Axb <axb.li...@gmail.com> writes:

> On 09/02/15 09:51, Olivier Nicole wrote:
>> Hi,
>>
>> I am looking at malware patrol, but they offer a list of over 300,000
>> rules, that is way too big.
>>
>> So I was considering using it in a URIDNSBL type of way, but including
>> the full URL, not only the host part. It should be able to accept things
>> like foo.example.com:81/directory/foo?something
>>
>> Does that exist already?
>
> that doesn't exist, publicly...
>
> There are many reasons why running this isn't trivial either.
>
> - tracking IDs/unique identifiers in URLs
> - *can* cause massive scanning overhead
> - depending on special cases, DNS spec limitations.
> etc, etc..
>
> What problem are you trying to solve which cannot be solved with "known"
> methods?
Malware Patrol (malwarepatrol.net) has a file with over 100,000 rules of the form:

  body MBL_2931645 /files\.oqayiq\.biz\/javasoft\/different\//i
  describe MBL_2931645 MBL: https://www.malwarepatrol.net/cgi/search.pl?id=2931645
  score MBL_2931645 3.5

This causes spamassassin --lint to never terminate (well, I killed it after one hour).

One way to tackle this would be to rewrite the rules in some sort of URI DNSBL (that is simple enough to do). And I will run a local DNS.

But contrary to the standard plugin URIDNSBL, the URL includes a machine name and some directory/file name and maybe a port number; it is not limited to the domain name.

Of course, the URL would have to be recoded in a way supported by DNS, but it is not difficult to do (and if it has been done already, I would be glad to use any existing coding; if someone has done it already, why bother to do it again). The one thing that could be a problem is that the directory/file name part would become case insensitive because of DNS, but I can live with that.

So the above example would be added in my DNS zone dnsbl.my.place as something like:

  files.2eoqayiq.2ebiz.2fjavasoft.2fdifferent IN A 127.0.0.2

But on the SA side, I need to be able to grab and test "files.oqayiq.biz/javasoft/different" and not only "oqayiq.biz" as done by URIDNSBL.

Best regards,

Olivier
--
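The encoding sketched above, written out as an added example (not code from the thread or from SpamAssassin). It follows the one zone entry in the post, where each URL separator starts a new DNS label prefixed with the separator's hex code ('.' becomes "2e", '/' becomes "2f"); extending that to ':' ("3a") and '?' ("3f"), the inline "-XX" escape for other characters, the lookup-by-shortening-prefix strategy and the ZONE dictionary are all assumptions made here, and the zone data is constructed from the MBL_2931645 example. It also enforces the DNS label and name length limits Axb alludes to, refusing to build a name that could not be queried.

```python
import re
import string
from typing import Dict, List, Optional, Tuple

# Separator characters open a new DNS label, which carries the two-digit hex
# code of the separator as its prefix, as in the zone entry from the post.
# ':' and '?' are handled the same way here (assumption, not from the post).
SEPARATORS = ".:/?"
SAFE = set(string.ascii_lowercase + string.digits + "-")
LABEL_MAX = 63   # RFC 1035 label length limit
NAME_MAX = 253   # practical limit for a complete domain name

# Constructed zone data mirroring the MBL_2931645 entry in the post
# (names are relative to the DNSBL zone, e.g. dnsbl.my.place).
ZONE: Dict[str, str] = {
    "files.2eoqayiq.2ebiz.2fjavasoft.2fdifferent": "127.0.0.2",
}


def encode_url(url: str) -> Optional[str]:
    """Turn a URL (scheme optional) into a DNSBL lookup name.

    Returns None when the result would break DNS length limits, so the caller
    skips the query instead of sending a malformed name to the resolver.
    """
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.I)
    url = url.lower().rstrip("/")          # DNS is case-insensitive anyway
    labels: List[str] = []
    current = ""
    for ch in url:
        if ch in SEPARATORS:
            labels.append(current)
            current = format(ord(ch), "02x")   # e.g. '/' -> "2f"
        elif ch in SAFE:
            current += ch
        else:
            current += "-%02x" % ord(ch)       # assumption: inline escape
    labels.append(current)
    labels = [label for label in labels if label]   # drop "" from a leading '/'
    name = ".".join(labels)
    if any(len(label) > LABEL_MAX for label in labels) or len(name) > NAME_MAX:
        return None
    return name


def lookup(url: str, zone: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Query the full URL first, then progressively shorter prefixes down to
    the bare hostname, so a listed directory also catches files beneath it.

    This is where the scanning overhead Axb mentions comes from: one URL can
    cost as many queries as it has labels beyond the hostname.
    """
    name = encode_url(url)
    if name is None:
        return None
    labels = name.split(".")
    # Hostname labels are the first one plus every following "2e"-prefixed one.
    host_len = len(labels)
    for i, label in enumerate(labels[1:], 1):
        if not label.startswith("2e"):
            host_len = i
            break
    while len(labels) >= host_len:
        candidate = ".".join(labels)
        if candidate in zone:
            return candidate, zone[candidate]
        labels.pop()
    return None


if __name__ == "__main__":
    print(encode_url("foo.example.com:81/directory/foo?something"))
    print(lookup("http://files.oqayiq.biz/javasoft/different/setup.exe", ZONE))
```

A real deployment would replace the ZONE dictionary with an A-record query against the local zone and would cap the number of prefixes tried per URL, since a long path otherwise fans out into many DNS queries for every scanned message.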