
Rule Anti Malware [howto]

Posted: 01 Apr 2016 13:13
by nicola.piazzi
http://www.malwaredomains.com maintains an updated list of domains with security problems.
I found it useful to test these entries in the body of incoming messages.
Copy these lines into a script; it downloads the zip file, unzips it and puts it into a cf file only when the data changes.
Put it in cron daily or hourly.

A line like this checks every 2 hours:
30 */2 * * * /batch/malwaredomains.sh > /dev/null
#!/bin/bash
# Create a SpamAssassin rule that matches malware domains from a list and keep it updated.
# Put this in cron; the rule is only rebuilt when the list has changed.

# Destination alert email
dest=yourmail@yourdomain.it
# Sender address and subject for the alert emails
from=do-not-reply@gruppocomet.it
subject="EFA - Antispam Mailserver Gateway"
# Where SpamAssassin (via MailScanner) picks up site rules
rulefile=/etc/mail/spamassassin/comet.malwaredomains.cf

# Work in /tmp
cd /tmp || exit 1

# Remove files left over from a previous run
rm -f /tmp/justdomains.zip /tmp/justdomains.prev /tmp/justdomains.rule /tmp/justdomains.rule.bak

# Rename the old justdomains, or create a placeholder the first time
if [ -f /tmp/justdomains ]
then
  mv /tmp/justdomains /tmp/justdomains.prev
else
  echo "first time file" > /tmp/justdomains.prev
fi

# Get the new zip and unzip it; stop if either step fails, otherwise a failed
# download would be treated as a changed list
if ! wget -q http://malware-domains.com/files/justdomains.zip -P /tmp || ! unzip -o -q /tmp/justdomains.zip -d /tmp
then
  mv -f /tmp/justdomains.prev /tmp/justdomains
  echo "MalwareDomains download or unzip failed" | mail -r "$from" -s "$subject" "$dest"
  exit 1
fi

# Compare the new file with the previous one
if cmp -s /tmp/justdomains /tmp/justdomains.prev
then
  #exit
  echo "MalwareDomains not updated due to identical pattern file at check time" | mail -r "$from" -s "$subject" "$dest"
else

  # Build the alternation: drop CRs, blank lines and entries of 6 chars or fewer
  # (too short: the body rule is an unanchored substring match, so they would
  # fire inside unrelated text), escape the dots and join everything with |
  pattern=$(tr -d '\r' < /tmp/justdomains | sed -e '/^$/d' -e '/^.\{0,6\}$/d' -e 's/\./\\./g' | paste -sd'|' -)

  # Create the rule file
  {
    echo "body MALWAREDOMAINS_BODY /$pattern/i"
    echo "describe MALWAREDOMAINS_BODY Body contains Malware Domain (http://www.malwaredomains.com)"
    echo "score MALWAREDOMAINS_BODY 1.85"
  } > /tmp/justdomains.rule

  # Keep the current rule file so it can be restored if the new one is broken
  [ -f "$rulefile" ] && cp -f "$rulefile" /tmp/justdomains.rule.bak

  # Install into the SpamAssassin folder. 0644 is enough: a world-writable
  # rule file would let any local user inject rules into the mail gateway
  cp -f /tmp/justdomains.rule "$rulefile"
  chmod 644 "$rulefile"

  # Check that the configuration still parses before restarting; roll back on failure
  if ! spamassassin --lint > /dev/null 2>&1
  then
    if [ -f /tmp/justdomains.rule.bak ]
    then
      cp -f /tmp/justdomains.rule.bak "$rulefile"
    else
      rm -f "$rulefile"
    fi
    echo "MalwareDomains rule failed spamassassin --lint, previous rule kept" | mail -r "$from" -s "$subject" "$dest"
    exit 1
  fi

  # Restart MailScanner so the new rule is loaded
  service MailScanner restart

  echo "MalwareDomains rules updated" | mail -r "$from" -s "$subject" "$dest"

fi

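The list-to-rule conversion above, as an added example that is not part of the original post: it works on a small domain list constructed inline (not the real malwaredomains.com data), so the cleanup, dot escaping and alternation can be checked offline, and it then runs the resulting regex over two sample bodies the way a SpamAssassin /.../i body rule would. It also shows why the "6 characters or fewer" filter is there: the body rule is an unanchored, case-insensitive substring match, so a short name such as bad.tk would fire inside unrelated text. The function names, the sample list and the message bodies are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the script from the post: build the SpamAssassin body rule
# from an in-memory domain list so the transformation can be checked offline.
# The list below is constructed for illustration; the real one is
# http://malware-domains.com/files/justdomains.zip. It deliberately contains a
# CRLF line, a blank line and two entries of 6 characters or fewer.
SAMPLE_LIST=$(printf 'malware-example.com\r\nbad.tk\n\nevil-example.net\nab.c\n')

# Normalise the raw list on stdin: strip CRs, blank lines and entries of
# 6 characters or fewer (the rule is an unanchored substring match, so short
# names would fire inside unrelated words and URLs).
clean_domains() {
    tr -d '\r' | sed -e '/^$/d' -e '/^.\{0,6\}$/d'
}

# Turn the cleaned list on stdin into the three-line SpamAssassin rule:
# dots escaped, domains joined into one alternation, case-insensitive.
build_rule() {
    pattern=$(sed 's/\./\\./g' | paste -sd'|' -)
    printf 'body MALWAREDOMAINS_BODY /%s/i\n' "$pattern"
    printf 'describe MALWAREDOMAINS_BODY Body contains Malware Domain (http://www.malwaredomains.com)\n'
    printf 'score MALWAREDOMAINS_BODY 1.85\n'
}

# Pull the regex back out of the rule text ($1) and run it over a message
# body ($2) the way SpamAssassin's /.../i would: case-insensitive, anywhere
# in the text. Returns 0 on a hit, 1 otherwise.
body_matches() {
    regex=$(printf '%s\n' "$1" | sed -n '1s#^body MALWAREDOMAINS_BODY /\(.*\)/i$#\1#p')
    printf '%s' "$2" | grep -Eiq -- "$regex"
}

# Build the rule from the constructed list and show it
rule=$(printf '%s\n' "$SAMPLE_LIST" | clean_domains | build_rule)
printf '%s\n' "$rule"

# A listed domain in the body is caught regardless of case
body_matches "$rule" "Download from http://EVIL-example.net/update.exe" && echo "hit: body references a listed domain"
# bad.tk was dropped as too short, so a body mentioning it stays clean
body_matches "$rule" "bad.tk was dropped as too short, so this is clean" || echo "clean: no listed domain in body"
```

Running it prints the three rule lines, with the body line reading `body MALWAREDOMAINS_BODY /malware-example\.com|evil-example\.net/i`, followed by one hit and one clean verdict. Because the alternation has no word boundaries, a listed name also matches inside a longer host name; that is the trade-off the short-entry filter is managing, not removing.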
Re: Rule Anti Malware [howto]

Posted: 02 Apr 2016 14:33
by shawniverson