Hi Thomas,

Just to confirm: in the file files/bombdatare.txt I add, in one line,

(?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))

Thanks
Dale

----- Original Message -----
From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Sent: Friday, September 10, 2010 1:13 AM
Subject: Re: [Assp-test] Blocking the new email virus

> To detect very bad URLs, I recommend using 'a bit more' extended
> regexes.
>
> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?i:scr)
>
> The last part (?i:scr) could be expanded to your needs, to detect also
> other extensions like (?i:scr|com|bat|exe) - or you may use the default
> 'bad attachment level 1 re'
> (?i:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zap)
> for this part of the regex.
>
> If you only want to detect the '.scr' - change this part to:
> (?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>
> The complete regex for the '.scr' case would be (all in one line!!!):
>
> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>
> This regex also detects the URLs if they are obfuscated using dec or hex
> html tags.
>
> Use the regex in 'bombDataRe'.
>
> To show the regex in a more simple way:
> (?:ht|f)tps?\:\/\/[^\x00-\x1F\x7F-\xFF]{10,}?\.scr
> in words: (ht) or (f) followed by (tp) followed by (s or nothing) followed
> by (://) followed by (at least 10 ASCII non-CTL characters) followed by
> (.) followed by (scr)
> any single character is represented by a term like:
> (?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h) <--- this is the 'h'
> which could be html-encoded hex 48 or 68 or decimal 72 or 104 or simply
> the h or H
>
>>especially in ASSP
>
> there is nothing special in ASSP regexes - simply Perl.
>
> Thomas
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 10.09.2010 03:28
> Subject: [Assp-test] Blocking the new email virus
>
> Looks like there's a new email worm going around that's becoming a
> problem.
>
> http://www.us-cert.gov/current/index.html#here_you_have_email_malware
> http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/
> http://threatpost.com/en_us/blogs/new-email-worm-turns-back-clock-virus-attacks-090910
>
> Anyone have a regex to block these emails? It looks like they're links
> that appear to be a PDF but it's really a .scr file.
>
> Would:
> http:\/\/[\w\.\/\-]{10,500}\.scr
> work?
>
> I'm thinking this would block http:// followed by 10-500 letters, numbers,
> underscore (\w), a dot (\.), a slash (\/) or a dash (\-) followed by .scr,
> but I'm terrible with regex, especially in ASSP. Suggestions?

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
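The following is an added example, not code from the thread or from ASSP (which evaluates bombDataRe in Perl). It assembles Thomas's complete '.scr' regex from the per-character terms he describes, so the assembled string is identical to his single line, and runs it with Python's re module (Python 3.6 or later is assumed, for the scoped (?i:...) flag). It then compares it against K Post's first attempt on constructed samples: the same link in plain form, fully %-encoded, quoted-printable (=XX) encoded, decimal-entity encoded, and a mixed form, plus a benign PDF link that must not fire. The samples, the domain example.com, and the helper names scan and scan_all are all constructed for this example.

```python
import re

# Per-character terms exactly as in Thomas Eckardt's message: each term accepts
# the character as %XX / =XX hex (URL- or quoted-printable-encoded), as a decimal
# HTML entity &#NNN; (optional leading 0, optional ';'), or as the literal
# character in either case.
H = r"(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)"
T = r"(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)"
F = r"(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f)"
P = r"(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)"
S = r"(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)"
C = r"(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)"
R = r"(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r)"
COLON = r"(?:[\=\%]3[aA]|\&\#0?58\;?|\:)"
SLASH = r"(?:[\=\%]2[fF]|\&\#0?47\;?|\/)"
DOT = r"(?:[\=\%]2[eE]|\&\#0?46\;?|\.)"
# At least 10 printable ASCII characters (no control or 8-bit bytes), matched lazily.
BODY = r"[^\x00-\x1F\x7F-\xFF]{10,}?"

# Assembled in the order (ht|f) tp s? :// body . scr, this string is byte-for-byte
# the complete '.scr' regex posted in the thread.
ASSP_SCR_PATTERN = (
    "(?:" + H + T + "|" + F + ")" + T + P + S + "?" + COLON + SLASH + "{2}"
    + BODY + DOT + "(?:" + S + C + R + ")"
)
ASSP_SCR_RE = re.compile(ASSP_SCR_PATTERN)

# K Post's first attempt from the same thread, kept for comparison.
NAIVE_RE = re.compile(r"http:\/\/[\w\.\/\-]{10,500}\.scr")

# Constructed samples (not taken from the thread or from real mail).
SAMPLES = {
    "plain":  "Here you have: http://example.com/files/invoice.scr",
    "hex":    "%68%74%74%70%3A%2F%2Fexample.com/files/invoice%2E%73%63%72",
    "qp":     "=68=74=74=70=3A=2F=2Fexample.com/files/invoice=2E=73=63=72",
    "entity": "&#104;&#116;&#116;&#112;&#58;&#47;&#47;example.com/files/invoice&#46;&#115;&#99;&#114;",
    "mixed":  "h%74tp://example.com/files/invoice.s&#99;r",
    "pdf":    "Here you have: http://example.com/files/report.pdf",
}


def scan(text):
    """Report whether each regex flags the text, and what the ASSP regex matched."""
    m = ASSP_SCR_RE.search(text)
    return {
        "naive": NAIVE_RE.search(text) is not None,
        "assp": m is not None,
        "matched": m.group(0) if m else None,
    }


def scan_all(samples=SAMPLES):
    """Run scan() over every sample; only 'plain' is caught by the naive regex."""
    return {name: scan(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:7} naive={result['naive']!s:5} assp={result['assp']!s:5} {result['matched']}")
```

The point of the comparison is the one Thomas makes: the naive pattern only sees the literal string http://, so any one encoded character in the scheme, separator or extension defeats it, while the per-character terms accept every combination of plain, hex and decimal-entity encodings. The mixed sample shows the combination case. Note that the lazy {10,}? body plus the dot term means a fully encoded link is reported as one span, which is what you want when logging what bombDataRe fired on.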