Hi Thomas,

So the entire code below goes into bombdatare.txt ?

Dale

----- Original Message -----
From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
To: "GrayHat" <gray...@gmx.net>; "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Sent: Thursday, September 16, 2010 2:55 AM
Subject: Re: [Assp-test] Blocking the new email virus

> Hi all,
>
> there was a mistake in the regex to detect all links to an executable
> file. The old one was also matching on a URL like
> http://www.anydomain.com - because of the '.com' at the end.
> If someone wants to use it - here is the fixed version:
>
> #http(s)|ftp(s)://domain.tld/x.??? - where ??? is an executable file extension
>
> <<<(?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?(?:\=(?:\015?\012|\015))?(?:[\=\%]3[aA]|\&\#0?58\;?|\:)(?:\=(?:\015?\012|\015))?(?:(?:[\=\%]2[fF]|\&\#0?47\;?|\/)(?:\=(?:\015?\012|\015))?){2}(?:[\x20-\x7E](?:\=(?:\015?\012|\015))?){4,}?(?i:[\=\%](?i:2f)|\&\#(?:0?47)\;?|\/)(?:\=(?:\015?\012|\015))?(?:[\x20-\x7E](?:\=(?:\015?\012|\015))?)+?(?:[\=\%]2[eE]|\&\#0?46\;?|\.)(?:\=(?:\015?\012|\015))?(?:(?:(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%][46]3|\&\#0?(?:67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r)|(?:(?i:[\=\%](?i:41|61)|\&\#(?:0?65|0?97)\;?|a)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:44|64)|\&\#(?:0?68|100)\;?|d)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:45|65)|\&\#(?:0?69|101)\;?|e)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:41|61)|\&\#(?:0?65|0?97)\;?|a)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:44|64)|\&\#(?:0?68|100)\;?|d)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:41|61)|\&\#(?:0?65|0?97)\;?|a)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:58|78)|\&\#(?:0?88|120)\;?|x)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:42|62)|\&\#(?:0?66|0?98)\;?|b)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:41|61)|\&\#(?:0?65|0?97)\;?|a)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:42|62)|\&\#(?:0?66|0?98)\;?|b)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:41|61)|\&\#(?:0?65|0?97)\;?|a)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:54|74)|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:44|64)|\&\#(?:0?68|100)\;?|d)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4f|6f)|\&\#(?:0?79|111)\;?|o)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4c|6c)|\&\#(?:0?76|108)\;?|l)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:52|72)|\&\#(?:0?82|114)\;?|r)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:54|74)|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:44|64)|\&\#(?:0?68|100)\;?|d)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:42|62)|\&\#(?:0?66|0?98)\;?|b)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:58|78)|\&\#(?:0?88|120)\;?|x)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:45|65)|\&\#(?:0?69|101)\;?|e)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:58|78)|\&\#(?:0?88|120)\;?|x)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:45|65)|\&\#(?:0?69|101)\;?|e)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4c|6c)|\&\#(?:0?76|108)\;?|l)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:54|74)|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:41|61)|\&\#(?:0?65|0?97)\;?|a)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:54|74)|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:42|62)|\&\#(?:0?66|0?98)\;?|b)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:49|69)|\&\#(?:0?73|105)\;?|i)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4e|6e)|\&\#(?:0?78|110)\;?|n)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:46|66)|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:49|69)|\&\#(?:0?73|105)\;?|i)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4e|6e)|\&\#(?:0?78|110)\;?|n)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:49|69)|\&\#(?:0?73|105)\;?|i)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4a|6a)|\&\#(?:0?74|106)\;?|j)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4a|6a)|\&\#(?:0?74|106)\;?|j)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:45|65)|\&\#(?:0?69|101)\;?|e)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4c|6c)|\&\#(?:0?76|108)\;?|l)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4e|6e)|\&\#(?:0?78|110)\;?|n)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4b|6b)|\&\#(?:0?75|107)\;?|k)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:54|74)|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:49|69)|\&\#(?:0?73|105)\;?|i)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:54|74)|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:4e|6e)|\&\#(?:0?78|110)\;?|n)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:44|64)|\&\#(?:0?68|100)\;?|d)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:49|69)|\&\#(?:0?73|105)\;?|i)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:46|66)|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:52|72)|\&\#(?:0?82|114)\;?|r)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:46|66)|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:52|72)|\&\#(?:0?82|114)\;?|r)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:45|65)|\&\#(?:0?69|101)\;?|e)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:47|67)|\&\#(?:0?71|103)\;?|g)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:46|66)|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:54|74)|\&\#(?:0?84|116)\;?|t)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:42|62)|\&\#(?:0?66|0?98)\;?|b)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:56|76)|\&\#(?:0?86|118)\;?|v)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:42|62)|\&\#(?:0?66|0?98)\;?|b)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:56|76)|\&\#(?:0?86|118)\;?|v)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:42|62)|\&\#(?:0?66|0?98)\;?|b)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:45|65)|\&\#(?:0?69|101)\;?|e)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:56|76)|\&\#(?:0?86|118)\;?|v)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:42|62)|\&\#(?:0?66|0?98)\;?|b)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:57|77)|\&\#(?:0?87|119)\;?|w)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:4d|6d)|\&\#(?:0?77|109)\;?|m)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:57|77)|\&\#(?:0?87|119)\;?|w)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:43|63)|\&\#(?:0?67|99)\;?|c)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:57|77)|\&\#(?:0?87|119)\;?|w)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:46|66)|\&\#(?:0?70|102)\;?|f)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:57|77)|\&\#(?:0?87|119)\;?|w)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:53|73)|\&\#(?:0?83|115)\;?|s)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:48|68)|\&\#(?:0?72|104)\;?|h)(?:\=(?:\015?\012|\015))?)|(?:(?i:[\=\%](?i:5a|7a)|\&\#(?:0?90|122)\;?|z)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:41|61)|\&\#(?:0?65|0?97)\;?|a)(?:\=(?:\015?\012|\015))?(?i:[\=\%](?i:50|70)|\&\#(?:0?80|112)\;?|p)(?:\=(?:\015?\012|\015))?)))>>>
>
> Thomas
>
> From: "GrayHat" <gray...@gmx.net>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 14.09.2010 08:47
> Subject: Re: [Assp-test] Blocking the new email virus
>
> >>> does it need the a-d-n-o-r too ?
> >>
> >> yes - if the complete file should not be optimized
> >> no - if the <<< >>> is used
> >
> > Uh ok, thanks
> >
> > So, just to sum it all up
> >
> > putting "a-d-n-o-r" at the top of the regexp file will
> > tell ASSP not to optimize the WHOLE file, while
> > enclosing a given regexp into <<< >>> will tell
> > ASSP not to optimize THAT single regexp
> >
> > thanks
> >
> > ------------------------------------------------------------------------------
> > Start uncovering the many advantages of virtual appliances
> > and start using them to simplify application deployment and
> > accelerate your shift to cloud computing.
> > http://p.sf.net/sfu/novell-sfdev2dev
> > _______________________________________________
> > Assp-test mailing list
> > Assp-test@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/assp-test
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
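The regex Thomas posted matches every character of the link in one of three encodings and tolerates a quoted-printable soft line break after each one. The following is an added Python example, not ASSP's code and not the regex from the mail: it rebuilds that per-character building block (the helper names `char_atom`, `literal` and `has_exe_link` are my own) for three of the forty-odd extensions, using Python's `re` in place of Perl, and runs it over constructed message bodies, including the bare `http://www.anydomain.com` case the mail says the old version matched on.

```python
import re

# Added example, not ASSP's code: rebuild the per-character building block
# that the regex in the mail repeats for every character of the link.  Each
# character may appear as a hex-encoded byte (=68 in quoted-printable, %68 in
# a URL), as an HTML numeric entity (&#104; or &#072; for the upper-case
# letter) or literally, and may be followed by a quoted-printable soft break.
SOFT_BREAK = r"(?:\=(?:\015?\012|\015))?"   # optional "=\r\n" or "=\r"

def _dec(code: int) -> str:
    # the mail writes two-digit entity codes as 0?65 and three-digit ones as 100
    return f"0?{code}" if code < 100 else str(code)

def char_atom(ch: str, optional: bool = False) -> str:
    """Fragment matching ch in any of the three encodings, case-insensitively."""
    codes = sorted({ord(ch.upper()), ord(ch.lower())})
    hexes = "|".join(f"{c:02x}" for c in codes)
    decs = "|".join(_dec(c) for c in codes)
    atom = rf"(?i:[\=\%](?:{hexes})|\&\#(?:{decs})\;?|{re.escape(ch.lower())})"
    return atom + ("?" if optional else "") + SOFT_BREAK

def literal(token: str) -> str:
    return "".join(char_atom(c) for c in token)

# Scaled-down form of the mail's pattern: scheme, "://", a host of at least
# four printable characters, "/", a path, "." and the extension.  The mail
# lists about forty extensions; three are enough to show the mechanism.
EXTENSIONS = ("exe", "scr", "bat")
EXE_LINK_RE = re.compile(
    "(?:" + literal("ht") + "|" + literal("f") + ")"    # http(s) or ftp(s)
    + literal("tp") + char_atom("s", optional=True)
    + char_atom(":") + "(?:" + char_atom("/") + "){2}"
    + rf"(?:[\x20-\x7E]{SOFT_BREAK}){{4,}}?"            # host
    + char_atom("/")
    + rf"(?:[\x20-\x7E]{SOFT_BREAK})+?"                 # path
    + char_atom(".")
    + "(?:" + "|".join(literal(e) for e in EXTENSIONS) + ")"
)

def has_exe_link(body: str) -> bool:
    """True when the body contains a link to a file with a listed extension."""
    return EXE_LINK_RE.search(body) is not None

if __name__ == "__main__":   # constructed samples: plain, QP, entities, bare domain
    for body in ("see http://www.anydomain.com/setup.exe",
                 "http=3A//www=2Eanydomain=2Ecom/se=\r\ntup=2Eexe",
                 "&#104;&#116;&#116;&#112;://www.example.net/x.&#101;&#120;&#101;",
                 "http://www.anydomain.com"):
        print(has_exe_link(body), repr(body))
```

Like the regex in the mail, this pattern has no terminator after the extension, so a path such as `x.executive` matches as well; that is a false-positive source to keep in mind when tuning the full list.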