git-svn: trunk@3798
Tomasz Kojm authored on 2008/04/19 02:14:20... | ... |
@@ -1,3 +1,12 @@ |
1 |
+Fri Apr 18 18:33:59 CEST 2008 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav: DLP: dconf support; pass flags through scan options |
|
4 |
+ * clamd: new options: StructuredDataDetection, StructuredMinCreditCardCount, |
|
5 |
+ StructuredMinSSNCount, StructuredSSNFormatNormal, |
|
6 |
+ StructuredSSNFormatStripped |
|
7 |
+ * etc/clamd.conf, docs/man/clamd.conf.5.in: update |
|
8 |
+ * TODO: add DLP fine-tuning options to clamscan |
|
9 |
+ |
|
1 | 10 |
Fri Apr 18 13:55:41 EEST 2008 (edwin) |
2 | 11 |
------------------------------------- |
3 | 12 |
* libclamav/dconf.h: fix flag code assignment |
... | ... |
@@ -438,6 +438,22 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne |
438 | 438 |
} |
439 | 439 |
} |
440 | 440 |
|
441 |
+ if(cfgopt(copt, "StructuredDataDetection")->enabled) { |
|
442 |
+ options |= CL_SCAN_STRUCTURED; |
|
443 |
+ |
|
444 |
+ limits.min_cc_count = cfgopt(copt, "StructuredMinCreditCardCount")->numarg; |
|
445 |
+ logg("Structured: Minimum Credit Card Number Count set to %u\n", limits.min_cc_count); |
|
446 |
+ |
|
447 |
+ limits.min_ssn_count = cfgopt(copt, "StructuredMinSSNCount")->numarg; |
|
448 |
+ logg("Structured: Minimum Social Security Number Count set to %u\n", limits.min_ssn_count); |
|
449 |
+ |
|
450 |
+ if(cfgopt(copt, "StructuredSSNFormatNormal")->enabled) |
|
451 |
+ options |= CL_SCAN_STRUCTURED_SSN_NORMAL; |
|
452 |
+ |
|
453 |
+ if(cfgopt(copt, "StructuredSSNFormatStripped")->enabled) |
|
454 |
+ options |= CL_SCAN_STRUCTURED_SSN_STRIPPED; |
|
455 |
+ } |
|
456 |
+ |
|
441 | 457 |
selfchk = cfgopt(copt, "SelfCheck")->numarg; |
442 | 458 |
if(!selfchk) { |
443 | 459 |
logg("Self checking disabled.\n"); |
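Review bot: The two `->numarg` values go straight into `limits.min_cc_count` and `limits.min_ssn_count` with no range check, so a configured 0 is accepted silently, and so is a negative value if `numarg` is a signed int (the cfgparser table in this commit suggests it is — confirm). The comparison in cli_scan_structured is `>=`, so a minimum of 0 is satisfied by the very first buffer of any ASCII file, and a negative value converted to `unsigned int` becomes a minimum that can never be reached, i.e. detection silently off. I would reject both before the assignment, e.g. `if(cfgopt(copt, "StructuredMinCreditCardCount")->numarg < 1) { logg("!StructuredMinCreditCardCount must be at least 1\n"); /* bail out the way the other option errors in this function do */ }` and the same for the SSN count; the function's error-return convention is outside the hunk. acceptloop_th starts and ends outside this hunk.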
... | ... |
@@ -310,9 +310,10 @@ int scanmanager(const struct optstruct *opt) |
310 | 310 |
|
311 | 311 |
if(opt_check(opt, "detect-structured")) { |
312 | 312 |
options |= CL_SCAN_STRUCTURED; |
313 |
+ options |= CL_SCAN_STRUCTURED_SSN_NORMAL; |
|
314 |
+ options |= CL_SCAN_STRUCTURED_SSN_STRIPPED; |
|
313 | 315 |
limits.min_cc_count = 1; |
314 | 316 |
limits.min_ssn_count = 1; |
315 |
- limits.structured_flags = CL_STRUCTURED_CONF_SSN_BOTH; |
|
316 | 317 |
} else |
317 | 318 |
options &= ~CL_SCAN_STRUCTURED; |
318 | 319 |
|
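Review bot: The three `options |=` statements in the `detect-structured` branch read as three separate decisions where there is only one; a single `options |= CL_SCAN_STRUCTURED | CL_SCAN_STRUCTURED_SSN_NORMAL | CL_SCAN_STRUCTURED_SSN_STRIPPED;` says what clamscan actually means, "structured detection with both SSN formats". The `else` branch still clears only `CL_SCAN_STRUCTURED`; that is harmless today because the SSN bits are never set without it, but clearing the same combined mask there would keep the two branches symmetric once the SSN flags become separately controllable from clamscan, which the ChangeLog entry lists as a TODO. scanmanager continues outside the hunk.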
... | ... |
@@ -263,6 +263,31 @@ Always block cloaked URLs, even if URL isn't in database. This can lead to false |
263 | 263 |
.br |
264 | 264 |
Default: no |
265 | 265 |
.TP |
266 |
+\fBStructuredDataDetection BOOL\fR |
|
267 |
+Enable the DLP module. |
|
268 |
+.br |
|
269 |
+Default: no |
|
270 |
+.TP |
|
271 |
+\fBStructuredMinCreditCardCount NUMBER\fR |
|
272 |
+This option sets the lowest number of Credit Card numbers found in a file to generate a detect. |
|
273 |
+.br |
|
274 |
+Default: 1 |
|
275 |
+.TP |
|
276 |
+\fBStructuredMinSSNCount NUMBER\fR |
|
277 |
+This option sets the lowest number of Social Security Numbers found in a file to generate a detect. |
|
278 |
+.br |
|
279 |
+Default: 1 |
|
280 |
+.TP |
|
281 |
+\fBStructuredSSNFormatNormal BOOL\fR |
|
282 |
+With this option enabled the DLP module will search for valid SSNs formatted as xxx-yy-zzzz. |
|
283 |
+.br |
|
284 |
+Default: Yes |
|
285 |
+.TP |
|
286 |
+\fBStructuredSSNFormatStripped BOOL\fR |
|
287 |
+With this option enabled the DLP module will search for valid SSNs formatted as xxxyyzzzz. |
|
288 |
+.br |
|
289 |
+Default: Yes |
|
290 |
+.TP |
|
266 | 291 |
\fBScanArchive BOOL\fR |
267 | 292 |
Enable archive scanning. |
268 | 293 |
.br |
... | ... |
@@ -247,6 +247,35 @@ LocalSocket /tmp/clamd.socket |
247 | 247 |
|
248 | 248 |
|
249 | 249 |
## |
250 |
+## Data Loss Prevention (DLP) |
|
251 |
+## |
|
252 |
+ |
|
253 |
+# Enable the DLP module |
|
254 |
+# Default: No |
|
255 |
+#StructuredDataDetection yes |
|
256 |
+ |
|
257 |
+# This option sets the lowest number of Credit Card numbers found in a file |
|
258 |
+# to generate a detect. |
|
259 |
+# Default: 1 |
|
260 |
+#StructuredMinCreditCardCount 5 |
|
261 |
+ |
|
262 |
+# This option sets the lowest number of Social Security Numbers found |
|
263 |
+# in a file to generate a detect. |
|
264 |
+# Default: 1 |
|
265 |
+#StructuredMinSSNCount 5 |
|
266 |
+ |
|
267 |
+# With this option enabled the DLP module will search for valid |
|
268 |
+# SSNs formatted as xxx-yy-zzzz |
|
269 |
+# Default: yes |
|
270 |
+#StructuredSSNFormatNormal yes |
|
271 |
+ |
|
272 |
+# With this option enabled the DLP module will search for valid |
|
273 |
+# SSNs formatted as xxxyyzzzz |
|
274 |
+# Default: yes |
|
275 |
+#StructuredSSNFormatStripped yes |
|
276 |
+ |
|
277 |
+ |
|
278 |
+## |
|
250 | 279 |
## HTML |
251 | 280 |
## |
252 | 281 |
|
... | ... |
@@ -77,23 +77,24 @@ extern "C" |
77 | 77 |
#define CL_DB_STDOPT (CL_DB_PHISHING | CL_DB_PHISHING_URLS) |
78 | 78 |
|
79 | 79 |
/* scan options */ |
80 |
-#define CL_SCAN_RAW 0x0 |
|
81 |
-#define CL_SCAN_ARCHIVE 0x1 |
|
82 |
-#define CL_SCAN_MAIL 0x2 |
|
83 |
-#define CL_SCAN_OLE2 0x4 |
|
84 |
-#define CL_SCAN_BLOCKENCRYPTED 0x8 |
|
85 |
-#define CL_SCAN_HTML 0x10 |
|
86 |
-#define CL_SCAN_PE 0x20 |
|
87 |
-#define CL_SCAN_BLOCKBROKEN 0x40 |
|
88 |
-#define CL_SCAN_MAILURL 0x80 |
|
89 |
-#define CL_SCAN_BLOCKMAX 0x100 /* ignored */ |
|
90 |
-#define CL_SCAN_ALGORITHMIC 0x200 |
|
91 |
-#define CL_SCAN_PHISHING_BLOCKSSL 0x800 /* ssl mismatches, not ssl by itself*/ |
|
92 |
-#define CL_SCAN_PHISHING_BLOCKCLOAK 0x1000 |
|
93 |
-#define CL_SCAN_ELF 0x2000 |
|
94 |
-#define CL_SCAN_PDF 0x4000 |
|
95 |
-#define CL_SCAN_STRUCTURED 0x8000 |
|
96 |
- |
|
80 |
+#define CL_SCAN_RAW 0x0 |
|
81 |
+#define CL_SCAN_ARCHIVE 0x1 |
|
82 |
+#define CL_SCAN_MAIL 0x2 |
|
83 |
+#define CL_SCAN_OLE2 0x4 |
|
84 |
+#define CL_SCAN_BLOCKENCRYPTED 0x8 |
|
85 |
+#define CL_SCAN_HTML 0x10 |
|
86 |
+#define CL_SCAN_PE 0x20 |
|
87 |
+#define CL_SCAN_BLOCKBROKEN 0x40 |
|
88 |
+#define CL_SCAN_MAILURL 0x80 |
|
89 |
+#define CL_SCAN_BLOCKMAX 0x100 /* ignored */ |
|
90 |
+#define CL_SCAN_ALGORITHMIC 0x200 |
|
91 |
+#define CL_SCAN_PHISHING_BLOCKSSL 0x800 /* ssl mismatches, not ssl by itself*/ |
|
92 |
+#define CL_SCAN_PHISHING_BLOCKCLOAK 0x1000 |
|
93 |
+#define CL_SCAN_ELF 0x2000 |
|
94 |
+#define CL_SCAN_PDF 0x4000 |
|
95 |
+#define CL_SCAN_STRUCTURED 0x8000 |
|
96 |
+#define CL_SCAN_STRUCTURED_SSN_NORMAL 0x10000 |
|
97 |
+#define CL_SCAN_STRUCTURED_SSN_STRIPPED 0x20000 |
|
97 | 98 |
|
98 | 99 |
/* recommended scan settings */ |
99 | 100 |
#define CL_SCAN_STDOPT (CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_HTML | CL_SCAN_PE | CL_SCAN_ALGORITHMIC | CL_SCAN_ELF) |
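Review bot: The two new SSN flags carry no comment saying that they only take effect together with `CL_SCAN_STRUCTURED`, nor that — per the switch in cli_scan_structured in this same commit — passing `CL_SCAN_STRUCTURED` with neither of them now performs no SSN search at all, whereas the removed `CL_STRUCTURED_CONF_SSN_BOTH` default (value 0) used to search both formats. A libclamav caller that passed only `CL_SCAN_STRUCTURED` before this change therefore loses SSN detection without any error, which the public header should state: `/* select the SSN formats searched when CL_SCAN_STRUCTURED is set; with neither flag set no SSN search is performed */`. Separately, the old define lines are removed and re-added byte-identical apart from whitespace, which makes the hunk look like a rewrite of the whole option list when only two lines are new.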
... | ... |
@@ -145,11 +146,6 @@ struct cl_engine { |
145 | 145 |
void *ignored; |
146 | 146 |
}; |
147 | 147 |
|
148 |
-/* Structured data flags */ |
|
149 |
-#define CL_STRUCTURED_CONF_SSN_BOTH 0x00 |
|
150 |
-#define CL_STRUCTURED_CONF_SSN_NORMAL 0x01 |
|
151 |
-#define CL_STRUCTURED_CONF_SSN_STRIPPED 0x02 |
|
152 |
- |
|
153 | 148 |
struct cl_limits { |
154 | 149 |
unsigned long int maxscansize; /* during the scanning of archives this size |
155 | 150 |
* will never be exceeded |
... | ... |
@@ -167,9 +163,8 @@ struct cl_limits { |
167 | 167 |
* number of occurences of an CC# or SSN before the system will |
168 | 168 |
* generate a notification. |
169 | 169 |
*/ |
170 |
- unsigned long min_cc_count; |
|
171 |
- unsigned long min_ssn_count; |
|
172 |
- unsigned long structured_flags; |
|
170 |
+ unsigned int min_cc_count; |
|
171 |
+ unsigned int min_ssn_count; |
|
173 | 172 |
}; |
174 | 173 |
|
175 | 174 |
struct cl_stat { |
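Review bot: Removing `structured_flags` and narrowing the two counters from `unsigned long` to `unsigned int` changes the size and layout of `struct cl_limits`, which lives in the public clamav.h and is filled in by clamd and clamscan in this commit, so anything built against the previous header will hand the library a struct it now reads differently. Whether a library version or soname bump accompanies this is not visible here; if it does not, that is an ABI break that deserves at least a ChangeLog line. The field comment just above (context lines in this hunk) could also carry the new rule the scanner relies on, `/* must be >= 1: cli_scan_structured compares with >=, so 0 would be satisfied by any input */`. The struct definition begins before this hunk.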
... | ... |
@@ -99,6 +99,7 @@ static struct dconf_module modules[] = { |
99 | 99 |
{ "OTHER", "RIFF", OTHER_CONF_RIFF, 1 }, |
100 | 100 |
{ "OTHER", "JPEG", OTHER_CONF_JPEG, 1 }, |
101 | 101 |
{ "OTHER", "CRYPTFF", OTHER_CONF_CRYPTFF, 1 }, |
102 |
+ { "OTHER", "DLP", OTHER_CONF_DLP, 1 }, |
|
102 | 103 |
|
103 | 104 |
{ "PHISHING", "ENGINE", PHISHING_CONF_ENGINE, 1 }, |
104 | 105 |
{ "PHISHING", "ENTCONV", PHISHING_CONF_ENTCONV, 1 }, |
... | ... |
@@ -1514,36 +1514,38 @@ static int cli_scan_structured(int desc, cli_ctx *ctx) |
1514 | 1514 |
else |
1515 | 1515 |
ccfunc = dlp_get_cc_count; |
1516 | 1516 |
|
1517 |
- ssnfunc = dlp_get_ssn_count;; |
|
1517 |
+ switch((ctx->options & CL_SCAN_STRUCTURED_SSN_NORMAL) | (ctx->options & CL_SCAN_STRUCTURED_SSN_STRIPPED)) { |
|
1518 | 1518 |
|
1519 |
- switch(lim->structured_flags) { |
|
1520 |
- |
|
1521 |
- case CL_STRUCTURED_CONF_SSN_BOTH: |
|
1519 |
+ case (CL_SCAN_STRUCTURED_SSN_NORMAL | CL_SCAN_STRUCTURED_SSN_STRIPPED): |
|
1522 | 1520 |
if(lim->min_ssn_count == 1) |
1523 | 1521 |
ssnfunc = dlp_has_ssn; |
1524 | 1522 |
else |
1525 | 1523 |
ssnfunc = dlp_get_ssn_count; |
1526 | 1524 |
break; |
1527 | 1525 |
|
1528 |
- case CL_STRUCTURED_CONF_SSN_NORMAL: |
|
1526 |
+ case CL_SCAN_STRUCTURED_SSN_NORMAL: |
|
1529 | 1527 |
if(lim->min_ssn_count == 1) |
1530 | 1528 |
ssnfunc = dlp_has_normal_ssn; |
1531 | 1529 |
else |
1532 | 1530 |
ssnfunc = dlp_get_normal_ssn_count; |
1533 | 1531 |
break; |
1534 | 1532 |
|
1535 |
- case CL_STRUCTURED_CONF_SSN_STRIPPED: |
|
1533 |
+ case CL_SCAN_STRUCTURED_SSN_STRIPPED: |
|
1536 | 1534 |
if(lim->min_ssn_count == 1) |
1537 | 1535 |
ssnfunc = dlp_has_stripped_ssn; |
1538 | 1536 |
else |
1539 | 1537 |
ssnfunc = dlp_get_stripped_ssn_count; |
1540 | 1538 |
break; |
1539 |
+ |
|
1540 |
+ default: |
|
1541 |
+ ssnfunc = NULL; |
|
1541 | 1542 |
} |
1542 | 1543 |
|
1543 |
- while(((result = cli_readn(desc, buf, 8191)) > 0) && !done) { |
|
1544 |
+ while(!done && ((result = cli_readn(desc, buf, 8191)) > 0)) { |
|
1544 | 1545 |
if((cc_count += ccfunc((const unsigned char *)buf, result)) >= lim->min_cc_count) |
1545 | 1546 |
done = 1; |
1546 |
- if((ssn_count += ssnfunc((const unsigned char *)buf, result)) >= lim->min_ssn_count) |
|
1547 |
+ |
|
1548 |
+ if(ssnfunc && ((ssn_count += ssnfunc((const unsigned char *)buf, result)) >= lim->min_ssn_count)) |
|
1547 | 1549 |
done = 1; |
1548 | 1550 |
} |
1549 | 1551 |
|
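Review bot: A `min_cc_count` or `min_ssn_count` of 0 is not guarded anywhere in the hunk: both comparisons are `>=`, so the first buffer satisfies them and `done` is set for every ASCII text file regardless of content — what happens after the loop is outside the hunk, but the new clamd options feed these fields directly from the config, so the case is now reachable. Either reject it at the top of the function or make the counters effectively 1-based, e.g. `unsigned int min_cc = lim->min_cc_count ? lim->min_cc_count : 1;` (and likewise for SSN) and compare against those, with the `== 1` selection of the `dlp_has_*` variants, which happens before the hunk, using the same locals. On style, the switch expression `(ctx->options & A) | (ctx->options & B)` is simply `ctx->options & (CL_SCAN_STRUCTURED_SSN_NORMAL | CL_SCAN_STRUCTURED_SSN_STRIPPED)`, and the `default:` that sets `ssnfunc = NULL` deserves a one-line comment, `/* neither SSN format requested: skip the SSN search */`, since a NULL function pointer is an unusual way to spell "disabled". cli_scan_structured begins before this hunk.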
... | ... |
@@ -1990,7 +1992,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx) |
1990 | 1990 |
break; |
1991 | 1991 |
|
1992 | 1992 |
case CL_TYPE_TEXT_ASCII: |
1993 |
- if(SCAN_STRUCTURED) |
|
1993 |
+ if(SCAN_STRUCTURED && (DCONF_OTHER & OTHER_CONF_DLP)) |
|
1994 | 1994 |
/* TODO: consider calling this from cli_scanscript() for |
1995 | 1995 |
* a normalised text |
1996 | 1996 |
*/ |
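Review bot: The statement guarded by the extended `if(SCAN_STRUCTURED && (DCONF_OTHER & OTHER_CONF_DLP))` lies below the hunk, separated from its condition by a three-line TODO comment; an unbraced `if` whose body is several lines away from its test is easy to misread and easy to break when a second statement is added later. I would brace it, `if(SCAN_STRUCTURED && (DCONF_OTHER & OTHER_CONF_DLP)) {` … `}`, and move the TODO comment above the `if` so the condition and its body are adjacent. The `case CL_TYPE_TEXT_ASCII:` body continues outside the hunk.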
... | ... |
@@ -55,6 +55,11 @@ struct cfgoption cfg_options[] = { |
55 | 55 |
{"PhishingRestrictedScan", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
56 | 56 |
/* end of FP prone options */ |
57 | 57 |
{"DetectPUA", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
58 |
+ {"StructuredDataDetection", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
|
59 |
+ {"StructuredMinCreditCardCount", OPT_NUM, 1, NULL, 0, OPT_CLAMD}, |
|
60 |
+ {"StructuredMinSSNCount", OPT_NUM, 1, NULL, 0, OPT_CLAMD}, |
|
61 |
+ {"StructuredSSNFormatNormal", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
|
62 |
+ {"StructuredSSNFormatStripped", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
|
58 | 63 |
{"AlgorithmicDetection", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
59 | 64 |
{"ScanHTML", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
60 | 65 |
{"ScanOLE2", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
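Review bot: The five new entries are inserted below the `/* end of FP prone options */` marker, yet structured-data detection is presumably among the most false-positive-prone features in the table (it fires on ordinary text that happens to contain enough number sequences passing the format checks), so if that marker is consumed by anything — a script or a documentation generator, not visible here — the DLP options land in the wrong group. Moving them above the marker, or tagging them `/* DLP options: FP prone, off by default */`, would keep the grouping honest. The two `OPT_NUM` entries default to 1, but the table has no column to express a minimum, so the `< 1` check has to live in clamd where the values are read; a note on the entries, `/* must be >= 1, validated where clamd reads it */`, stops the next reader from assuming the parser enforces it. cfg_options[] continues outside the hunk.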