Discussion:
[clamav-users] Yara and base64 encoded body
kionez
2016-07-27 07:34:51 UTC
Hi all,

I'm using custom Yara rules to detect many kinds of spam directed at my
customers; it's very effective and gives me many ways to intercept
localized messages (i.e.: spam in Italian and French).

Lately those spammers are using base64 encoding in the Subject: and body
part, making my rules ineffective.

I need to match some headers and the body part, because I don't want to
generate false positives.

I did some tests and I think that clamav is using this yara/pcre engine
only on the "original" message and then on every single message part
(excluding the mail headers), so if I want to run my rules on the
decoded body I have to give up on the header check and vice versa (due to
the base64-encoded body in the original message).

Is there a way to decode the original message before the scan, or something
which permits running the yara engine on the decoded message?

(I'm also RTFM'ing in amavisd-new, maybe with a custom filter...)

Thanks.


k.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Steve basford
2016-07-27 08:28:10 UTC
Hi,

If it helps, could you email the YARA rule and test email off-list and I'll
have a quick look.

I seem to remember hitting that issue.

Cheers,

Steve
Web: sanesecurity.com
kionez
2016-07-27 08:55:23 UTC
#include <Steve basford.h> // created 27/07/2016 10:28

[cut]
Post by Steve basford
I seem to remember hitting that issue.
I wrote something similar on 13/04 [1] (and here's the patch result [2]),
but this request is "different".

I want (if it is possible, obviously ;) ) to run yara on the entire message,
using rules which match both headers and body. With clamav patched I can
run my rules and detect unwanted messages by matching regexps on both the
header and body parts.

But lately those spammers have started to encode their body part in base64,
making my rules useless, because my regexes match "decoded" strings (i.e.:
plain words).

Clamav runs yara/pcre on the original message (header + encoded body) and
then runs rules on every decoded part, but without the header.

I admit that this is a strange question, but maybe someone has a trick which
helps me :)

k.

1: http://lists.clamav.net/pipermail/clamav-users/2016-April/002782.html
2: https://bugzilla.clamav.net/show_bug.cgi?id=11552

G.W. Haywood
2016-07-27 16:37:17 UTC
Hi there,
... I want ... to run yara on entire message ...
Have you looked at MIMEDefang? You can do more or less whatever you
want if you can write Perl scripts.
--
73,
Ged.
kionez
2016-07-28 07:54:22 UTC
#include <G.W. Haywood.h> // created 27/07/2016 18:37

Hi!
Post by G.W. Haywood
Have you looked at MIMEDefang? You can do more or less whatever you
want if you can write Perl scripts.
I've looked at it, but it's not so simple to integrate on my systems
(now I'm using one VPS to do all the antispam/antivirus tasks for all my
mailservers); AFAIK I'd have to install, configure and maintain mimedefang
on every mailserver, breaking my centralized service...

But... thanks! I will read the docs more carefully, maybe I'll find
something useful.

I'm also thinking about a small script used as an amavisd-new scanner,
which decodes every base64 part and scans it through clamav, but I'm
worried about performance (because I'm not a "true" coder ;) )

I will train spamassassin's Bayesian filters, but it is less fun :D

Just as an example, I put a test message [1] and ruleset [2] on pastebin,
but now I know this is a question that is quite off-topic on this list.

1: http://pastebin.com/PJBqG15Q
2: http://pastebin.com/UaWKLe5V

Thanks for advice!

k.


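The "small script" idea from the last post, written out as an added example (this is not code from the thread, from amavisd-new or from ClamAV, and the message, the header names it keeps and the Italian-spam rule it checks are all constructed for the illustration). The script does the normalisation that ClamAV's mail parser does not offer here: it decodes the RFC 2047 encoded-word Subject and the base64 (or quoted-printable) text parts, then writes the selected headers and the decoded bodies into one buffer, so a single rule can require a header condition and a body condition at the same time. The regex pair stands in for a YARA rule with `all of them`; the same buffer could be written to a temporary file and handed to clamscan with the real ruleset.

```python
"""Decode encoded headers and base64 text parts so one rule can match both."""
import base64
import email
import re
from email.header import decode_header, make_header

# Headers a rule is allowed to see; an assumption for this example.
HEADERS_TO_KEEP = ("From", "To", "Subject")

# Constructed stand-in for a YARA rule that needs a Subject string AND a body
# string; both conditions must hold, like 'condition: all of them'.
SUBJECT_RE = re.compile(r"^Subject:.*\bfattura\b", re.IGNORECASE | re.MULTILINE)
BODY_RE = re.compile(r"\bclicca qui\b", re.IGNORECASE)


def decode_rfc2047(value):
    """Turn an encoded-word header such as =?UTF-8?B?...?= into plain text."""
    if value is None:
        return ""
    return str(make_header(decode_header(value)))


def normalize_for_scan(raw):
    """Return one text buffer: decoded headers, a blank line, decoded text parts.

    This is the view the rules want: headers in clear, bodies already run
    through their Content-Transfer-Encoding, non-text parts left out.
    """
    msg = email.message_from_bytes(raw)
    out = [f"{name}: {decode_rfc2047(msg.get(name))}" for name in HEADERS_TO_KEEP]
    out.append("")
    for part in msg.walk():  # for a single-part message this yields msg itself
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        out.append(payload.decode(charset, errors="replace"))
    return "\n".join(out)


def rule_matches(text):
    """True only when both the header and the body condition are found."""
    return bool(SUBJECT_RE.search(text) and BODY_RE.search(text))


def scan(raw):
    """Return (hit on the wire-format message, hit on the normalised buffer)."""
    raw_text = raw.decode("latin-1")  # byte-for-byte view of the original message
    return rule_matches(raw_text), rule_matches(normalize_for_scan(raw))


def build_sample_message():
    """Constructed test message (not the pastebin one): base64 Subject and body."""
    subject = base64.b64encode("Fattura in scadenza".encode("utf-8")).decode("ascii")
    body = base64.b64encode(
        "Gentile cliente,\r\nclicca qui per pagare la fattura.\r\n".encode("utf-8")
    ).decode("ascii")
    return (
        "From: billing@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        f"Subject: =?UTF-8?B?{subject}?=\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{body}\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    sample = build_sample_message()
    on_raw, on_decoded = scan(sample)
    print("rule hits on raw message:   ", on_raw)      # False: Subject and body are base64
    print("rule hits on decoded buffer:", on_decoded)  # True: both conditions visible
```

The raw message never matches because neither "fattura" nor "clicca qui" appears in the base64 text, which is exactly the failure the thread describes; after normalisation the same rule fires. Feeding only the normalised buffer to the scanner also keeps the check from seeing attachments twice, but it means attachment scanning still has to happen on the original message.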
