git-svn: trunk@4153
Tomasz Kojm authored on 2008/08/30 08:33:12... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Sat Aug 30 01:29:51 CEST 2008 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/dlp.c: limit number of false positive alerts |
|
4 |
+ * clamd, clamscan: don't scan for stripped SSNs by default |
|
5 |
+ |
|
1 | 6 |
Fri Aug 29 12:29:32 CEST 2008 (tk) |
2 | 7 |
---------------------------------- |
3 | 8 |
* libclamav/dlp.c: credit card detection fixes |
@@ -576,7 +576,7 @@ int scanmanager(const struct optstruct *opt) |
576 | 576 |
return 40; |
577 | 577 |
} |
578 | 578 |
} else { |
579 |
- options |= (CL_SCAN_STRUCTURED_SSN_NORMAL | CL_SCAN_STRUCTURED_SSN_STRIPPED); |
|
579 |
+ options |= CL_SCAN_STRUCTURED_SSN_NORMAL; |
|
580 | 580 |
} |
581 | 581 |
|
582 | 582 |
if(opt_check(opt, "structured-ssn-count")) |
@@ -311,7 +311,7 @@ Default: Yes |
311 | 311 |
\fBStructuredSSNFormatStripped BOOL\fR |
312 | 312 |
With this option enabled the DLP module will search for valid SSNs formatted as xxxyyzzzz. |
313 | 313 |
.br |
314 |
-Default: Yes |
|
314 |
+Default: No |
|
315 | 315 |
.TP |
316 | 316 |
\fBScanArchive BOOL\fR |
317 | 317 |
Enable archive scanning. |
@@ -82,7 +82,7 @@ Only include a specific PUA category. This option can be used multiple times. |
82 | 82 |
Enable the DLP (Data Loss Prevention) module which provides detection of SSN and Credit Card numbers. |
83 | 83 |
.TP |
84 | 84 |
\fB\-\-structured\-ssn\-format=X\fR |
85 |
-X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped); X=2: default: search for both formats. |
|
85 |
+X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped); X=2: search for both formats. Default is 0. |
|
86 | 86 |
.TP |
87 | 87 |
\fB\-\-structured\-ssn\-count=#n\fR |
88 | 88 |
This option sets the lowest number of Social Security Numbers found in a file to generate a detect (default: 3). |
@@ -31,6 +31,7 @@ |
31 | 31 |
#include <stdlib.h> |
32 | 32 |
#include "dlp.h" |
33 | 33 |
#include "others.h" |
34 |
+#include "str.h" |
|
34 | 35 |
|
35 | 36 |
/* detection mode macros for the contains_* functions */ |
36 | 37 |
#define DETECT_MODE_DETECT 0 |
@@ -158,6 +159,8 @@ int dlp_is_valid_cc(const unsigned char *buffer, int length) |
158 | 158 |
sum += val; |
159 | 159 |
} |
160 | 160 |
cc_digits[digits] = 0; |
161 |
+ if(i < length && isdigit(buffer[i])) |
|
162 |
+ return 0; |
|
161 | 163 |
|
162 | 164 |
if((sum % 10 != 0) || (digits < 13)) |
163 | 165 |
return 0; |
@@ -245,7 +248,7 @@ static int contains_cc(const unsigned char *buffer, int length, int detmode) |
245 | 245 |
{ |
246 | 246 |
if(isdigit(*idx)) |
247 | 247 |
{ |
248 |
- if(dlp_is_valid_cc(idx, length - (idx - buffer)) == 1) |
|
248 |
+ if((idx == buffer || !isdigit(idx[-1])) && dlp_is_valid_cc(idx, length - (idx - buffer)) == 1) |
|
249 | 249 |
{ |
250 | 250 |
if(detmode == DETECT_MODE_DETECT) |
251 | 251 |
return 1; |
@@ -282,6 +285,7 @@ int dlp_is_valid_ssn(const unsigned char *buffer, int length, int format) |
282 | 282 |
int serial_number; |
283 | 283 |
int minlength; |
284 | 284 |
int retval = 1; |
285 |
+ char numbuf[12]; |
|
285 | 286 |
|
286 | 287 |
if(buffer == NULL) |
287 | 288 |
return 0; |
@@ -290,12 +294,21 @@ int dlp_is_valid_ssn(const unsigned char *buffer, int length, int format) |
290 | 290 |
|
291 | 291 |
if(length < minlength) |
292 | 292 |
return 0; |
293 |
+ |
|
294 |
+ if((length > minlength) && isdigit(buffer[minlength])) |
|
295 |
+ return 0; |
|
293 | 296 |
|
297 |
+ strncpy(numbuf, buffer, minlength); |
|
298 |
+ numbuf[minlength] = 0; |
|
299 |
+ |
|
294 | 300 |
/* sscanf parses and (basically) validates the string for us */ |
295 | 301 |
switch(format) |
296 | 302 |
{ |
297 | 303 |
case SSN_FORMAT_HYPHENS: |
298 |
- if(sscanf((const char *) buffer, |
|
304 |
+ if(numbuf[3] != '-' || numbuf[6] != '-') |
|
305 |
+ return 0; |
|
306 |
+ |
|
307 |
+ if(sscanf((const char *) numbuf, |
|
299 | 308 |
"%3d-%2d-%4d", |
300 | 309 |
&area_number, |
301 | 310 |
&group_number, |
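Review bot: The hyphen path still lets sscanf accept a leading space or sign inside a field, because only `numbuf[3]` and `numbuf[6]` are checked before `"%3d-%2d-%4d"` is parsed; a candidate such as `123- 5-6789` (constructed example) passes the hyphen test and then parses with group_number 5. The stripped case guards this with cli_isnumber, so the hyphen case should get the equivalent check before its sscanf, e.g. a loop over numbuf[0..minlength) that returns 0 when any position other than 3 and 6 is not a digit (`isdigit((unsigned char)numbuf[i])`), which also makes the two cases consistent. The strncpy copy bounds the read to minlength, which is only safe for the 12-byte numbuf if minlength never exceeds 11; that assignment and the rest of dlp_is_valid_ssn are outside this hunk, so a comment on the array such as `/* room for the longest format (xxx-yy-zzzz) plus NUL */` would pin the invariant, and strncpy wants a `(const char *)` cast on buffer as the sscanf line already does. In the later hunk of this function the new cli_dbgmsg prints the full matched SSN into the debug log; for a DLP check, logging only the format, `cli_dbgmsg("dlp_is_valid_ssn: SSN_%s matched\n", format == SSN_FORMAT_HYPHENS ? "HYPHENS" : "STRIPPED");`, avoids copying the sensitive value into log files.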
@@ -305,7 +318,10 @@ int dlp_is_valid_ssn(const unsigned char *buffer, int length, int format) |
305 | 305 |
} |
306 | 306 |
break; |
307 | 307 |
case SSN_FORMAT_STRIPPED: |
308 |
- if(sscanf((const char *) buffer, |
|
308 |
+ if(!cli_isnumber(numbuf)) |
|
309 |
+ return 0; |
|
310 |
+ |
|
311 |
+ if(sscanf((const char *) numbuf, |
|
309 | 312 |
"%3d%2d%4d", |
310 | 313 |
&area_number, |
311 | 314 |
&group_number, |
@@ -338,6 +354,9 @@ int dlp_is_valid_ssn(const unsigned char *buffer, int length, int format) |
338 | 338 |
if(group_number > ssn_max_group[area_number]) |
339 | 339 |
retval = 0; |
340 | 340 |
|
341 |
+ if(retval) |
|
342 |
+ cli_dbgmsg("dlp_is_valid_ssn: SSN_%s: %s\n", format == SSN_FORMAT_HYPHENS ? "HYPHENS" : "STRIPPED", numbuf); |
|
343 |
+ |
|
341 | 344 |
return retval; |
342 | 345 |
} |
343 | 346 |
|
@@ -357,7 +376,7 @@ static int contains_ssn(const unsigned char *buffer, int length, int format, int |
357 | 357 |
if(isdigit(*idx)) |
358 | 358 |
{ |
359 | 359 |
/* check for area number and the first hyphen */ |
360 |
- if(dlp_is_valid_ssn(idx, length - (idx - buffer), format) == 1) |
|
360 |
+ if((idx == buffer || !isdigit(idx[-1])) && dlp_is_valid_ssn(idx, length - (idx - buffer), format) == 1) |
|
361 | 361 |
{ |
362 | 362 |
if(detmode == DETECT_MODE_COUNT) |
363 | 363 |
{ |
@@ -62,7 +62,7 @@ struct cfgoption cfg_options[] = { |
62 | 62 |
{"StructuredMinCreditCardCount", OPT_NUM, 3, NULL, 0, OPT_CLAMD}, |
63 | 63 |
{"StructuredMinSSNCount", OPT_NUM, 3, NULL, 0, OPT_CLAMD}, |
64 | 64 |
{"StructuredSSNFormatNormal", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
65 |
- {"StructuredSSNFormatStripped", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
|
65 |
+ {"StructuredSSNFormatStripped", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
|
66 | 66 |
{"AlgorithmicDetection", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
67 | 67 |
{"ScanHTML", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
68 | 68 |
{"ScanOLE2", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |