diff --git a/README.md b/README.md index 1d02c3e3..c44dd9bb 100644 --- a/README.md +++ b/README.md @@ -220,6 +220,18 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] ## Change Log +### Version 7.2.1 (13 December 2020) + +* eXtremeSHOK.com Maintenance +* Change yararule email/Email_generic_phishing.yar to HIGH +* New config option: force_host, by default dig is used when dig and host is present. +* Refactor and correct the assigning of binaries/commands +* Fix broken yara rule database names: Maldoc_hancitor_dropper and Maldoc_APT19_CVE-2017-1099 +* Ensure only dig or host is used when either dig or host is enabled +* Enable remove_disabled_databases by default +* Fix disabled databases removed when "$remove_disabled_databases" is set to "no" +* Incremented the config to version 95 + ### Version 7.2 (07 December 2020) * Database rating downgrades are now supported, eg, changing from HIGH to LOW will remove the HIGH and MEDIUM rated databases. @@ -252,12 +264,12 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * Incremented the config to version 92 * Thank you @dandanio @jkellerer @m0urs @Mrothyr @msapiro @orlitzky @RobbieTheK @SlothOfAnarchy -### Version 7.0.1 (25 January 2020) +### Version 7.0.1 * Disable yara project rules duplicated in rxfn.yara (Thanks @dominicraf) * Incremented the config to version 91 -### Version 7.0.0 (24 January 2020) +### Version 7.0.0 * eXtremeSHOK.com Maintenance * Added urlhaus database @@ -290,7 +302,7 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * Only check for and notify about script updates every 12hours * Incremented the config to version 90 -### Version 6.1.1 (02 September 2019) +### Version 6.1.1 * eXtremeSHOK.com Maintenance * Update os.archlinux.conf, thanks @amishmm @@ -305,7 +317,7 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * Minor enhancement to travis-ci checks * Incremented the config to version 77 -### Version 6.1.0 (27 August 2019) +### Version 6.1.0 * eXtremeSHOK.com Maintenance * Thanks Reio Remma & Oliver Nissen diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh old mode 100644 new mode 100755 index 13b47a9d..6484873f --- a/clamav-unofficial-sigs.sh +++ b/clamav-unofficial-sigs.sh @@ -1530,9 +1530,9 @@ EOF ################################################################################ # Script Info -script_version="7.2" -script_version_date="2020-12-02" -minimum_required_config_version="94" +script_version="7.2.1" +script_version_date="2020-12-13" +minimum_required_config_version="95" minimum_yara_clamav_version="0.100" # Discover script: name, full_path and path @@ -1619,7 +1619,7 @@ else xshok_pretty_echo_and_log "WARNING: ${config_dir}/user.conf is not readable" fi -# Solaris command -v function returns garbage when the program is not found +# Solaris command -v function returns garbage when the program is not found k # only define the new command -v function if running under Solaris if [ "$(uname -s)" == "SunOS" ] ; then function which() { @@ -1628,82 +1628,49 @@ if [ "$(uname -s)" == "SunOS" ] ; then } fi -# Default Binaries & Commands -uname_bin="$(command -v uname 2> /dev/null)" -clamscan_bin="$(command -v clamscan 2> /dev/null)" -rsync_bin="$(command -v rsync 2> /dev/null)" - -# Detect supprot for gnu grep -if [ -x /usr/gnu/bin/grep ] ; then - grep_bin="/usr/gnu/bin/grep" -else - grep_bin="$(command -v grep 2> /dev/null)" -fi -if [ -z "$grep_bin" ] ; then - xshok_pretty_echo_and_log "ERROR: grep command is missing" - exit 1 - fi -# Detect support for sed or gsed -if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then - sed_executable="gsed" -else - sed_executable="sed" -fi -if [ -z "$sed_bin" ]; then - sed_bin="$(command -v "$sed_executable" 2> /dev/null)" +# sed_bin, this is required to be known upfront, due to how the configs are read. +if [ -z "$sed_bin" ] ; then + # Detect support for sed or gsed + if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then + sed_bin="$(command -v gsed 2> /dev/null)" + if [ -z "$sed_bin" ]; then + xshok_pretty_echo_and_log "ERROR: gsed (gnu sed) is missing" + exit 1 + fi else - xshok_pretty_echo_and_log "ERROR: gsed (gnu sed) is missing" + sed_bin="$(command -v sed 2> /dev/null)" + if [ -z "$sed_bin" ]; then + xshok_pretty_echo_and_log "ERROR: sed is missing" + exit 1 + fi + fi +elif [[ "$sed_bin" =~ "/" ]] ; then + if [ ! -x "$sed_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: sed (${sed_bin}) is not executable" exit 1 + + fi fi -# Detect support for tar or gtar -if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then - tar_executable="gtar" -else - tar_executable="tar" -fi -if [ -z "$tar_bin" ]; then - tar_bin="$(command -v "$tar_executable" 2> /dev/null)" +# grep_bin, this is required to be known upfront, due to how the configs are read. +if [ -z "$grep_bin" ] ; then + # Detect support for grep or gnugrep + if [ -x /usr/gnu/bin/grep ] ; then + grep_bin="/usr/gnu/bin/grep" else - xshok_pretty_echo_and_log "ERROR: gtar (gnu tar) is missing" + grep_bin="$(command -v grep 2> /dev/null)" + if [ -z "$grep_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: grep binary (grep_bin) not found" + exit 1 + fi + fi +elif [[ "$grep_bin" =~ "/" ]] ; then + if [ ! -x "$grep_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: grep (${grep_bin}) is not executable" exit 1 -fi -# Detect support for curl -if [ -z "$curl_bin" ]; then - curl_bin="$(command -v curl 2> /dev/null)" -fi -# Detect support for wget -if [ -z "$wget_bin" ]; then - if [ -x /usr/sfw/bin/wget ] ; then - wget_bin="/usr/sfw/bin/wget" - else - wget_bin="$(command -v wget 2> /dev/null)" + fi fi -if [ -z "$wget_bin" ] && [ -z "$curl_bin" ]; then - curl_bin="$(command -v curl 2> /dev/null)" - if [ -z "$curl_bin" ] ; then - xshok_pretty_echo_and_log "ERROR: both wget and curl commands are missing, One of them is required" - exit 1 - fi -fi -if [ -n "$wget_bin" ] ; then - # wget compression support - if $wget_bin --help | $grep_bin -q "compression=TYPE" ; then - wget_compression="--compression=auto" - else - wget_compression="" - fi -fi -# Detect support for dig or host -dig_bin="$(command -v dig 2> /dev/null)" -if [ -n "$dig_bin" ] ; then - host_bin="$(command -v host 2> /dev/null)" - if [ -z "$host_bin" ] ; then - xshok_pretty_echo_and_log "ERROR: both dig and host commands are missing, One of them is required" - exit 1 - fi -fi # Detect if terminal if [ -t 1 ] ; then # Set fonts @@ -1722,7 +1689,6 @@ else force_verbose="no" fi - # Generic command line options while true ; do case "${1}" in @@ -1995,58 +1961,168 @@ fi # dont assign , but remove trailing / shopt -s extglob; clam_dbs="${clam_dbs%%+(/)}" -# Force wget over curl. -if [ -n "$wget_bin" ] && [ "$force_wget" == "yes" ] ; then - xshok_pretty_echo_and_log "NOTICE: Forcing wget" - curl_bin="" -fi +##################################################################################################### +# Assign and Check Binaries/Commands +# clamscan_bin +if [ -z "$clamscan_bin" ] && [ "${1}" != "--remove-script" ] ; then + clamscan_bin="$(command -v clamscan 2> /dev/null)" + if [ -z "$clamscan_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: clamscan binary (clamscan_bin) not found" + exit 1 + fi +elif [[ "$clamscan_bin" =~ "/" ]] && [ "${1}" != "--remove-script" ] ; then + if [ ! -x "$clamscan_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: clamscan_bin (${clamscan_bin})is not executable" + exit 1 -# SANITY checks -# Check default Binaries & Commands are defined -if [ "$reload_dbs" == "yes" ] ; then - if [ -z "$clamd_reload_opt" ] ; then - xshok_pretty_echo_and_log "ERROR: Missing clamd_reload_opt" - exit 1 - fi + fi fi +# uname_bin if [ -z "$uname_bin" ] ; then - xshok_pretty_echo_and_log "ERROR: uname (uname_bin) not found" - exit 1 -fi -if [ -z "$clamscan_bin" ] ; then - if [ "${1}" != "--remove-script" ] ; then - xshok_pretty_echo_and_log "ERROR: clamscan binary (clamscan_bin) not found" + uname_bin="$(command -v uname 2> /dev/null)" + if [ -z "$uname_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: uname binary (uname_bin) not found" + exit 1 + fi +elif [[ "$uname_bin" =~ "/" ]] ; then + if [ ! -x "$uname_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: uname_bin (${uname_bin}) is not executable" + exit 1 + fi - exit 1 fi +# rsync_bin if [ -z "$rsync_bin" ] ; then - xshok_pretty_echo_and_log "ERROR: rsync binary (rsync_bin) not found" - exit 1 -fi -if [ -z "$curl_bin" ] ; then - if [ -z "$wget_bin" ] ; then - xshok_pretty_echo_and_log "ERROR: wget and curl binaries not found, script requires either wget or curl" - exit 1 - fi + rsync_bin="$(command -v rsync 2> /dev/null)" + if [ -z "$rsync_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: rsync binary (rsync_bin) not found" + exit 1 + fi +elif [[ "$rsync_bin" =~ "/" ]] ; then + if [ ! -x "$rsync_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: rsync_bin (${rsync_bin}) is not executable" + exit 1 + + fi fi -# Check if GPG is enabled and the binary is found -if [ "$enable_gpg" == "yes" ] ; then - if [ -z "$gpg_bin" ] ; then - if [ -x /opt/csw/bin/gpg ] ; then - gpg_bin="/opt/csw/bin/gpg" +# tar_bin +if [ -z "$tar_bin" ] ; then + # Detect support for tar or gtar + if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then + tar_bin="$(command -v gtar 2> /dev/null)" else - gpg_bin="$(command -v gpg 2> /dev/null)" + tar_bin="$(command -v tar 2> /dev/null)" + fi + if [ -z "$tar_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: tar or gtar binary (tar_bin) not found" + exit 1 fi +elif [[ "$tar_bin" =~ "/" ]] ; then + if [ ! -x "$tar_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: tar_bin (${tar_bin}) is not executable" + exit 1 + + fi +fi +# gpg_bin +if [ "$enable_gpg" == "yes" ] ; then if [ -z "$gpg_bin" ] ; then - gpg_bin="$(command -v gpg2 2> /dev/null)" + if [ -x "/opt/csw/bin/gpg" ] ; then + gpg_bin="/opt/csw/bin/gpg" + else + gpg_bin="$(command -v gpg 2> /dev/null)" + if [ -z "$gpg_bin" ] ; then + enable_gpg="no" + fi + fi + elif [[ "$gpg_bin" =~ "/" ]] ; then + if [ ! -x "$gpg_bin" ] ; then + enable_gpg="no" + fi + fi +fi +# curl_bin +if [ -z "$curl_bin" ] ; then + curl_bin="$(command -v curl 2> /dev/null)" +elif [[ "$curl_bin" =~ "/" ]] ; then + if [ ! -x "$curl_bin" ] ; then + curl_bin="" + fi +fi +# wget_bin +if [ -z "$curl_bin" ] || [ "$force_wget" == "yes" ] ; then + if [ -z "$wget_bin" ] ; then + if [ -x /usr/sfw/bin/wget ] ; then + wget_bin="/usr/sfw/bin/wget" + else + wget_bin="$(command -v wget 2> /dev/null)" + if [ -z "$wget_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: both wget (wget_bin) and curl (curl_bin) commands are missing, One of them is required" + exit 1 + fi + fi + elif [[ "$wget_bin" =~ "/" ]] ; then + if [ ! -x "$wget_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: wget_bin (${wget_bin}) is not executable" + exit 1 + + fi + fi + if [ -n "$wget_bin" ] ; then + # wget compression support + if $wget_bin --help 2> /dev/null | $grep_bin -q "compression=TYPE" 2> /dev/null ; then + wget_compression="--compression=auto" + else + wget_compression="" + fi + fi +else + wget_bin="" + wget_compression="" + force_wget="no" +fi + + +# dig_bin +if [ -z "$dig_bin" ] ; then + dig_bin="$(command -v dig 2> /dev/null)" +elif [[ "$dig_bin" =~ "/" ]] ; then + if [ ! -x "$dig_bin" ] ; then + dig_bin="" + fi +fi +# host_bin +if [ -z "$dig_bin" ] || [ "$force_host" == "yes" ] ; then + if [ -z "$host_bin" ] ; then + host_bin="$(command -v host 2> /dev/null)" + if [ -z "$host_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: both host (host_bin) and dig (dig_bin) commands are missing, One of them is required" + exit 1 + fi + elif [[ "$host_bin" =~ "/" ]] ; then + if [ ! -x "$host_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: host_bin (${host_bin}) is not executable" + exit 1 + + fi + fi +else + host_bin="" + force_host="no" +fi + + + +##################################################################################################### + + +# SANITY checks +# Check default Binaries & Commands are defined +if [ "$reload_dbs" == "yes" ] ; then + if [ -z "$clamd_reload_opt" ] ; then + xshok_pretty_echo_and_log "ERROR: Missing clamd_reload_opt" + exit 1 fi - fi - if [ -z "$gpg_bin" ] ; then - enable_gpg="no" - fi - if [ ! -x "$gpg_bin" ] ; then - enable_gpg="no" - fi fi if [ "$enable_gpg" != "yes" ] ; then xshok_pretty_echo_and_log "NOTICE: GnuPG / signature verification disabled" @@ -2099,9 +2175,9 @@ if [ "$enable_locking" == "yes" ] ; then else xshok_create_pid_file "$pid_file_fullpath" fi - else - xshok_create_pid_file "$pid_file_fullpath" - fi + else + xshok_create_pid_file "$pid_file_fullpath" + fi # Run this wehen the script exits trap -- "rm -f $pid_file_fullpath" EXIT fi @@ -2280,39 +2356,48 @@ else enable_yararules="no" fi +############################################################################################ # Generate the signature databases +############################################################################################ if [ "$sanesecurity_enabled" == "yes" ] ; then if [ -n "$sanesecurity_dbs" ] ; then if [ -n "$sanesecurity_dbs_rating" ] ; then temp_db="$(xshok_database "$sanesecurity_dbs_rating" "${sanesecurity_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$sanesecurity_dbs_rating" "${sanesecurity_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$sanesecurity_dbs_rating" "${sanesecurity_dbs[@]}")" + fi else temp_db="$(xshok_database "$default_dbs_rating" "${sanesecurity_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${sanesecurity_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${sanesecurity_dbs[@]}")" + fi fi sanesecurity_dbs=( ) if [ -n "$temp_db" ] ; then read -r -a sanesecurity_dbs <<< "$temp_db" fi fi -else +elif [ "$remove_disabled_databases" == "yes" ] ; then temp_remove_db="$(xshok_remove_database "DISABLED" "${sanesecurity_dbs[@]}")" fi sanesecurity_remove_dbs=( ) -if [ -n "$temp_remove_db" ] ; then +if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then read -r -a sanesecurity_remove_dbs <<< "$temp_remove_db" fi - ############################################################################################ if [ "$securiteinfo_enabled" == "yes" ] ; then if [ -n "$securiteinfo_dbs" ] ; then if [ -n "$securiteinfo_dbs_rating" ] ; then temp_db="$(xshok_database "$securiteinfo_dbs_rating" "${securiteinfo_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$securiteinfo_dbs_rating" "${securiteinfo_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$securiteinfo_dbs_rating" "${securiteinfo_dbs[@]}")" + fi else temp_db="$(xshok_database "$default_dbs_rating" "${securiteinfo_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${securiteinfo_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${securiteinfo_dbs[@]}")" + fi fi securiteinfo_dbs=( ) if [ -n "$temp_db" ] ; then @@ -2320,30 +2405,34 @@ if [ "$securiteinfo_enabled" == "yes" ] ; then read -r -a securiteinfo_dbs <<< "$temp_db" fi fi -else +elif [ "$remove_disabled_databases" == "yes" ] ; then temp_remove_db="$(xshok_remove_database "DISABLED" "${securiteinfo_dbs[@]}")" fi securiteinfo_remove_dbs=( ) -if [ -n "$temp_remove_db" ] ; then +if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then read -r -a securiteinfo_remove_dbs <<< "$temp_remove_db" fi if [ "$securiteinfo_enabled" == "yes" ] ; then if [ -n "$securiteinfo_premium_dbs" ] && [ "$securiteinfo_premium" == "yes" ] ; then if [ -n "$securiteinfo_dbs_rating" ] ; then temp_db="$(xshok_database "$securiteinfo_dbs_rating" "${securiteinfo_premium_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$securiteinfo_dbs_rating" "${securiteinfo_premium_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$securiteinfo_dbs_rating" "${securiteinfo_premium_dbs[@]}")" + fi else temp_db="$(xshok_database "$default_dbs_rating" "${securiteinfo_premium_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${securiteinfo_premium_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${securiteinfo_premium_dbs[@]}")" + fi fi if [ -n "$temp_db" ] ; then read -r -a securiteinfo_dbs <<< "$temp_db" fi fi -else +elif [ "$remove_disabled_databases" == "yes" ] ; then temp_remove_db="$(xshok_remove_database "DISABLED" "${securiteinfo_premium_dbs[@]}")" fi -if [ -n "$temp_remove_db" ] ; then +if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then read -r -a securiteinfo_remove_dbs <<< "$temp_remove_db" fi ############################################################################################ @@ -2351,21 +2440,25 @@ if [ "$linuxmalwaredetect_enabled" == "yes" ] ; then if [ -n "$linuxmalwaredetect_dbs" ] ; then if [ -n "$linuxmalwaredetect_dbs_rating" ] ; then temp_db="$(xshok_database "$linuxmalwaredetect_dbs_rating" "${linuxmalwaredetect_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$linuxmalwaredetect_dbs_rating" "${linuxmalwaredetect_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$linuxmalwaredetect_dbs_rating" "${linuxmalwaredetect_dbs[@]}")" + fi else temp_db="$(xshok_database "$default_dbs_rating" "${linuxmalwaredetect_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${linuxmalwaredetect_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${linuxmalwaredetect_dbs[@]}")" + fi fi linuxmalwaredetect_dbs=( ) if [ -n "$temp_db" ] ; then read -r -a linuxmalwaredetect_dbs <<< "$temp_db" fi fi -else +elif [ "$remove_disabled_databases" == "yes" ] ; then temp_remove_db="$(xshok_remove_database "DISABLED" "${linuxmalwaredetect_dbs[@]}")" fi linuxmalwaredetect_remove_dbs=( ) -if [ -n "$temp_remove_db" ] ; then +if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then read -r -a linuxmalwaredetect_remove_dbs <<< "$temp_remove_db" fi ############################################################################################ @@ -2373,21 +2466,25 @@ if [ "$interserver_enabled" == "yes" ] ; then if [ -n "$interserver_dbs" ] ; then if [ -n "$interserver_dbs_rating" ] ; then temp_db="$(xshok_database "$interserver_dbs_rating" "${interserver_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$interserver_dbs_rating" "${interserver_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$interserver_dbs_rating" "${interserver_dbs[@]}")" + fi else temp_db="$(xshok_database "$default_dbs_rating" "${interserver_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${interserver_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${interserver_dbs[@]}")" + fi fi interserver_dbs=( ) if [ -n "$temp_db" ] ; then read -r -a interserver_dbs <<< "$temp_db" fi fi -else +elif [ "$remove_disabled_databases" == "yes" ] ; then temp_remove_db="$(xshok_remove_database "DISABLED" "${interserver_dbs[@]}")" fi interserver_remove_dbs=( ) -if [ -n "$temp_remove_db" ] ; then +if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then read -r -a interserver_remove_dbs <<< "$temp_remove_db" fi ############################################################################################ @@ -2395,21 +2492,25 @@ if [ "$malwareexpert_enabled" == "yes" ] ; then if [ -n "$malwareexpert_dbs" ] ; then if [ -n "$malwareexpert_dbs_rating" ] ; then temp_db="$(xshok_database "$malwareexpert_dbs_rating" "${malwareexpert_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$malwareexpert_dbs_rating" "${malwareexpert_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$malwareexpert_dbs_rating" "${malwareexpert_dbs[@]}")" + fi else temp_db="$(xshok_database "$default_dbs_rating" "${malwareexpert_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${malwareexpert_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${malwareexpert_dbs[@]}")" + fi fi malwareexpert_dbs=( ) if [ -n "$temp_db" ] ; then read -r -a malwareexpert_dbs <<< "$temp_db" fi fi -else +elif [ "$remove_disabled_databases" == "yes" ] ; then temp_remove_db="$(xshok_remove_database "DISABLED" "${malwareexpert_dbs[@]}")" fi malwareexpert_remove_dbs=( ) -if [ -n "$temp_remove_db" ] ; then +if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then read -r -a malwareexpert_remove_dbs <<< "$temp_remove_db" fi ############################################################################################ @@ -2417,35 +2518,40 @@ if [ "$yararulesproject_enabled" == "yes" ] ; then if [ -n "$yararulesproject_dbs" ] ; then if [ -n "$yararulesproject_dbs_rating" ] ; then temp_db="$(xshok_database "$yararulesproject_dbs_rating" "${yararulesproject_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$yararulesproject_dbs_rating" "${yararulesproject_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$yararulesproject_dbs_rating" "${yararulesproject_dbs[@]}")" + fi else temp_db="$(xshok_database "$default_dbs_rating" "${yararulesproject_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${yararulesproject_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${yararulesproject_dbs[@]}")" + fi fi yararulesproject_dbs=( ) if [ -n "$temp_db" ] ; then read -r -a yararulesproject_dbs <<< "$temp_db" fi fi -else +elif [ "$remove_disabled_databases" == "yes" ] ; then temp_remove_db="$(xshok_remove_database "DISABLED" "${yararulesproject_dbs[@]}")" fi yararulesproject_remove_dbs=( ) -if [ -n "$temp_remove_db" ] ; then +if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then read -r -a yararulesproject_remove_dbs <<< "$temp_remove_db" fi - - - ############################################################################################ if [ "$urlhaus_enabled" == "yes" ] ; then if [ -n "$urlhaus_dbs" ] ; then if [ -n "$urlhaus_dbs_rating" ] ; then temp_db="$(xshok_database "$urlhaus_dbs_rating" "${urlhaus_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$urlhaus_dbs_rating" "${urlhaus_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$urlhaus_dbs_rating" "${urlhaus_dbs[@]}")" + fi else temp_db="$(xshok_database "$default_dbs_rating" "${urlhaus_dbs[@]}")" - temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${urlhaus_dbs[@]}")" + if [ "$remove_disabled_databases" == "yes" ] ; then + temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${urlhaus_dbs[@]}")" + fi fi urlhaus_dbs=( ) if [ -n "$temp_db" ] ; then @@ -2453,11 +2559,11 @@ if [ "$urlhaus_enabled" == "yes" ] ; then read -r -a urlhaus_dbs <<< "$temp_db" fi fi -else +elif [ "$remove_disabled_databases" == "yes" ] ; then temp_remove_db="$(xshok_remove_database "DISABLED" "${urlhaus_dbs[@]}")" fi urlhaus_remove_dbs=( ) -if [ -n "$temp_remove_db" ] ; then +if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then read -r -a urlhaus_remove_dbs <<< "$temp_remove_db" fi ############################################################################################ @@ -2483,112 +2589,114 @@ if [ "$malwarepatrol_enabled" == "yes" ] ; then malwarepatrol_db="malwarepatrol.db" fi malwarepatrol_url="${malwarepatrol_url}?receipt=${malwarepatrol_receipt_code}&product=${malwarepatrol_product_code}&list=${malwarepatrol_list}" -else +elif [ "$remove_disabled_databases" == "yes" ] ; then malwarepatrol_remove_dbs=( "malwarepatrol.db" ) fi ############################################################################################ # CLEANUP UNUSED DATABASES, eg when downgrading a database rating or disabling a database -if [ -n "${sanesecurity_remove_dbs[0]}" ] ; then - for db_file in "${sanesecurity_remove_dbs[@]}" ; do - if [ -f "${work_dir_sanesecurity}/${db_file}" ] ; then - echo "Removing unused file: ${work_dir_sanesecurity}/${db_file}" - rm -f "${work_dir_sanesecurity}/${db_file}" - fi - if [ -f "${clam_dbs}/${db_file}" ] ; then - echo "Removing unused file: ${clam_dbs}/${db_file}" - rm -f "${clam_dbs}/${db_file}" - fi - done -fi -if [ -n "${securiteinfo_remove_dbs[0]}" ] ; then - for db_file in "${securiteinfo_remove_dbs[@]}" ; do - if [ -f "${work_dir_securiteinfo}/${db_file}" ] ; then - echo "Removing unused file: ${work_dir_securiteinfo}/${db_file}" - rm -f "${work_dir_securiteinfo}/${db_file}" - fi - if [ -f "${clam_dbs}/${db_file}" ] ; then - echo "Removing unused file: ${clam_dbs}/${db_file}" - rm -f "${clam_dbs}/${db_file}" - fi - done -fi -if [ -n "${linuxmalwaredetect_remove_dbs[0]}" ] ; then - for db_file in "${linuxmalwaredetect_remove_dbs[@]}" ; do - if [ -f "${work_dir_linuxmalwaredetect}/${db_file}" ] ; then - echo "Removing unused file: ${work_dir_linuxmalwaredetect}/${db_file}" - rm -f "${work_dir_linuxmalwaredetect}/${db_file}" - fi - if [ -f "${clam_dbs}/${db_file}" ] ; then - echo "Removing unused file: ${clam_dbs}/${db_file}" - rm -f "${clam_dbs}/${db_file}" - fi - done -fi -if [ -n "${interserver_remove_dbs[0]}" ] ; then - for db_file in "${interserver_remove_dbs[@]}" ; do - if [ -f "${work_dir_interserver}/${db_file}" ] ; then - echo "Removing unused file: ${work_dir_interserver}/${db_file}" - rm -f "${work_dir_interserver}/${db_file}" - fi - if [ -f "${clam_dbs}/${db_file}" ] ; then - echo "Removing unused file: ${clam_dbs}/${db_file}" - rm -f "${clam_dbs}/${db_file}" - fi - done -fi -if [ -n "${malwareexpert_remove_dbs[0]}" ] ; then - for db_file in "${malwareexpert_remove_dbs[@]}" ; do - if [ -f "${work_dir_malwareexpert}/${db_file}" ] ; then - echo "Removing unused file: ${work_dir_malwareexpert}/${db_file}" - rm -f "${work_dir_malwareexpert}/${db_file}" +if [ "$remove_disabled_databases" == "yes" ] ; then + if [ -n "${sanesecurity_remove_dbs[0]}" ] ; then + for db_file in "${sanesecurity_remove_dbs[@]}" ; do + if [ -f "${work_dir_sanesecurity}/${db_file}" ] ; then + echo "Removing unused file: ${work_dir_sanesecurity}/${db_file}" + rm -f "${work_dir_sanesecurity}/${db_file}" + fi + if [ -f "${clam_dbs}/${db_file}" ] ; then + echo "Removing unused file: ${clam_dbs}/${db_file}" + rm -f "${clam_dbs}/${db_file}" + fi + done fi - if [ -f "${clam_dbs}/${db_file}" ] ; then - echo "Removing unused file: ${clam_dbs}/${db_file}" - rm -f "${clam_dbs}/${db_file}" + if [ -n "${securiteinfo_remove_dbs[0]}" ] ; then + for db_file in "${securiteinfo_remove_dbs[@]}" ; do + if [ -f "${work_dir_securiteinfo}/${db_file}" ] ; then + echo "Removing unused file: ${work_dir_securiteinfo}/${db_file}" + rm -f "${work_dir_securiteinfo}/${db_file}" + fi + if [ -f "${clam_dbs}/${db_file}" ] ; then + echo "Removing unused file: ${clam_dbs}/${db_file}" + rm -f "${clam_dbs}/${db_file}" + fi + done fi - done -fi -if [ -n "${yararulesproject_remove_dbs[0]}" ] ; then - for db_file in "${yararulesproject_remove_dbs[@]}" ; do - if echo "$db_file" | $grep_bin -q "/" ; then - yr_dir="/$(echo "$db_file" | cut -d "/" -f 1)" - db_file="$(echo "$db_file" | cut -d "/" -f 2)" - else - yr_dir="" - fi - if [ -f "${work_dir_yararulesproject}/${yr_dir}${db_file}" ] ; then - echo "Removing unused file: ${work_dir_yararulesproject}/${db_file}" - rm -f "${work_dir_yararulesproject}/${db_file}" + if [ -n "${linuxmalwaredetect_remove_dbs[0]}" ] ; then + for db_file in "${linuxmalwaredetect_remove_dbs[@]}" ; do + if [ -f "${work_dir_linuxmalwaredetect}/${db_file}" ] ; then + echo "Removing unused file: ${work_dir_linuxmalwaredetect}/${db_file}" + rm -f "${work_dir_linuxmalwaredetect}/${db_file}" + fi + if [ -f "${clam_dbs}/${db_file}" ] ; then + echo "Removing unused file: ${clam_dbs}/${db_file}" + rm -f "${clam_dbs}/${db_file}" + fi + done fi - if [ -f "${clam_dbs}/${db_file}" ] ; then - echo "Removing unused file: ${clam_dbs}/${db_file}" - rm -f "${clam_dbs}/${db_file}" + if [ -n "${interserver_remove_dbs[0]}" ] ; then + for db_file in "${interserver_remove_dbs[@]}" ; do + if [ -f "${work_dir_interserver}/${db_file}" ] ; then + echo "Removing unused file: ${work_dir_interserver}/${db_file}" + rm -f "${work_dir_interserver}/${db_file}" + fi + if [ -f "${clam_dbs}/${db_file}" ] ; then + echo "Removing unused file: ${clam_dbs}/${db_file}" + rm -f "${clam_dbs}/${db_file}" + fi + done fi - done -fi -if [ -n "${urlhaus_remove_dbs[0]}" ] ; then - for db_file in "${urlhaus_remove_dbs[@]}" ; do - if [ -f "${work_dir_urlhaus}/${db_file}" ] ; then - echo "Removing unused file: ${work_dir_urlhaus}/${db_file}" - rm -f "${work_dir_urlhaus}/${db_file}" + if [ -n "${malwareexpert_remove_dbs[0]}" ] ; then + for db_file in "${malwareexpert_remove_dbs[@]}" ; do + if [ -f "${work_dir_malwareexpert}/${db_file}" ] ; then + echo "Removing unused file: ${work_dir_malwareexpert}/${db_file}" + rm -f "${work_dir_malwareexpert}/${db_file}" + fi + if [ -f "${clam_dbs}/${db_file}" ] ; then + echo "Removing unused file: ${clam_dbs}/${db_file}" + rm -f "${clam_dbs}/${db_file}" + fi + done fi - if [ -f "${clam_dbs}/${db_file}" ] ; then - echo "Removing unused file: ${clam_dbs}/${db_file}" - rm -f "${clam_dbs}/${db_file}" + if [ -n "${yararulesproject_remove_dbs[0]}" ] ; then + for db_file in "${yararulesproject_remove_dbs[@]}" ; do + if echo "$db_file" | $grep_bin -q "/" ; then + yr_dir="/$(echo "$db_file" | cut -d "/" -f 1)" + db_file="$(echo "$db_file" | cut -d "/" -f 2)" + else + yr_dir="" + fi + if [ -f "${work_dir_yararulesproject}/${yr_dir}${db_file}" ] ; then + echo "Removing unused file: ${work_dir_yararulesproject}/${db_file}" + rm -f "${work_dir_yararulesproject}/${db_file}" + fi + if [ -f "${clam_dbs}/${db_file}" ] ; then + echo "Removing unused file: ${clam_dbs}/${db_file}" + rm -f "${clam_dbs}/${db_file}" + fi + done fi - done -fi -if [ -n "${malwarepatrol_remove_dbs[0]}" ] ; then - for db_file in "${malwarepatrol_remove_dbs[@]}" ; do - if [ -f "${work_dir_malwarepatrol}/${db_file}" ] ; then - echo "Removing unused file: ${work_dir_malwarepatrol}/${db_file}" - rm -f "${work_dir_malwarepatrol}/${db_file}" + if [ -n "${urlhaus_remove_dbs[0]}" ] ; then + for db_file in "${urlhaus_remove_dbs[@]}" ; do + if [ -f "${work_dir_urlhaus}/${db_file}" ] ; then + echo "Removing unused file: ${work_dir_urlhaus}/${db_file}" + rm -f "${work_dir_urlhaus}/${db_file}" + fi + if [ -f "${clam_dbs}/${db_file}" ] ; then + echo "Removing unused file: ${clam_dbs}/${db_file}" + rm -f "${clam_dbs}/${db_file}" + fi + done fi - if [ -f "${clam_dbs}/${db_file}" ] ; then - echo "Removing unused file: ${clam_dbs}/${db_file}" - rm -f "${clam_dbs}/${db_file}" + if [ -n "${malwarepatrol_remove_dbs[0]}" ] ; then + for db_file in "${malwarepatrol_remove_dbs[@]}" ; do + if [ -f "${work_dir_malwarepatrol}/${db_file}" ] ; then + echo "Removing unused file: ${work_dir_malwarepatrol}/${db_file}" + rm -f "${work_dir_malwarepatrol}/${db_file}" + fi + if [ -f "${clam_dbs}/${db_file}" ] ; then + echo "Removing unused file: ${clam_dbs}/${db_file}" + rm -f "${clam_dbs}/${db_file}" + fi + done fi - done fi ############################################################################################ @@ -2631,16 +2739,17 @@ fi # Check to see if the working directories have been created. If not, create them. Otherwise, ignore and proceed with script. xshok_mkdir_ownership "$work_dir" -xshok_mkdir_ownership "$work_dir_securiteinfo" -xshok_mkdir_ownership "$work_dir_malwarepatrol" -xshok_mkdir_ownership "$work_dir_linuxmalwaredetect" +xshok_mkdir_ownership "$work_dir_gpg" +xshok_mkdir_ownership "$work_dir_add" +xshok_mkdir_ownership "$work_dir_pid" xshok_mkdir_ownership "$work_dir_interserver" +xshok_mkdir_ownership "$work_dir_linuxmalwaredetect" xshok_mkdir_ownership "$work_dir_malwareexpert" +xshok_mkdir_ownership "$work_dir_malwarepatrol" xshok_mkdir_ownership "$work_dir_sanesecurity" -xshok_mkdir_ownership "$work_dir_yararulesproject" +xshok_mkdir_ownership "$work_dir_securiteinfo" xshok_mkdir_ownership "$work_dir_work_configs" -xshok_mkdir_ownership "${work_dir_gpg}" -xshok_mkdir_ownership "$work_dir_add" +xshok_mkdir_ownership "$work_dir_yararulesproject" # Set secured access permissions to the GPG directory perms chmod -f 0700 "${work_dir_gpg}" @@ -2879,30 +2988,42 @@ if [ "$sanesecurity_enabled" == "yes" ] ; then echo "$current_time" > "${work_dir_work_configs}/last-ss-update.txt" xshok_pretty_echo_and_log "Sanesecurity Database & GPG Signature File Updates" "=" xshok_pretty_echo_and_log "Checking for Sanesecurity updates..." - if [ -n "$dig_bin" ] ; then - # shellcheck disable=SC2086 + if [ -n "$dig_bin" ] ; then + # shellcheck disable=SC2086 sanesecurity_mirror_ips="$($dig_bin $dig_proxy +ignore +short "$sanesecurity_url")" - else - sanesecurity_mirror_ips="" - fi - # Add fallback to host if dig returns no records or dig is not used + else + # shellcheck disable=SC2086 + sanesecurity_mirror_ips="$($host_bin $host_proxy -t A "$sanesecurity_url" | $sed_bin -n '/has address/{s/.*address \([^ ]*\).*/\1/;p;}')" + fi + # Add fallback if no records are returned if [ ${#sanesecurity_mirror_ips} -lt 1 ] ; then - # shellcheck disable=SC2086 - sanesecurity_mirror_ips="$($host_bin $host_proxy -t A "$sanesecurity_url" | $sed_bin -n '/has address/{s/.*address \([^ ]*\).*/\1/;p;}')" + if [ -n "$dig_bin" ] ; then + # shellcheck disable=SC2086 + sanesecurity_mirror_ips="$($dig_bin $dig_proxy +ignore +short "$sanesecurity_url")" + else + # shellcheck disable=SC2086 + sanesecurity_mirror_ips="$($host_bin $host_proxy -t A "$sanesecurity_url" | $sed_bin -n '/has address/{s/.*address \([^ ]*\).*/\1/;p;}')" + fi fi if [ ${#sanesecurity_mirror_ips} -ge 1 ] ; then for sanesecurity_mirror_ip in $sanesecurity_mirror_ips ; do - if [ -n "$dig_bin" ] ; then - # shellcheck disable=SC2086 + if [ -n "$dig_bin" ] ; then + # shellcheck disable=SC2086 sanesecurity_mirror_name="$($dig_bin $dig_proxy +short -x "$sanesecurity_mirror_ip" | command "$sed_bin" 's/\.$//')" - else - sanesecurity_mirror_name="" - fi - # Add fallback to host if dig returns no records or dig is not used + else + # shellcheck disable=SC2086 + sanesecurity_mirror_name="$($host_bin $host_proxy -t A "$sanesecurity_mirror_ip" | $sed_bin -n '/name pointer/{s/.*pointer \([^ ]*\).*\.$/\1/;p;}')" + fi + # Add fallback if no records are returned if [ -z "$sanesecurity_mirror_name" ] ; then - # shellcheck disable=SC2086 - sanesecurity_mirror_name="$($host_bin $host_proxy "$sanesecurity_mirror_ip" | $sed_bin -n '/name pointer/{s/.*pointer \([^ ]*\).*\.$/\1/;p;}')" + if [ -n "$dig_bin" ] ; then + # shellcheck disable=SC2086 + sanesecurity_mirror_name="$($dig_bin $dig_proxy +short -x "$sanesecurity_mirror_ip" | command "$sed_bin" 's/\.$//')" + else + # shellcheck disable=SC2086 + sanesecurity_mirror_name="$($host_bin $host_proxy -t A "$sanesecurity_mirror_ip" | $sed_bin -n '/name pointer/{s/.*pointer \([^ ]*\).*\.$/\1/;p;}')" + fi fi sanesecurity_mirror_site_info="$sanesecurity_mirror_name $sanesecurity_mirror_ip" xshok_pretty_echo_and_log "Sanesecurity mirror site used: ${sanesecurity_mirror_site_info}" diff --git a/config/master.conf b/config/master.conf index be6de532..4a7fb8b2 100644 --- a/config/master.conf +++ b/config/master.conf @@ -431,7 +431,6 @@ cve_rules/CVE-2018-4878.yar|MEDIUM email/bank_rule.yar|MEDIUM email/EMAIL_Cryptowall.yar|MEDIUM email/Email_fake_it_maintenance_bulletin.yar|MEDIUM -email/Email_generic_phishing.yar|MEDIUM email/Email_quota_limit_warning.yar|MEDIUM email/email_Ukraine_BE_powerattack.yar|MEDIUM email/scam.yar|MEDIUM @@ -439,16 +438,17 @@ email/scam.yar|MEDIUM packers/JJencode.yar|MEDIUM # HIGH # Used with documents to find if they have been crafted to leverage malicious code. +email/Email_generic_phishing.yar|HIGH maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH maldocs/Maldoc_APT10_MenuPass.yar|HIGH -maldocs/Maldoc_APT19_CVE-2017-1099.yar|HIGH +maldocs/Maldoc_APT19_CVE-2017-0199.yar|HIGH maldocs/Maldoc_Contains_VBE_File.yar|HIGH maldocs/Maldoc_CVE_2017_11882.yar|HIGH maldocs/Maldoc_CVE_2017_8759.yar|HIGH maldocs/Maldoc_CVE-2017-0199.yar|HIGH maldocs/Maldoc_DDE.yar|HIGH maldocs/Maldoc_Dridex.yar|HIGH -maldocs/Maldoc_hancitor_dropper|HIGH +maldocs/Maldoc_hancitor_dropper.yar|HIGH maldocs/Maldoc_Hidden_PE_file.yar|HIGH maldocs/Maldoc_malrtf_ole2link.yar|HIGH maldocs/Maldoc_MIME_ActiveMime_b64.yar|HIGH @@ -583,10 +583,15 @@ min_sleep_time="60" # Default minimum is 60 seconds (1 minute). #tar_bin="/usr/bin/tar" #uname_bin="/usr/bin/uname" #wget_bin="/usr/bin/wget" +#dig_bin="usr/bin/dig" +#host_bin="/usr/bin/host" # force wget, by default curl is used when curl and wget is present. force_wget="no" +# force host, by default dig is used when dig and host is present. +force_host="no" + # GnuPG / Signature verification # To disable usage of gpg, set the following variable to "no". # If gpg_bin cannot be found, enable_gpg will automatically disable @@ -648,7 +653,7 @@ keep_db_backup="no" remove_bad_database="yes" # When a database is disabled we will remove the associated database files. -remove_disabled_databases="no" # Default is "no" since we are not a database managament tool by default. +remove_disabled_databases="yes" # Default is "yes" # Enable SELinux fixes, ie. running restorecon on the database files. # **Run the following command as root to enable clamav selinux support** @@ -731,7 +736,7 @@ yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master" # ======================== # DO NOT EDIT ! -config_version="94" +config_version="95" ################################################################################ # diff --git a/config/user.conf b/config/user.conf index 8e957456..6b75b7bd 100644 --- a/config/user.conf +++ b/config/user.conf @@ -21,6 +21,9 @@ # Please note, it is your responsibility to manage the contents of this file. # Values provided here are just examples, feel free to use any values from the main config file. +# When a database is disabled we will remove the associated database files. +# remove_disabled_databases="yes" # Default is "yes" + # Malware Expert 2020 (non-free) clamav signatures # set to no to enable the commercial subscription databases #malwareexpert_serial_key="YOUR-SERIAL-KEY"