]{10,500}\.scr
work?
I'm thinking this would block http:// followed by 10-500 letters, numbers,
underscore (\w), a dot (\.), a slash (\/) or a dash (\-) followed by .scr,
but I'm terrible with regex, especially in ASSP. Suggestions?
------------------------------------------------------------------------------
Automate Storage Tiering Simply
Optimize IT performance and efficiency through flexible, powerful,
automated storage tiering capabilities. View this brief to learn how
you can reduce costs and improve performance.
http://p.sf.net/sfu/dell-sfdev2dev
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test