  1. #
  2. # NOTE: Fields are separated by TAB characters --- Important!
  3. #
  4. # Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
  5. #           then log text, then user report text.
  6. #
  7. # The "email-addresses" can be a space or comma-separated list of email
  8. # addresses. If the rule hits, the message will be sent to these address(es)
  9. # instead of the original recipients.
  10.  
  11. # Due to a bug in Outlook Express, the second-to-last extension can end up
  12. # being the one used to run the file. So very long filenames must be denied,
  13. # regardless of the final extension.
  14. deny    .{150,}         Very long filename, possible OE attack                      Very long filenames are good signs of attacks against Microsoft e-mail packages
  15.  
  16. # JKF 10/08/2007 Adobe Acrobat nastiness
  17. deny    \.fdf$          Dangerous Adobe Acrobat data-file                       Opening this file can cause auto-loading of any file from the internet
  18.  
  19. # JKF 04/01/2005 More Microsoft security vulnerabilities
  20. deny    \.ico$          Windows icon file security vulnerability                    Possible buffer overflow in Windows
  21. deny    \.ani$          Windows animated cursor file security vulnerability             Possible buffer overflow in Windows
  22. deny    \.cur$          Windows cursor file security vulnerability                  Possible buffer overflow in Windows
  23. #deny   \.hlp$          Windows help file security vulnerability                    Possible buffer overflow in Windows
  24.  
  25. # These 4 are well known viruses.
  26. deny    pretty\s+park\.exe$ "Pretty Park" virus                             "Pretty Park" virus
  27. deny    happy99\.exe$       "Happy" virus                                   "Happy" virus
  28. deny    \.ceo$      WinEvar virus attachment                            Often used by the WinEvar virus
  29. deny    webpage\.rar$   I-Worm.Yanker virus attachment                          Often used by the I-Worm.Yanker virus
  30.  
  31. # JKF 08/07/2005 Several virus scanners may miss this one
  32. deny    \.cab$          Possible malicious Microsoft cabinet file                   Cabinet files may hide viruses
  33.  
  34. # These are found inside the archives that make up Microsoft Office 2007 files (e.g. docx)
  35. allow   \.shp\.xml$     -   -
  36. allow   \.xml\d*\.rel$      -   -
  37. allow   \.x\d+\.rel$        -   -
  38. allow   \.rtf$          -   -
  39.  
  40. # These are known to be mostly harmless.
  41. allow   \.jpg$          -   -
  42. allow   \.gif$          -   -
  43. # .url is arguably dangerous, but I can't just ban it...
  44. allow   \.url$          -   -
  45. allow   \.vcf$          -   -
  46. allow   \.txt$          -   -
  47. allow   \.zip$          -   -
  48. allow   \.t?gz$         -   -
  49. allow   \.bz2$          -   -
  50. allow   \.Z$            -   -
  51. allow   \.rpm$          -   -
  52. # PGP and GPG
  53. allow   \.gpg$          -   -
  54. allow   \.pgp$          -   -
  55. allow   \.sig$          -   -
  56. allow   \.asc$          -   -
  57. # Macintosh archives
  58. allow   \.hqx$          -   -
  59. allow   \.sit.bin$      -   -
  60. allow   \.sea$          -   -
  61.  
  62. # These are known to be dangerous in almost all cases.
  63. deny    \.reg$      Possible Windows registry attack                        Windows registry entries are very dangerous in email
  64. deny    \.chm$      Possible compiled Help file-based virus                     Compiled help files are very dangerous in email
  65. # See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
  66. deny    \.cnf$      Possible SpeedDial attack                           SpeedDials are very dangerous in email
  67. deny    \.hta$      Possible Microsoft HTML archive attack                      HTML archives are very dangerous in email
  68. deny    \.ins$      Possible Microsoft Internet Comm. Settings attack               Windows Internet Settings are dangerous in email
  69. deny    \.jse?$     Possible Microsoft JScript attack                       JScript Scripts are dangerous in email
  70. deny    \.job$      Possible Microsoft Task Scheduler attack                    Task Scheduler requests are dangerous in email
  71. deny    \.lnk$      Possible Eudora *.lnk security hole attack                  Eudora *.lnk security hole attack
  72. deny    \.ma[dfgmqrstvw]$   Possible Microsoft Access Shortcut attack               Microsoft Access Shortcuts are dangerous in email
  73. deny    \.pif$      Possible MS-Dos program shortcut attack                     Shortcuts to MS-Dos programs are very dangerous in email
  74. deny    \.scf$      Possible Windows Explorer Command attack                    Windows Explorer Commands are dangerous in email
  75. deny    \.sct$      Possible Microsoft Windows Script Component attack              Windows Script Components are dangerous in email
  76. deny    \.shb$      Possible document shortcut attack                       Shortcuts Into Documents are very dangerous in email
  77. deny    \.shs$      Possible Shell Scrap Object attack                      Shell Scrap Objects are very dangerous in email
  78. deny    \.vb[es]$   Possible Microsoft Visual Basic script attack                   Visual Basic Scripts are dangerous in email
  79. deny    \.ws[cfh]$  Possible Microsoft Windows Script Host attack                   Windows Script Host files are dangerous in email
  80. deny    \.xnk$      Possible Microsoft Exchange Shortcut attack                 Microsoft Exchange Shortcuts are dangerous in email
  81.  
  82. # These are new dangerous attachment types according to Microsoft in
  83. # http://support.microsoft.com/?kbid=883260
  84. #deny   \.cer$      Dangerous Security Certificate (according to Microsoft)             Dangerous attachment according to Microsoft Q883260
  85. deny    \.its$      Dangerous Internet Document Set (according to Microsoft)            Dangerous attachment according to Microsoft Q883260
  86. deny    \.mau$      Dangerous attachment type (according to Microsoft)              Dangerous attachment according to Microsoft Q883260
  87. deny    \.md[az]$   Dangerous attachment type (according to Microsoft)              Dangerous attachment according to Microsoft Q883260
  88. deny    \.prf$      Dangerous Outlook Profile Settings (according to Microsoft)         Dangerous attachment according to Microsoft Q883260
  89. deny    \.pst$      Dangerous Office Data File (according to Microsoft)             Dangerous attachment according to Microsoft Q883260
  90. #deny   \.tmp$      Dangerous Temporary File (according to Microsoft)               Dangerous attachment according to Microsoft Q883260
  91. deny    \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft)             Dangerous attachment according to Microsoft Q883260
  92. deny    \.vs[stw]$  Dangerous attachment type (according to Microsoft)              Dangerous attachment according to Microsoft Q883260
  93. deny    \.ws$       Dangerous Windows Script (according to Microsoft)               Dangerous attachment according to Microsoft Q883260
  94.  
  95.  
  96. # These 2 added by popular demand - Very often used by viruses
  97. deny    \.com$      Windows/DOS Executable                              Executable DOS/Windows programs are dangerous in email
  98. deny    \.exe$      Windows/DOS Executable                              Executable DOS/Windows programs are dangerous in email
  99.  
  100. # These are very dangerous and have been used to hide viruses
  101. deny    \.scr$      Possible virus hidden in a screensaver                      Windows Screensavers are often used to hide viruses
  102. deny    \.bat$      Possible malicious batch file script                        Batch files are often malicious
  103. deny    \.cmd$      Possible malicious batch file script                        Batch files are often malicious
  104. deny    \.cpl$      Possible malicious control panel item                       Control panel items are often used to hide viruses
  105. deny    \.mhtml$    Possible Eudora meta-refresh attack                     MHTML files can be used in an attack against Eudora
  106.  
  107. # Deny filenames containing CLSIDs
  108. deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type               Files containing  CLSID's are trying to hide their real type
  109.  
  110. # Deny filenames with lots of contiguous white space in them.
  111. deny    \s{10,}     Filename contains lots of white space                       A long gap in a name is often used to hide part of it
  112.  
  113. # Allow a repeated file extension, e.g. blah.zip.zip
  114. allow   (\.[a-z0-9]{3})\1$  -   -
  115.  
  116. # Allow days of the week and months in doc names, e.g. blah.wed.doc
  117. allow   \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$   -   -
  118. allow   \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$    -   -
  119.  
  120. # Diger
  121. allow   \.dbf$          -   -
  122.  
  123.  
  124. # Deny all other double file extensions. This catches any remaining attempts to hide the real extension.
  125. deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding              Attempt to hide real filename extension
  126.  