> I'm not clear on where your variant should be placed.

Was already posted in the thread.

>> Use the regex in 'bombDataRe'.

Thomas



From:    ad...@trekcom.net
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:    10.09.2010 18:57
Subject: Re: [Assp-test] Antwort: Re:  Blocking the new email virus



Thanks for your work.  I'm not clear on where your variant should be
placed.  Could you elaborate a little for us newbies?

Thanks,

Roger

On 9/10/2010 10:00 AM, Thomas Eckardt wrote:
> This variant is more exact (and tested !),
>
> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:\=(?:\015?\012|\015))?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:\=(?:\015?\012|\015))?(?:(?:[\=\%]2[fF]|\&\#0?47\;?|\/)(?:\=(?:\015?\012|\015))?){2}(?:[\x20-\x7E](?:\=(?:\015?\012|\015))?){10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:\=(?:\015?\012|\015))?(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>
> because the links could be very long - the html lines will be terminated
> (?:\=(?:\015?\012|\015)) at any position of the text - like here:
>
> <html><head><style type=3D"text/css"><!-- DIV {margin:0px;} 
> --></style></he=
> ad><body><div style=3D"font-family:times new roman, new york, times, 
> serif;=
> font-size:12pt"><DIV><A href=3D"
> http://www.t-online.de/test/haouse/woister.=
> scr">http://www.t-online.de/test/haouse/woister.scr
> </A></DIV>=0A<DIV>&nbsp;=
> </DIV>=0A<DIV></DIV></div><br></body></html>
>
> Please switch off the regex optimizer by writing 'a-d-n-o-r' (without the
> quotes) as the first line of the file. This regex is too complex to get
> optimized.
>
> Thomas
>
>
>
> From:    "Dale" <dbr...@columbusinternational.com>
> To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:    10.09.2010 15:19
> Subject: Re: [Assp-test] Blocking the new email virus
>
>
>
>
> Hi Thomas
>
> Just to confirm, in file:files/bombdatare.txt I add in one line,
>
> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>
>
> Thanks
>
> Dale
>
>
>
>
> ----- Original Message ----- 
> From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Sent: Friday, September 10, 2010 1:13 AM
> Subject: Re: [Assp-test] Blocking the new email virus
>
>
>> To detect very bad URLs, I recommend using 'a bit more' extended
>> regexes.
>>
>>
>> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?i:scr)
>>
>>
>> The last part (?i:scr) could be expanded to your needs, to detect also
>> other extensions like (?i:scr|com|bat|exe) - or you may use the default
>> 'bad attachment level 1 re'
>>
>> (?i:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zap)
>> for this part of the regex
>>
>> If you only want to detect the '.scr' - change this part to :
>>
>> (?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>>
>> The complete regex for the '.scr' case would be (all in one line!!!):
>>
>>
>> (?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}[^\x00-\x1F\x7F-\xFF]{10,}?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r))
>> This regex also detects the URLs if they are obfuscated using dec or hex
>> html tags.
>>
>> Use the regex in 'bombDataRe'.
>>
>> to show the regex in a more simple way:
>> (?:ht|f)tps?\:\/\/[^\x00-\x1F\x7F-\xFF]{10,}?\.scr
>> in words: (ht) or (f) followed by (tp) followed by (s or nothing) followed
>> by (://) followed by (at least 10 ASCII non CTL characters) followed by
>> (.) followed by (scr)
>> any single character is represented by a term like:
>> (?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h) <--- this is the 'h'
>> which could be html-encoded hex 48 or 68 or decimal 72 or 104 or simply
>> the h or H
>>
>>> especially in ASSP
>> there is nothing special in ASSP regexes - simply Perl.
>>
>> Thomas
>>
>>
>>
>>
>> From:    K Post <nntp.p...@gmail.com>
>> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date:    10.09.2010 03:28
>> Subject: [Assp-test] Blocking the new email virus
>>
>>
>>
>>
>> Looks like there's a new email worm going around that's becoming a
>> problem.
>>
>> http://www.us-cert.gov/current/index.html#here_you_have_email_malware
>>
>> http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/
>>
>> http://threatpost.com/en_us/blogs/new-email-worm-turns-back-clock-virus-attacks-090910
>>
>>
>> Anyone have a regex to block these emails?  It looks like they're links
>> that
>> appear to be a PDF but it's really a .scr file.
>>
>> Would:
>> http:\/\/[\w\.\/\-]{10,500}\.scr
>> work?
>>
>> I'm thinking this would block http:// followed by 10-500 letters, numbers,
>> underscore (\w), a dot (\.), a slash (\/) or a dash (\-) followed by .scr,
>> but I'm terrible with regex, especially in ASSP.  Suggestions?
>>
>> ------------------------------------------------------------------------------
>> Automate Storage Tiering Simply
>> Optimize IT performance and efficiency through flexible, powerful,
>> automated storage tiering capabilities. View this brief to learn how
>> you can reduce costs and improve performance.
>> http://p.sf.net/sfu/dell-sfdev2dev
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>>
>>
>>
------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




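As an added illustration (not code from the thread, and not how ASSP itself runs these patterns, which are Perl regexes placed in 'bombDataRe'): this Python script rebuilds Thomas's final regex from the per-character terms he describes, generalising the trailing extension to a list, and runs it over a re-typed copy of the quoted-printable HTML sample plus two invented bodies. The `exts`, `min_path` and sample hostnames are assumptions.

```python
import re

# Optional quoted-printable soft line break ("=" then CRLF, LF or CR): the
# thread's final regex allows one after every character because the encoder
# may wrap an HTML line in the middle of a URL.
SOFT_BREAK = r"(?:=(?:\015?\012|\015))?"

def char_term(c: str) -> str:
    """One URL character in the forms the thread lists: QP/URL hex (=68, %68,
    %48), HTML decimal entity (&#104; or &#072;) or the literal, any case."""
    codes = sorted({ord(c.lower()), ord(c.upper())})
    hexs = "|".join(f"{n:02X}" for n in codes)
    decs = "|".join(str(n) for n in codes)
    return f"(?i:[=%](?:{hexs})|&#0*(?:{decs});?|{re.escape(c)}){SOFT_BREAK}"

def word(s: str) -> str:
    return "".join(char_term(c) for c in s)

def obfuscated_url_re(exts=("scr",), min_path=10):
    """Thomas's pattern in general form, (ht|f)tps?://<path>.<ext>; `exts`
    generalises the trailing (?i:scr) to an alternation such as scr|exe."""
    scheme = f"(?:{word('ht')}|{word('f')}){word('tp')}(?:{word('s')})?"
    sep = f"{char_term(':')}(?:{char_term('/')}){{2}}"
    path = rf"(?:[\x20-\x7E]{SOFT_BREAK}){{{min_path},}}?"  # lazy, >= min_path
    ext = "(?:" + "|".join(word(e) for e in exts) + ")"
    return re.compile(scheme + sep + path + char_term(".") + ext)

def find_bad_links(body: str, exts=("scr",)) -> list:
    """Every link to a listed extension in a body, obfuscated or soft-wrapped."""
    return [m.group(0) for m in obfuscated_url_re(exts).finditer(body)]

# Constructed samples: QP_HTML re-types the quoted-printable fragment from the
# thread with explicit CRLF line ends; the other two are invented.
QP_HTML = (
    '<html><head><style type=3D"text/css"><!-- DIV {margin:0px;} \r\n'
    '--></style></he=\r\n'
    'ad><body><div style=3D"font-family:times new roman, new york, times, \r\n'
    'serif;=\r\nfont-size:12pt"><DIV><A href=3D"\r\n'
    'http://www.t-online.de/test/haouse/woister.=\r\n'
    'scr">http://www.t-online.de/test/haouse/woister.scr\r\n'
    '</A></DIV>=0A<DIV>&nbsp;=\r\n</DIV>=0A<DIV></DIV></div><br></body></html>'
)
ENTITY_ENCODED = "see &#104;&#116;&#116;&#112;://example.invalid/docs/report%2Escr now"
BENIGN = "see http://example.invalid/docs/report.pdf now"

if __name__ == "__main__":
    for body in (QP_HTML, ENTITY_ENCODED, BENIGN):
        print(find_bad_links(body, exts=("scr", "exe")))
```

The soft-wrapped link is reported with its `=\r\n` break still inside it, which is exactly the case the simpler one-line regexes in the thread miss; a benign `.pdf` link and a path shorter than `min_path` produce no hit.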