git-svn: trunk@3042
Tomasz Kojm authored on 2007/05/02 01:08:57... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Tue May 1 17:20:53 CEST 2007 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * prepare for enabling phishing code in non-experimental builds - apply |
|
4 |
+ patches from Edwin |
|
5 |
+ |
|
1 | 6 |
Tue May 1 13:13:56 CEST 2007 (tk) |
2 | 7 |
---------------------------------- |
3 | 8 |
* configure: remove libcurl checks |
... | ... |
@@ -302,12 +302,10 @@ int main(int argc, char **argv) |
302 | 302 |
else |
303 | 303 |
logg("Not loading phishing signatures.\n"); |
304 | 304 |
|
305 |
-#ifdef CL_EXPERIMENTAL |
|
306 | 305 |
if(cfgopt(copt,"PhishingScanURLs")->enabled) |
307 | 306 |
dboptions |= CL_DB_PHISHING_URLS; |
308 | 307 |
else |
309 | 308 |
logg("Disabling URL based phishing detection.\n"); |
310 |
-#endif |
|
311 | 309 |
|
312 | 310 |
if(cfgopt(copt, "NodalCoreAcceleration")->enabled) { |
313 | 311 |
#ifdef HAVE_NCORE |
... | ... |
@@ -431,7 +431,6 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne |
431 | 431 |
logg("HTML support disabled.\n"); |
432 | 432 |
} |
433 | 433 |
|
434 |
-#ifdef CL_EXPERIMENTAL |
|
435 | 434 |
if(cfgopt(copt,"PhishingScanURLs")->enabled) { |
436 | 435 |
|
437 | 436 |
if(cfgopt(copt,"PhishingRestrictedScan")->enabled) { |
... | ... |
@@ -457,7 +456,6 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne |
457 | 457 |
logg("Phishing: Always checking for ssl mismatches\n"); |
458 | 458 |
} |
459 | 459 |
} |
460 |
-#endif /* CL_EXPERIMENTAL */ |
|
461 | 460 |
|
462 | 461 |
selfchk = cfgopt(copt, "SelfCheck")->numarg; |
463 | 462 |
if(!selfchk) { |
... | ... |
@@ -300,12 +300,10 @@ void help(void) |
300 | 300 |
mprintf("\n"); |
301 | 301 |
mprintf(" --no-mail Disable mail file support\n"); |
302 | 302 |
mprintf(" --no-phishing-sigs Disable signature-based phishing detection\n"); |
303 |
-#ifdef CL_EXPERIMENTAL |
|
304 | 303 |
mprintf(" --no-phishing-scan-urls Disable url-based phishing detection\n"); |
305 | 304 |
mprintf(" --no-phishing-restrictedscan Enable phishing detection for all domains (might lead to false positives!)\n"); |
306 | 305 |
mprintf(" --phishing-ssl Always block SSL mismatches in URLs (phishing module)\n"); |
307 | 306 |
mprintf(" --phishing-cloak Always block cloaked URLs (phishing module)\n"); |
308 |
-#endif |
|
309 | 307 |
mprintf(" --no-algorithmic Disable algorithmic detection\n"); |
310 | 308 |
mprintf(" --no-pe Disable PE analysis\n"); |
311 | 309 |
mprintf(" --no-elf Disable ELF support\n"); |
... | ... |
@@ -75,12 +75,10 @@ static struct option clamscan_longopt[] = { |
75 | 75 |
{"no-mail", 0, 0, 0}, |
76 | 76 |
{"mail-follow-urls", 0, 0, 0}, |
77 | 77 |
{"no-phishing-sigs", 0, 0, 0}, |
78 |
-#ifdef CL_EXPERIMENTAL |
|
79 | 78 |
{"no-phishing-scan-urls", 0, 0, 0}, |
80 | 79 |
{"no-phishing-restrictedscan", 0, 0, 0}, |
81 | 80 |
{"phishing-ssl", 0, 0, 0}, |
82 | 81 |
{"phishing-cloak", 0, 0, 0}, |
83 |
-#endif |
|
84 | 82 |
{"no-algorithmic", 0, 0, 0}, |
85 | 83 |
{"unzip", 2, 0, 0}, |
86 | 84 |
{"unrar", 2, 0, 0}, |
... | ... |
@@ -171,7 +171,6 @@ int scanmanager(const struct optstruct *opt) |
171 | 171 |
if(!opt_check(opt, "no-phishing-sigs")) |
172 | 172 |
dboptions |= CL_DB_PHISHING; |
173 | 173 |
|
174 |
-#ifdef CL_EXPERIMENTAL |
|
175 | 174 |
if(!opt_check(opt,"no-phishing-scan-urls")) |
176 | 175 |
dboptions |= CL_DB_PHISHING_URLS; |
177 | 176 |
if(!opt_check(opt,"no-phishing-restrictedscan")) { |
... | ... |
@@ -184,7 +183,6 @@ int scanmanager(const struct optstruct *opt) |
184 | 184 |
if(opt_check(opt,"phishing-cloak")) { |
185 | 185 |
options |= CL_SCAN_PHISHING_BLOCKCLOAK; |
186 | 186 |
} |
187 |
-#endif |
|
188 | 187 |
|
189 | 188 |
if(opt_check(opt, "dev-ac-only")) |
190 | 189 |
dboptions |= CL_DB_ACONLY; |
... | ... |
@@ -39,6 +39,12 @@ struct dconf_module { |
39 | 39 |
uint8_t state; /* default state (on/off) */ |
40 | 40 |
}; |
41 | 41 |
|
42 |
+#ifdef CL_EXPERIMENTAL |
|
43 |
+#define DCONF_ENABLE_EXPERIMENTAL 1 |
|
44 |
+#else |
|
45 |
+#define DCONF_ENABLE_EXPERIMENTAL 0 |
|
46 |
+#endif |
|
47 |
+ |
|
42 | 48 |
static struct dconf_module modules[] = { |
43 | 49 |
|
44 | 50 |
{ "PE", "PARITE", PE_CONF_PARITE, 1 }, |
... | ... |
@@ -88,6 +94,9 @@ static struct dconf_module modules[] = { |
88 | 88 |
{ "OTHER", "JPEG", OTHER_CONF_JPEG, 1 }, |
89 | 89 |
{ "OTHER", "CRYPTFF", OTHER_CONF_CRYPTFF, 1 }, |
90 | 90 |
|
91 |
+ { "PHISHING", "ENGINE", PHISHING_CONF_ENGINE, 1 }, |
|
92 |
+ { "PHISHING", "ENTCONV", PHISHING_CONF_ENTCONV, DCONF_ENABLE_EXPERIMENTAL }, /* exp */ |
|
93 |
+ |
|
91 | 94 |
{ NULL, NULL, 0, 0 } |
92 | 95 |
}; |
93 | 96 |
|
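Review bot: The `/* exp */` comment on the new ENTCONV entry does not say why the two PHISHING submodules get different defaults, and that is the one thing a reader of this table needs. I would replace it with `/* default tracks CL_EXPERIMENTAL: entity conversion in cli_filetype2 is off in non-experimental builds unless a .cfg turns it on */`, and give the ENGINE line `/* URL phishing engine (phishing_init, .wdb/.pdb loading); on by default */`. Both bits can be overridden at runtime by a `PHISHING:0x..` line handled in cli_dconf_load, which is worth stating here because the `#ifdef` this replaces was a compile-time decision. The `modules[]` array starts outside the hunk.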
... | ... |
@@ -125,6 +134,9 @@ struct cli_dconf *cli_dconf_init(void) |
125 | 125 |
} else if(!strcmp(modules[i].mname, "OTHER")) { |
126 | 126 |
if(modules[i].state) |
127 | 127 |
dconf->other |= modules[i].bflag; |
128 |
+ } else if(!strcmp(modules[i].mname, "PHISHING")) { |
|
129 |
+ if(modules[i].state) |
|
130 |
+ dconf->phishing |= modules[i].bflag; |
|
128 | 131 |
} |
129 | 132 |
} |
130 | 133 |
|
... | ... |
@@ -133,7 +145,7 @@ struct cli_dconf *cli_dconf_init(void) |
133 | 133 |
|
134 | 134 |
void cli_dconf_print(struct cli_dconf *dconf) |
135 | 135 |
{ |
136 |
- uint8_t pe = 0, elf = 0, arch = 0, doc = 0, mail = 0, other = 0; |
|
136 |
+ uint8_t pe = 0, elf = 0, arch = 0, doc = 0, mail = 0, other = 0, phishing=0; |
|
137 | 137 |
unsigned int i; |
138 | 138 |
|
139 | 139 |
|
... | ... |
@@ -196,6 +208,15 @@ void cli_dconf_print(struct cli_dconf *dconf) |
196 | 196 |
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->other & modules[i].bflag) ? "On" : "** Off **"); |
197 | 197 |
else |
198 | 198 |
continue; |
199 |
+ } else if(!strcmp(modules[i].mname, "PHISHING")) { |
|
200 |
+ if(!phishing) { |
|
201 |
+ cli_dbgmsg("Module PHISHING %s\n", dconf->phishing ? "On" : "Off"); |
|
202 |
+ phishing = 1; |
|
203 |
+ } |
|
204 |
+ if(dconf->phishing) |
|
205 |
+ cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->phishing & modules[i].bflag) ? "On" : "** Off **"); |
|
206 |
+ else |
|
207 |
+ continue; |
|
199 | 208 |
} |
200 | 209 |
} |
201 | 210 |
} |
... | ... |
@@ -309,6 +330,15 @@ int cli_dconf_load(FILE *fd, struct cl_engine **engine, unsigned int options) |
309 | 309 |
break; |
310 | 310 |
} |
311 | 311 |
} |
312 |
+ |
|
313 |
+ if(!strncmp(buffer, "PHISHING:", 9) && chkflevel(buffer, 2)) { |
|
314 |
+ if(sscanf(buffer + 9, "0x%x", &val) == 1) { |
|
315 |
+ dconf->phishing = val; |
|
316 |
+ } else { |
|
317 |
+ ret = CL_EMALFDB; |
|
318 |
+ break; |
|
319 |
+ } |
|
320 |
+ } |
|
312 | 321 |
} |
313 | 322 |
|
314 | 323 |
if(ret) { |
... | ... |
@@ -31,6 +31,7 @@ struct cli_dconf { |
31 | 31 |
uint32_t doc; |
32 | 32 |
uint32_t mail; |
33 | 33 |
uint32_t other; |
34 |
+ uint32_t phishing; |
|
34 | 35 |
}; |
35 | 36 |
|
36 | 37 |
/* PE flags */ |
... | ... |
@@ -80,6 +81,9 @@ struct cli_dconf { |
80 | 80 |
#define OTHER_CONF_JPEG 0x8 |
81 | 81 |
#define OTHER_CONF_CRYPTFF 0x10 |
82 | 82 |
|
83 |
+/* Phishing flags */ |
|
84 |
+#define PHISHING_CONF_ENGINE 0x1 |
|
85 |
+#define PHISHING_CONF_ENTCONV 0x2 |
|
83 | 86 |
|
84 | 87 |
struct cli_dconf *cli_dconf_init(void); |
85 | 88 |
void cli_dconf_print(struct cli_dconf *dconf); |
... | ... |
@@ -37,10 +37,8 @@ |
37 | 37 |
#include "matcher-ac.h" |
38 | 38 |
#include "str.h" |
39 | 39 |
|
40 |
-#ifdef CL_EXPERIMENTAL |
|
41 | 40 |
#include "htmlnorm.h" |
42 | 41 |
#include "entconv.h" |
43 |
-#endif |
|
44 | 42 |
|
45 | 43 |
struct cli_magic_s { |
46 | 44 |
size_t offset; |
... | ... |
@@ -287,8 +285,7 @@ cli_file_t cli_filetype2(int desc, const struct cl_engine *engine) |
287 | 287 |
} |
288 | 288 |
cli_ac_freedata(&mdata); |
289 | 289 |
|
290 |
-#ifdef CL_EXPERIMENTAL |
|
291 |
- if(ret != CL_TYPE_HTML_UTF16) { |
|
290 |
+ if((((struct cli_dconf*) engine->dconf)->phishing & PHISHING_CONF_ENTCONV) && ret != CL_TYPE_HTML_UTF16) { |
|
292 | 291 |
struct entity_conv conv; |
293 | 292 |
const size_t conv_size = 2*bread < 256 ? 256 : 2*bread; |
294 | 293 |
|
... | ... |
@@ -324,7 +321,6 @@ cli_file_t cli_filetype2(int desc, const struct cl_engine *engine) |
324 | 324 |
cli_warnmsg("cli_filetype2: Error initializing entity converter\n"); |
325 | 325 |
} |
326 | 326 |
} |
327 |
-#endif /* CL_EXPERIMENTAL */ |
|
328 | 327 |
} |
329 | 328 |
} |
330 | 329 |
|
... | ... |
@@ -55,12 +55,10 @@ |
55 | 55 |
#include "lockdb.h" |
56 | 56 |
#include "readdb.h" |
57 | 57 |
|
58 |
-#ifdef CL_EXPERIMENTAL |
|
59 | 58 |
#include "phishcheck.h" |
60 | 59 |
#include "phish_whitelist.h" |
61 | 60 |
#include "phish_domaincheck_db.h" |
62 | 61 |
#include "regex_list.h" |
63 |
-#endif |
|
64 | 62 |
|
65 | 63 |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2) |
66 | 64 |
#include <limits.h> |
... | ... |
@@ -275,9 +273,7 @@ int cli_parse_add(struct cli_matcher *root, const char *virname, const char *hex |
275 | 275 |
|
276 | 276 |
int cli_initengine(struct cl_engine **engine, unsigned int options) |
277 | 277 |
{ |
278 |
-#ifdef CL_EXPERIMENTAL |
|
279 | 278 |
int ret; |
280 |
-#endif |
|
281 | 279 |
|
282 | 280 |
|
283 | 281 |
if(!*engine) { |
... | ... |
@@ -309,11 +305,9 @@ int cli_initengine(struct cl_engine **engine, unsigned int options) |
309 | 309 |
} |
310 | 310 |
} |
311 | 311 |
|
312 |
-#ifdef CL_EXPERIMENTAL |
|
313 |
- if(options & CL_DB_PHISHING_URLS) |
|
312 |
+ if((options & CL_DB_PHISHING_URLS) && (((struct cli_dconf*) (*engine)->dconf)->phishing & PHISHING_CONF_ENGINE)) |
|
314 | 313 |
if((ret = phishing_init(*engine))) |
315 | 314 |
return ret; |
316 |
-#endif |
|
317 | 315 |
|
318 | 316 |
return CL_SUCCESS; |
319 | 317 |
} |
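Review bot: The `PHISHING_CONF_ENGINE` gate added at line 312 reads ordinary runtime state, and cli_loadwdb's `return ret;` immediately before its own dconf test suggests cli_initengine runs at the top of every database loader, so whether phishing_init is ever called appears to depend on whether a .cfg carrying a `PHISHING:` line was loaded before the first .wdb/.pdb. cl_free re-evaluates the same bit at teardown, so init and teardown can disagree if cli_dconf_load changed it in between; remembering that phishing_init actually ran (a flag on the engine, or whatever phishing_done already keys on) is safer than re-deriving it from dconf. Nothing in the hunk shows `(*engine)->dconf` being allocated before this dereference; if that happens in the `if(!*engine)` block above, a short comment such as `/* dconf is allocated together with the engine above */` would make the dereference obviously safe. The function begins outside the hunk.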
... | ... |
@@ -418,7 +412,6 @@ static int cli_loaddb(FILE *fd, struct cl_engine **engine, unsigned int *signo, |
418 | 418 |
return CL_SUCCESS; |
419 | 419 |
} |
420 | 420 |
|
421 |
-#ifdef CL_EXPERIMENTAL |
|
422 | 421 |
static int cli_loadwdb(FILE *fd, struct cl_engine **engine, unsigned int options) |
423 | 422 |
{ |
424 | 423 |
int ret = 0; |
... | ... |
@@ -429,6 +422,9 @@ static int cli_loadwdb(FILE *fd, struct cl_engine **engine, unsigned int options |
429 | 429 |
return ret; |
430 | 430 |
} |
431 | 431 |
|
432 |
+ if(!(((struct cli_dconf *) (*engine)->dconf)->phishing & PHISHING_CONF_ENGINE)) |
|
433 |
+ return CL_SUCCESS; |
|
434 |
+ |
|
432 | 435 |
if(!(*engine)->whitelist_matcher) { |
433 | 436 |
if((ret = init_whitelist(*engine))) { |
434 | 437 |
phishing_done(*engine); |
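Review bot: The early `return CL_SUCCESS` at lines 432-433 drops the entire .wdb file without a trace when the ENGINE bit is off, whereas cli_load (further down this commit) at least marks a database it declines to load with `skipped = 1`; an operator who disabled phishing through a .cfg would see the whitelist silently ignored. I would add `cli_dbgmsg("cli_loadwdb: phishing engine disabled by dconf, skipping .wdb\n");` before the return, and the identical early return added to cli_loadpdb needs the same line. The function continues outside the hunk.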
... | ... |
@@ -456,6 +452,9 @@ static int cli_loadpdb(FILE *fd, struct cl_engine **engine, unsigned int options |
456 | 456 |
return ret; |
457 | 457 |
} |
458 | 458 |
|
459 |
+ if(!(((struct cli_dconf *) (*engine)->dconf)->phishing & PHISHING_CONF_ENGINE)) |
|
460 |
+ return CL_SUCCESS; |
|
461 |
+ |
|
459 | 462 |
if(!(*engine)->domainlist_matcher) { |
460 | 463 |
if((ret = init_domainlist(*engine))) { |
461 | 464 |
phishing_done(*engine); |
... | ... |
@@ -472,7 +471,6 @@ static int cli_loadpdb(FILE *fd, struct cl_engine **engine, unsigned int options |
472 | 472 |
|
473 | 473 |
return CL_SUCCESS; |
474 | 474 |
} |
475 |
-#endif |
|
476 | 475 |
|
477 | 476 |
#define NDB_TOKENS 6 |
478 | 477 |
static int cli_loadndb(FILE *fd, struct cl_engine **engine, unsigned int *signo, unsigned short sdb, unsigned int options) |
... | ... |
@@ -1017,7 +1015,6 @@ static int cli_load(const char *filename, struct cl_engine **engine, unsigned in |
1017 | 1017 |
else |
1018 | 1018 |
#endif |
1019 | 1019 |
skipped = 1; |
1020 |
-#ifdef CL_EXPERIMENTAL |
|
1021 | 1020 |
} else if(cli_strbcasestr(filename, ".wdb")) { |
1022 | 1021 |
if(options & CL_DB_PHISHING_URLS) |
1023 | 1022 |
ret = cli_loadwdb(fd, engine, options); |
... | ... |
@@ -1028,7 +1025,6 @@ static int cli_load(const char *filename, struct cl_engine **engine, unsigned in |
1028 | 1028 |
ret = cli_loadpdb(fd, engine, options); |
1029 | 1029 |
else |
1030 | 1030 |
skipped = 1; |
1031 |
-#endif |
|
1032 | 1031 |
} else { |
1033 | 1032 |
cli_dbgmsg("cli_load: unknown extension - assuming old database format\n"); |
1034 | 1033 |
ret = cli_loaddb(fd, engine, signo, options); |
... | ... |
@@ -1108,10 +1104,8 @@ static int cli_loaddbdir_l(const char *dirname, struct cl_engine **engine, unsig |
1108 | 1108 |
cli_strbcasestr(dent->d_name, ".sdb") || |
1109 | 1109 |
cli_strbcasestr(dent->d_name, ".zmd") || |
1110 | 1110 |
cli_strbcasestr(dent->d_name, ".rmd") || |
1111 |
-#ifdef CL_EXPERIMENTAL |
|
1112 | 1111 |
cli_strbcasestr(dent->d_name, ".pdb") || |
1113 | 1112 |
cli_strbcasestr(dent->d_name, ".wdb") || |
1114 |
-#endif |
|
1115 | 1113 |
cli_strbcasestr(dent->d_name, ".ncdb") || |
1116 | 1114 |
cli_strbcasestr(dent->d_name, ".inc") || |
1117 | 1115 |
cli_strbcasestr(dent->d_name, ".cvd"))) { |
... | ... |
@@ -1265,10 +1259,8 @@ int cl_statinidir(const char *dirname, struct cl_stat *dbstat) |
1265 | 1265 |
cli_strbcasestr(dent->d_name, ".zmd") || |
1266 | 1266 |
cli_strbcasestr(dent->d_name, ".rmd") || |
1267 | 1267 |
cli_strbcasestr(dent->d_name, ".cfg") || |
1268 |
-#ifdef CL_EXPERIMENTAL |
|
1269 | 1268 |
cli_strbcasestr(dent->d_name, ".pdb") || |
1270 | 1269 |
cli_strbcasestr(dent->d_name, ".wdb") || |
1271 |
-#endif |
|
1272 | 1270 |
cli_strbcasestr(dent->d_name, ".ncdb") || |
1273 | 1271 |
cli_strbcasestr(dent->d_name, ".inc") || |
1274 | 1272 |
cli_strbcasestr(dent->d_name, ".cvd"))) { |
... | ... |
@@ -1379,10 +1371,8 @@ int cl_statchkdir(const struct cl_stat *dbstat) |
1379 | 1379 |
cli_strbcasestr(dent->d_name, ".zmd") || |
1380 | 1380 |
cli_strbcasestr(dent->d_name, ".rmd") || |
1381 | 1381 |
cli_strbcasestr(dent->d_name, ".cfg") || |
1382 |
-#ifdef CL_EXPERIMENTAL |
|
1383 | 1382 |
cli_strbcasestr(dent->d_name, ".pdb") || |
1384 | 1383 |
cli_strbcasestr(dent->d_name, ".wdb") || |
1385 |
-#endif |
|
1386 | 1384 |
cli_strbcasestr(dent->d_name, ".ncdb") || |
1387 | 1385 |
cli_strbcasestr(dent->d_name, ".inc") || |
1388 | 1386 |
cli_strbcasestr(dent->d_name, ".cvd"))) { |
... | ... |
@@ -1553,9 +1543,8 @@ void cl_free(struct cl_engine *engine) |
1553 | 1553 |
free(metah); |
1554 | 1554 |
} |
1555 | 1555 |
|
1556 |
-#ifdef CL_EXPERIMENTAL |
|
1557 |
- phishing_done(engine); |
|
1558 |
-#endif |
|
1556 |
+ if(((struct cli_dconf *) engine->dconf)->phishing & PHISHING_CONF_ENGINE) |
|
1557 |
+ phishing_done(engine); |
|
1559 | 1558 |
|
1560 | 1559 |
if(engine->dconf) |
1561 | 1560 |
free(engine->dconf); |
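Review bot: The new condition at line 1556 dereferences `engine->dconf` three lines before the existing `if(engine->dconf)` guard at 1560, so if dconf can be NULL here — the guard says the original author thought it could — cl_free now faults instead of making the previously unconditional phishing_done call. Either fold the test into the guard, `if(engine->dconf && (((struct cli_dconf *) engine->dconf)->phishing & PHISHING_CONF_ENGINE)) phishing_done(engine);`, or, if dconf is in fact always set, drop the later NULL test so the two lines stop contradicting each other. Separately, the bit read here is runtime state that a .cfg loaded after phishing_init may have changed, so this gate can skip the teardown of structures that were initialised; a comment recording the assumption, `/* assumes the ENGINE bit is unchanged since cli_initengine */`, would at least make it visible. cl_free begins outside the hunk.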
... | ... |
@@ -49,14 +49,12 @@ struct cfgoption cfg_options[] = { |
49 | 49 |
{"MailFollowURLs", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
50 | 50 |
{"MailMaxRecursion", OPT_NUM, 64, NULL, 0, OPT_CLAMD}, |
51 | 51 |
{"PhishingSignatures", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
52 |
-#ifdef CL_EXPERIMENTAL |
|
53 | 52 |
{"PhishingScanURLs",OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
54 | 53 |
/* these are FP prone options, if default isn't used */ |
55 | 54 |
{"PhishingAlwaysBlockCloak", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
56 | 55 |
{"PhishingAlwaysBlockSSLMismatch", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
57 | 56 |
{"PhishingRestrictedScan", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
58 | 57 |
/* end of FP prone options */ |
59 |
-#endif |
|
60 | 58 |
{"AlgorithmicDetection", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
61 | 59 |
{"ScanHTML", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
62 | 60 |
{"ScanOLE2", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |