THANK YOU THOMAS, not just for the regex but for the clear explanation! I didn't mean to imply that ASSP was a problem or anything, just that email brings line breaks, hex and dec encoding, etc...
The a-d-n-o-r command that you wrote about goes in the config file? That disables optimization for the entire file? Is there a way to not optimize only some lines instead of all?

On Fri, Sep 10, 2010 at 11:00 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> This variant is more exact (and tested !),
>
> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:\=(?:\015?\012|\015))?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:\=(?:\015?\012|\015))?(?:(?:[\=\%]2[fF]|\&\#0?47\;?|\/)(?:\=(?:\015?\012|\015))?){2}(?:[\x20-\x7E](?:\=(?:\015?\012|\015))?){10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:\=(?:\015?\012|\015))?(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>
> because the links could be very long - the html lines will be terminated
> (?:\=(?:\015?\012|\015)) at any position of the text - like here:
>
> <html><head><style type=3D"text/css"><!-- DIV {margin:0px;}
> --></style></he=
> ad><body><div style=3D"font-family:times new roman, new york, times,
> serif;=
> font-size:12pt"><DIV><A href=3D"
> http://www.t-online.de/test/haouse/woister.=
> scr">http://www.t-online.de/test/haouse/woister.scr
> </A></DIV>=0A<DIV> =
> </DIV>=0A<DIV></DIV></div><br></body></html>
>
> Please switch off the regex optimizer by writing 'a-d-n-o-r' (without the
> quotes) as first line in file. This regex is too complex to get optimized.
> Thomas
>
> Von: "Dale" <dbr...@columbusinternational.com>
> An: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Datum: 10.09.2010 15:19
> Betreff: Re: [Assp-test] Blocking the new email virus
>
> Hi Thomas
>
> Just to confirm, in file:files/bombdatare.txt I add in one line,
>
> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>
> Thanks
> Dale
>
> ----- Original Message -----
> From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Sent: Friday, September 10, 2010 1:13 AM
> Subject: Re: [Assp-test] Blocking the new email virus
>
> > To detect very bad URLs, I recommend using 'a bit more' extended
> > regexes.
> >
> > (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}
> > [^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?i:scr)
> >
> > The last part (?i:scr) could be expanded to your needs, to detect also
> > other extensions like (?i:scr|com|bat|exe) - or you may use the default
> > 'bad attachment level 1 re'
> >
> > (?i:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zap)
> >
> > for this part of the regex
> >
> > If you only want to detect the '.scr' - change this part to:
> >
> > (?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
> >
> > The complete regex for the '.scr' case would be (all in one line!!!):
> >
> > (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
> >
> > This regex also detects the URLs if they are obfuscated using dec or hex
> > html tags.
> >
> > Use the regex in 'bombDataRe'.
> >
> > To show the regex in a more simple way:
> > (?:ht|f)tps?\:\/\/[^\x00-\x1F\x7F-\xFF]{10,}?\.scr
> > in words: (ht) or (f) followed by (tp) followed by (s or nothing) followed
> > by (://) followed by (at least 10 ASCII non CTL characters) followed by (.)
> > followed by (scr)
> > any single character is represented by a term like:
> > (?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h) <--- this is the 'h'
> > which could be html-encoded hex 48 or 68 or decimal 72 or 104 or simply
> > the h or H
> >
> >>especially in ASSP
> >
> > there is nothing special in ASSP regexes - simply Perl.
> >
> > Thomas
> >
> > Von: K Post <nntp.p...@gmail.com>
> > An: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Datum: 10.09.2010 03:28
> > Betreff: [Assp-test] Blocking the new email virus
> >
> > Looks like there's a new email worm going around that's becoming a
> > problem.
> >
> > http://www.us-cert.gov/current/index.html#here_you_have_email_malware
> > http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/
> > http://threatpost.com/en_us/blogs/new-email-worm-turns-back-clock-virus-attacks-090910
> >
> > Anyone have a regex to block these emails? It looks like they're links that
> > appear to be a PDF but it's really a .scr file.
> >
> > Would:
> > http:\/\/[\w\.\/\-]{10,500}\.scr
> > work?
> >
> > I'm thinking this would block http:// followed by 10-500 letters, numbers,
> > underscore (\w), a dot (\.), a slash (\/) or a dash (\-) followed by .scr,
> > but I'm terrible with regex, especially in ASSP. Suggestions?
> >
> > _______________________________________________
> > Assp-test mailing list
> > Assp-test@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/assp-test
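As an added illustration of the construction Thomas describes (not code from the thread or from ASSP, whose regexes are Perl; Python's `re` accepts the same syntax), this block builds each URL character as the literal / `=XX` or `%XX` hex / `&#NN;` decimal alternation, allows a quoted-printable soft break between characters, and compares the result with the first naive attempt on constructed fragments. The function names and the example.test host are assumptions.

```python
import re

# Quoted-printable soft line break ("=" + CR/LF); the thread's tested variant
# allows one between any two characters of the URL.
SOFT = r"(?:=(?:\r?\n|\r))?"

def char_term(ch: str) -> str:
    """One character as literal, =XX / %XX hex, or &#NN; decimal entity."""
    variants = {ch.lower(), ch.upper()} if ch.isalpha() else {ch}
    hexes = "|".join(sorted(f"{ord(v):02X}" for v in variants))
    decs = "|".join(sorted(str(ord(v)) for v in variants))
    return f"(?i:[=%](?:{hexes})|&#0?(?:{decs});?|{re.escape(ch)})"

def seq(s: str) -> str:
    """Characters of s in order, each optionally followed by a soft break."""
    return "".join(char_term(c) + SOFT for c in s)

def build_url_re(ext: str = "scr", min_body: int = 10) -> re.Pattern:
    """(ht|f)tp[s]://<min_body+ printable chars>.<ext>, obfuscation-tolerant."""
    pat = (
        f"(?:{seq('ht')}|{seq('f')}){seq('tp')}{char_term('s')}?{SOFT}"
        f"{seq(':')}(?:{seq('/')}){{2}}"
        f"(?:[\\x20-\\x7E]{SOFT}){{{min_body},}}?"
        f"{seq('.')}{seq(ext)}"
    )
    return re.compile(pat)

NAIVE = re.compile(r"http:\/\/[\w\.\/\-]{10,500}\.scr")  # first attempt in thread
ROBUST = build_url_re("scr")

# Constructed fragments (not real mail): the same link written plainly, split by
# a QP soft break, %XX-encoded, and as decimal entities, plus a harmless .pdf.
SAMPLES = {
    "plain": 'href="http://www.example.test/files/report.pdf.scr">',
    "soft": 'href=3D"\nhttp://www.example.test/files/haouse/woister.=\nscr">',
    "hex": "http://www.example.test/files/invoice%2E%73%63%72",
    "entity": "http://www.example.test/files/invoice&#46;&#115;&#99;&#114;",
    "benign": 'href="http://www.example.test/files/report.pdf">',
}

def scan(text: str, pattern: re.Pattern = ROBUST) -> bool:
    """True if the fragment contains a link to the watched extension."""
    return pattern.search(text) is not None

def compare() -> dict:
    """Per sample: (flagged by NAIVE, flagged by ROBUST)."""
    return {n: (scan(t, NAIVE), scan(t, ROBUST)) for n, t in SAMPLES.items()}
```

Only the plain link is caught by both patterns; the soft-break, hex and entity forms are caught by the built one alone, and the .pdf link by neither.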