[clamav-users] Blocking malicious URLs in a local database

Dave McMurtrie dave64 at andrew.cmu.edu
Tue Mar 31 10:19:18 EDT 2015


Well that is certainly simple, and seems to just work.  Thanks for the info!

________________________________________
From: clamav-users [clamav-users-bounces at lists.clamav.net] on behalf of TR Shaw [tshaw at oitc.com]
Sent: Monday, March 30, 2015 3:42 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Blocking malicious URLs in a local database

your.local.ndb file:
        "signame.1:4:*:" . bin2hex("http://bad.domain.com/path") . "\n";
        "signame.2:5:*:" . bin2hex("http://bad.domain.com/path") . "\n";

On Mar 30, 2015, at 2:34 PM, Dave McMurtrie <dave64 at andrew.cmu.edu> wrote:

> Hi,
>
> Hopefully someone here can steer me in the right direction.  I'm looking for a simple way to be able to create a local signature such that when we become aware of a phishing message targeting our users that contains a malicious URL, I can quickly respond by configuring ClamAV to identify them so we can block them.
>
> After reading the phishsigs_howto, it looks like adding entries to a local.gdb file would accomplish what I want, but thus far that isn't working for me.  I'm fairly certain that I have the format correct because clamdscan is properly detecting messages with URLs that I put in my local.gdb file.  However, clamd is not detecting the URLs when our milter code connects to the clamd socket.  The difference seems to be whether it's in the context of scanning a file or a mail message, since debug output shows me that it's taking a different code path.  I posted to the list earlier with more specific questions about this, but never did track it down.
>
> My questions:
>
> 1) Is the local.gdb file even intended for this purpose?
>
> 2) Is there a better way to accomplish this?
>
> Thanks!
>
> Dave
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
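
As an added worked example (not code from this thread or from the ClamAV project), the script below generates the `.ndb` lines TR Shaw describes from a list of URLs, parses them back, and runs a small byte-pattern scan over a constructed sample message so the behaviour of a `*`-offset hex signature can be checked before the file is dropped into clamd's database directory. The URLs, signature names, and the sample mail body are made up; target types 0 (any file) and 4 (mail file) are taken from the ClamAV signature documentation.

```python
"""Build a local ClamAV .ndb file from a list of phishing URLs and check it
against sample message bodies.  Added example for the clamav-users thread;
the URLs, signature names and sample mail below are constructed."""

# An .ndb line has the form  MalwareName:TargetType:Offset:HexSignature
# Target types used here (from the ClamAV signature documentation):
#   0 = any file, 4 = mail file.   An offset of '*' means "any offset".
TARGET_ANY = 0
TARGET_MAIL = 4


def ndb_signature(name: str, target_type: int, needle: str) -> str:
    """Return one .ndb line whose hex body is the UTF-8 bytes of `needle`
    (the same transformation as PHP's bin2hex() in the reply above)."""
    if ":" in name or " " in name:
        raise ValueError("signature name must not contain ':' or spaces")
    if target_type not in range(0, 13):
        raise ValueError("unknown ClamAV target type")
    return f"{name}:{target_type}:*:{needle.encode('utf-8').hex()}"


def build_ndb(urls, prefix="Phish.Local", target_type=TARGET_MAIL) -> str:
    """One signature per URL, numbered from 1, newline-terminated."""
    lines = [ndb_signature(f"{prefix}.{i}", target_type, url)
             for i, url in enumerate(urls, 1)]
    return "\n".join(lines) + "\n"


def load_ndb(text: str):
    """Parse .ndb lines back into (name, target, offset, bytes) tuples."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.split(":", 3)
        sigs.append((name, int(target), offset, bytes.fromhex(hexsig)))
    return sigs


def scan_body(body: bytes, sigs):
    """Minimal stand-in for a byte-pattern scan: names of signatures whose
    bytes occur anywhere in `body`.  Only '*' offsets are handled, which is
    all the thread uses.  Like ClamAV's hex signatures, the match is an
    exact, case-sensitive byte comparison."""
    hits = []
    for name, _target, offset, pattern in sigs:
        if offset != "*":
            raise NotImplementedError("only wildcard offsets demonstrated")
        if pattern in body:
            hits.append(name)
    return hits


# Constructed sample data (hypothetical domain and message)
PHISH_URLS = ["http://bad.domain.com/path", "http://bad.domain.com/login"]
SAMPLE_MAIL = (
    b"From: helpdesk@example.test\r\n"
    b"Subject: Verify your account\r\n\r\n"
    b"Please sign in at http://bad.domain.com/path within 24 hours.\r\n"
)

if __name__ == "__main__":
    ndb_text = build_ndb(PHISH_URLS)
    print(ndb_text, end="")            # paste into local.ndb
    sigs = load_ndb(ndb_text)
    print("hits:", scan_body(SAMPLE_MAIL, sigs))
    # An obfuscated or upper-cased copy of the URL is not matched:
    print("hits (upper-cased):", scan_body(SAMPLE_MAIL.upper(), sigs))
```

The generated text goes into a file whose name ends in `.ndb` inside clamd's DatabaseDirectory, followed by a database reload. Two caveats the scan function makes visible: the match is byte-exact, so a phishing campaign that rotates paths or changes case slips past a full-URL signature (a signature on just the hostname bytes is often more durable), and a target type of 4 only applies to input ClamAV has typed as mail, so if a line fails to fire on one scanning code path, the same hex with target type 0 matches regardless of how the input was typed.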
