Re: [Exim] Generic VBS script detection

Author: Jethro R Binks
To: Exim
Subject: Re: [Exim] Generic VBS script detection
Peter, thanks for your contribution, but I'm having a hard time with the
brackets the way it is presented. I think it is supposed to read as
follows, but please clarify for me:

if ( mpmixed and c-t name= ) or
   ( name=... ) or
   ( begin ... )
    dostuff
endif


Ta, Jethro/Culf


On Thu, 4 May 2000, Peter Radcliffe wrote:

> Nigel Metheringham <Nigel.Metheringham@???> probably said:
> > I am not a filter expert :-(, and have not tested this, but how about
> > something like this as a starting point:-
> >
> >   if ($message_body matches "^\\s+name=[A-Za-z0-9_-.]+.[vV][bB][sS]" or
> >       $message_body matches "^begin \\d\\d\\d .+\\.[vV][bB][sS]")
> >     ... then/action/endif
>
> I'm using, so far;
>
> if (($header_content-type MATCHES "(?i)multipart/mixed" and 
>     ($message_body MATCHES "(?i)content-type: .*(file)?name=\"?[A-Za-z0-9.-]+\\\\.vbs") or
>      $message_body MATCHES "(?i)\\\\s+(file)?name=\"?[A-Za-z0-9.-]+\\\\.vbs") or
>     $message_body MATCHES "(?i)begin \\\\d\\\\d\\\\d .+\\\\.vbs") then
>   freeze text "Contains a possible .vbs script"
> endif
>
> the [_-.] was failing for me, ordering problem. The range I have need
> to be expanded to valid characters, I was actually thinking about
> using not-white-space.
>
> I had to add (file)? to the name section, and used (?i) to get it
> caseless to avoid all the [vV] stuff.
>
> Do people think matching on begin... is worth doing if the content-type
> is not multipart/mixed ? What other content types are dangerous ?
>
> > [NB for those following... matches does regexp comparisons... but there
> > is a problem with quoting - hence the \\ in there.
>
> I found I had to use \\\\ to get a \ in the resultant match.
>
> > Is a ^ [beginning of line anchor] OK to use here, or does it have to
> > match a previous line end character instead?]
>
> I don't think ^ works in $message_body, since it's one large string ...
> I need to go fetch my regexp book for a good answer to that one.
>
> Any further advance on this from anyone else ?
>
> P.
>
> -- 
> pir                  pir@???                    pir@???
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>



. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks                                   Computing Officer, IT Services
Webmaster, Cachemaster, Listmaster;      University Of Strathclyde, Glasgow, UK
                                                      jethro.binks@???
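Added example (not from the thread, and not Exim's own filter code): Peter's condition rewritten in Python's re module with the bracketing made explicit, so the two readings Jethro is asking about, the `^` anchor question and the `[_-.]` ordering problem can all be checked on constructed messages. It assumes Python's re behaves like the PCRE Exim used for these constructs, and the sample messages are made up for the test.

```python
import re

# Peter's four tests as Python raw-string regexes (the "\\\\" doubling in the
# thread is an Exim string-quoting artefact; here one backslash suffices).
CT_MIXED = re.compile(r"(?i)multipart/mixed")
BODY_CT_NAME = re.compile(r'(?i)content-type: .*(file)?name="?[A-Za-z0-9.-]+\.vbs')
BODY_NAME = re.compile(r'(?i)\s+(file)?name="?[A-Za-z0-9.-]+\.vbs')
BODY_UUENC = re.compile(r"(?i)begin \d\d\d .+\.vbs")

def flags_vbs(content_type, body, uuencode_needs_mixed=False):
    """Peter's if-condition with the brackets made explicit.

    As posted it parses as (A and (B or C)) or D, so the uuencode test D
    fires whatever the top-level Content-Type is.  Pass
    uuencode_needs_mixed=True for the other reading, A and (B or C or D).
    """
    a = CT_MIXED.search(content_type) is not None
    b = BODY_CT_NAME.search(body) is not None
    c = BODY_NAME.search(body) is not None
    d = BODY_UUENC.search(body) is not None
    if uuencode_needs_mixed:
        return a and (b or c or d)
    return (a and (b or c)) or d

def caret_matches_begin_line(body, multiline):
    """Nigel's '^' question: the body is one big string, so '^' only matches
    its very start unless the (?m) / MULTILINE flag turns it into a line anchor."""
    flags = re.MULTILINE if multiline else 0
    return re.search(r"^begin \d\d\d .+\.vbs", body, flags) is not None

def bad_range_is_rejected():
    """Nigel's [_-.] is read as the range '_'..'.', which runs backwards
    (0x5F down to 0x2E): that is the 'ordering problem' Peter hit.
    Putting the hyphen first or last ([-_.] or [_.-]) makes it literal."""
    try:
        re.compile(r"[A-Za-z0-9_-.]")
        return False
    except re.error:
        return True

# Constructed sample messages (not real mail): the top-level Content-Type
# header value and the raw body a filter would see in $message_body.
MIXED_VBS = ('multipart/mixed; boundary="b1"',
             '--b1\nContent-Type: application/octet-stream; name="report.vbs"\n'
             'Content-Disposition: attachment; filename="report.vbs"\n\n...\n--b1--\n')
MIXED_JPG = ('multipart/mixed; boundary="b1"',
             '--b1\nContent-Type: image/jpeg; name="photo.jpg"\n\n...\n--b1--\n')
PLAIN_UUE = ('text/plain',
             'Hi,\nbegin 644 notes.vbs\nM86)C9&5F\n`\nend\n')
```

With the posted bracketing, PLAIN_UUE is flagged even though it is not multipart/mixed; with the alternative reading it is not, which is exactly the "is begin... worth matching" question.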