From 2a2422c18d4c25c4811559d19c9cdf4bf20f19f4 Mon Sep 17 00:00:00 2001
From: eXtremeSHOK
Date: Sun, 13 Dec 2020 03:09:18 +0200
Subject: [PATCH 01/11] change yararule email/Email_generic_phishing.yar to HIGH fixes #344
---
config/master.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/master.conf b/config/master.conf
index be6de532..fb7fef00 100644
--- a/config/master.conf
+++ b/config/master.conf
@@ -431,7 +431,6 @@ cve_rules/CVE-2018-4878.yar|MEDIUM
 email/bank_rule.yar|MEDIUM
 email/EMAIL_Cryptowall.yar|MEDIUM
 email/Email_fake_it_maintenance_bulletin.yar|MEDIUM
-email/Email_generic_phishing.yar|MEDIUM
 email/Email_quota_limit_warning.yar|MEDIUM
 email/email_Ukraine_BE_powerattack.yar|MEDIUM
 email/scam.yar|MEDIUM
@@ -439,6 +438,7 @@ email/scam.yar|MEDIUM
 packers/JJencode.yar|MEDIUM
 # HIGH
 # Used with documents to find if they have been crafted to leverage malicious code.
+email/Email_generic_phishing.yar|HIGH
 maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH
 maldocs/Maldoc_APT10_MenuPass.yar|HIGH
 maldocs/Maldoc_APT19_CVE-2017-1099.yar|HIGH
From 4194150bb94801aaaae0f37556b44b7b8b81d8cc Mon Sep 17 00:00:00 2001
From: eXtremeSHOK
Date: Sun, 13 Dec 2020 08:02:57 +0200
Subject: [PATCH 02/11] Fix Disabled databases removed when "$remove_disabled_databases" is set to "no" fixes #345
---
README.md | 5 +
clamav-unofficial-sigs.sh | 294 +++++++++++++++++++++----------------
2 files changed, 168 insertions(+), 131 deletions(-)
diff --git a/README.md b/README.md
index 1d02c3e3..1d8b0ea1 100644
--- a/README.md
+++ b/README.md
@@ -220,6 +220,11 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE]
 ## Change Log
+### Version 7.2.1 (XX December 2020)
+
+* Fix Disabled databases removed when "$remove_disabled_databases" is set to "no"
+* Change yararule email/Email_generic_phishing.yar to HIGH
+
 ### Version 7.2 (07 December 2020)
 * Database rating downgrades are now supported, eg, changing from HIGH to LOW will remove the HIGH and MEDIUM rated databases.
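Review bot: The relocated `email/Email_generic_phishing.yar|HIGH` line sits directly under `# Used with documents to find if they have been crafted to leverage malicious code.`, a comment that introduces the `maldocs/` group, so the HIGH section now reads as if the phishing rule were a document rule. Moving it after the last `maldocs/` entry, or giving it its own one-line comment such as `# email phishing heuristics, rated HIGH (see #344)`, keeps the grouping honest; the reason for the upgrade is otherwise recorded only in the issue number.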
diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
index 13b47a9d..a3e9c29f 100644
--- a/clamav-unofficial-sigs.sh
+++ b/clamav-unofficial-sigs.sh
@@ -1619,7 +1619,7 @@ else
 xshok_pretty_echo_and_log "WARNING: ${config_dir}/user.conf is not readable"
 fi
-# Solaris command -v function returns garbage when the program is not found
+# Solaris command -v function returns garbage when the program is not found k
 # only define the new command -v function if running under Solaris
 if [ "$(uname -s)" == "SunOS" ] ; then
 function which() {
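Review bot: The rewritten comment line picks up a stray trailing `k` — `+# Solaris command -v function returns garbage when the program is not found k` — which looks like an accidental keystroke rather than an intended edit, and it is this hunk's only change. It should be dropped and the line restored to `# Solaris command -v function returns garbage when the program is not found`. The `which()` function this comment introduces continues outside the hunk.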
@@ -2280,39 +2280,48 @@ else
 enable_yararules="no"
 fi
+############################################################################################
 # Generate the signature databases
+############################################################################################
 if [ "$sanesecurity_enabled" == "yes" ] ; then
 if [ -n "$sanesecurity_dbs" ] ; then
 if [ -n "$sanesecurity_dbs_rating" ] ; then
 temp_db="$(xshok_database "$sanesecurity_dbs_rating" "${sanesecurity_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$sanesecurity_dbs_rating" "${sanesecurity_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$sanesecurity_dbs_rating" "${sanesecurity_dbs[@]}")"
+ fi
 else
 temp_db="$(xshok_database "$default_dbs_rating" "${sanesecurity_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${sanesecurity_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${sanesecurity_dbs[@]}")"
+ fi
 fi
 sanesecurity_dbs=( )
 if [ -n "$temp_db" ] ; then
 read -r -a sanesecurity_dbs <<< "$temp_db"
 fi
 fi
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 temp_remove_db="$(xshok_remove_database "DISABLED" "${sanesecurity_dbs[@]}")"
 fi
 sanesecurity_remove_dbs=( )
-if [ -n "$temp_remove_db" ] ; then
+if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then
 read -r -a sanesecurity_remove_dbs <<< "$temp_remove_db"
 fi
-
 ############################################################################################
 if [ "$securiteinfo_enabled" == "yes" ] ; then
 if [ -n "$securiteinfo_dbs" ] ; then
 if [ -n "$securiteinfo_dbs_rating" ] ; then
 temp_db="$(xshok_database "$securiteinfo_dbs_rating" "${securiteinfo_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$securiteinfo_dbs_rating" "${securiteinfo_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$securiteinfo_dbs_rating" "${securiteinfo_dbs[@]}")"
+ fi
 else
 temp_db="$(xshok_database "$default_dbs_rating" "${securiteinfo_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${securiteinfo_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${securiteinfo_dbs[@]}")"
+ fi
 fi
 securiteinfo_dbs=( )
 if [ -n "$temp_db" ] ; then
@@ -2320,30 +2329,34 @@ if [ "$securiteinfo_enabled" == "yes" ] ; then
 read -r -a securiteinfo_dbs <<< "$temp_db"
 fi
 fi
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 temp_remove_db="$(xshok_remove_database "DISABLED" "${securiteinfo_dbs[@]}")"
 fi
 securiteinfo_remove_dbs=( )
-if [ -n "$temp_remove_db" ] ; then
+if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then
 read -r -a securiteinfo_remove_dbs <<< "$temp_remove_db"
 fi
 if [ "$securiteinfo_enabled" == "yes" ] ; then
 if [ -n "$securiteinfo_premium_dbs" ] && [ "$securiteinfo_premium" == "yes" ] ; then
 if [ -n "$securiteinfo_dbs_rating" ] ; then
 temp_db="$(xshok_database "$securiteinfo_dbs_rating" "${securiteinfo_premium_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$securiteinfo_dbs_rating" "${securiteinfo_premium_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$securiteinfo_dbs_rating" "${securiteinfo_premium_dbs[@]}")"
+ fi
 else
 temp_db="$(xshok_database "$default_dbs_rating" "${securiteinfo_premium_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${securiteinfo_premium_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${securiteinfo_premium_dbs[@]}")"
+ fi
 fi
 if [ -n "$temp_db" ] ; then
 read -r -a securiteinfo_dbs <<< "$temp_db"
 fi
 fi
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 temp_remove_db="$(xshok_remove_database "DISABLED" "${securiteinfo_premium_dbs[@]}")"
 fi
-if [ -n "$temp_remove_db" ] ; then
+if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then
 read -r -a securiteinfo_remove_dbs <<< "$temp_remove_db"
 fi
 ############################################################################################
@@ -2351,21 +2364,25 @@ if [ "$linuxmalwaredetect_enabled" == "yes" ] ; then
 if [ -n "$linuxmalwaredetect_dbs" ] ; then
 if [ -n "$linuxmalwaredetect_dbs_rating" ] ; then
 temp_db="$(xshok_database "$linuxmalwaredetect_dbs_rating" "${linuxmalwaredetect_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$linuxmalwaredetect_dbs_rating" "${linuxmalwaredetect_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$linuxmalwaredetect_dbs_rating" "${linuxmalwaredetect_dbs[@]}")"
+ fi
 else
 temp_db="$(xshok_database "$default_dbs_rating" "${linuxmalwaredetect_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${linuxmalwaredetect_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${linuxmalwaredetect_dbs[@]}")"
+ fi
 fi
 linuxmalwaredetect_dbs=( )
 if [ -n "$temp_db" ] ; then
 read -r -a linuxmalwaredetect_dbs <<< "$temp_db"
 fi
 fi
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 temp_remove_db="$(xshok_remove_database "DISABLED" "${linuxmalwaredetect_dbs[@]}")"
 fi
 linuxmalwaredetect_remove_dbs=( )
-if [ -n "$temp_remove_db" ] ; then
+if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then
 read -r -a linuxmalwaredetect_remove_dbs <<< "$temp_remove_db"
 fi
 ############################################################################################
@@ -2373,21 +2390,25 @@ if [ "$interserver_enabled" == "yes" ] ; then
 if [ -n "$interserver_dbs" ] ; then
 if [ -n "$interserver_dbs_rating" ] ; then
 temp_db="$(xshok_database "$interserver_dbs_rating" "${interserver_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$interserver_dbs_rating" "${interserver_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$interserver_dbs_rating" "${interserver_dbs[@]}")"
+ fi
 else
 temp_db="$(xshok_database "$default_dbs_rating" "${interserver_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${interserver_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${interserver_dbs[@]}")"
+ fi
 fi
 interserver_dbs=( )
 if [ -n "$temp_db" ] ; then
 read -r -a interserver_dbs <<< "$temp_db"
 fi
 fi
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 temp_remove_db="$(xshok_remove_database "DISABLED" "${interserver_dbs[@]}")"
 fi
 interserver_remove_dbs=( )
-if [ -n "$temp_remove_db" ] ; then
+if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then
 read -r -a interserver_remove_dbs <<< "$temp_remove_db"
 fi
 ############################################################################################
@@ -2395,21 +2416,25 @@ if [ "$malwareexpert_enabled" == "yes" ] ; then
 if [ -n "$malwareexpert_dbs" ] ; then
 if [ -n "$malwareexpert_dbs_rating" ] ; then
 temp_db="$(xshok_database "$malwareexpert_dbs_rating" "${malwareexpert_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$malwareexpert_dbs_rating" "${malwareexpert_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$malwareexpert_dbs_rating" "${malwareexpert_dbs[@]}")"
+ fi
 else
 temp_db="$(xshok_database "$default_dbs_rating" "${malwareexpert_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${malwareexpert_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${malwareexpert_dbs[@]}")"
+ fi
 fi
 malwareexpert_dbs=( )
 if [ -n "$temp_db" ] ; then
 read -r -a malwareexpert_dbs <<< "$temp_db"
 fi
 fi
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 temp_remove_db="$(xshok_remove_database "DISABLED" "${malwareexpert_dbs[@]}")"
 fi
 malwareexpert_remove_dbs=( )
-if [ -n "$temp_remove_db" ] ; then
+if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then
 read -r -a malwareexpert_remove_dbs <<< "$temp_remove_db"
 fi
 ############################################################################################
@@ -2417,35 +2442,40 @@ if [ "$yararulesproject_enabled" == "yes" ] ; then
 if [ -n "$yararulesproject_dbs" ] ; then
 if [ -n "$yararulesproject_dbs_rating" ] ; then
 temp_db="$(xshok_database "$yararulesproject_dbs_rating" "${yararulesproject_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$yararulesproject_dbs_rating" "${yararulesproject_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$yararulesproject_dbs_rating" "${yararulesproject_dbs[@]}")"
+ fi
 else
 temp_db="$(xshok_database "$default_dbs_rating" "${yararulesproject_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${yararulesproject_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${yararulesproject_dbs[@]}")"
+ fi
 fi
 yararulesproject_dbs=( )
 if [ -n "$temp_db" ] ; then
 read -r -a yararulesproject_dbs <<< "$temp_db"
 fi
 fi
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 temp_remove_db="$(xshok_remove_database "DISABLED" "${yararulesproject_dbs[@]}")"
 fi
 yararulesproject_remove_dbs=( )
-if [ -n "$temp_remove_db" ] ; then
+if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then
 read -r -a yararulesproject_remove_dbs <<< "$temp_remove_db"
 fi
-
-
-
 ############################################################################################
 if [ "$urlhaus_enabled" == "yes" ] ; then
 if [ -n "$urlhaus_dbs" ] ; then
 if [ -n "$urlhaus_dbs_rating" ] ; then
 temp_db="$(xshok_database "$urlhaus_dbs_rating" "${urlhaus_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$urlhaus_dbs_rating" "${urlhaus_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$urlhaus_dbs_rating" "${urlhaus_dbs[@]}")"
+ fi
 else
 temp_db="$(xshok_database "$default_dbs_rating" "${urlhaus_dbs[@]}")"
- temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${urlhaus_dbs[@]}")"
+ if [ "$remove_disabled_databases" == "yes" ] ; then
+ temp_remove_db="$(xshok_remove_database "$default_dbs_rating" "${urlhaus_dbs[@]}")"
+ fi
 fi
 urlhaus_dbs=( )
 if [ -n "$temp_db" ] ; then
@@ -2453,11 +2483,11 @@ if [ "$urlhaus_enabled" == "yes" ] ; then
 read -r -a urlhaus_dbs <<< "$temp_db"
 fi
 fi
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 temp_remove_db="$(xshok_remove_database "DISABLED" "${urlhaus_dbs[@]}")"
 fi
 urlhaus_remove_dbs=( )
-if [ -n "$temp_remove_db" ] ; then
+if [ -n "$temp_remove_db" ] && [ "$remove_disabled_databases" == "yes" ] ; then
 read -r -a urlhaus_remove_dbs <<< "$temp_remove_db"
 fi
 ############################################################################################
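Review bot: The premium block's final `read -r -a securiteinfo_remove_dbs <<< "$temp_remove_db"` overwrites the array the non-premium block filled a few lines earlier, so when securiteinfo is disabled with `remove_disabled_databases="yes"` the `DISABLED` list computed from `securiteinfo_dbs` is discarded and only `securiteinfo_premium_dbs` entries reach the cleanup loop — the free databases are left installed. The same pattern in the enabled branch replaces `securiteinfo_dbs` with the premium list rather than extending it, which may be intended if the premium list is a superset, but that is not visible here. Appending instead of replacing fixes the removal case: `read -r -a securiteinfo_premium_remove_dbs <<< "$temp_remove_db"` followed by `securiteinfo_remove_dbs+=( "${securiteinfo_premium_remove_dbs[@]}" )`.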
@@ -2483,112 +2513,114 @@ if [ "$malwarepatrol_enabled" == "yes" ] ; then
 malwarepatrol_db="malwarepatrol.db"
 fi
 malwarepatrol_url="${malwarepatrol_url}?receipt=${malwarepatrol_receipt_code}&product=${malwarepatrol_product_code}&list=${malwarepatrol_list}"
-else
+elif [ "$remove_disabled_databases" == "yes" ] ; then
 malwarepatrol_remove_dbs=( "malwarepatrol.db" )
 fi
 ############################################################################################
 # CLEANUP UNUSED DATABASES, eg when downgrading a database rating or disabling a database
-if [ -n "${sanesecurity_remove_dbs[0]}" ] ; then
- for db_file in "${sanesecurity_remove_dbs[@]}" ; do
- if [ -f "${work_dir_sanesecurity}/${db_file}" ] ; then
- echo "Removing unused file: ${work_dir_sanesecurity}/${db_file}"
- rm -f "${work_dir_sanesecurity}/${db_file}"
- fi
- if [ -f "${clam_dbs}/${db_file}" ] ; then
- echo "Removing unused file: ${clam_dbs}/${db_file}"
- rm -f "${clam_dbs}/${db_file}"
- fi
- done
-fi
-if [ -n "${securiteinfo_remove_dbs[0]}" ] ; then
- for db_file in "${securiteinfo_remove_dbs[@]}" ; do
- if [ -f "${work_dir_securiteinfo}/${db_file}" ] ; then
- echo "Removing unused file: ${work_dir_securiteinfo}/${db_file}"
- rm -f "${work_dir_securiteinfo}/${db_file}"
- fi
- if [ -f "${clam_dbs}/${db_file}" ] ; then
- echo "Removing unused file: ${clam_dbs}/${db_file}"
- rm -f "${clam_dbs}/${db_file}"
- fi
- done
-fi
-if [ -n "${linuxmalwaredetect_remove_dbs[0]}" ] ; then
- for db_file in "${linuxmalwaredetect_remove_dbs[@]}" ; do
- if [ -f "${work_dir_linuxmalwaredetect}/${db_file}" ] ; then
- echo "Removing unused file: ${work_dir_linuxmalwaredetect}/${db_file}"
- rm -f "${work_dir_linuxmalwaredetect}/${db_file}"
- fi
- if [ -f "${clam_dbs}/${db_file}" ] ; then
- echo "Removing unused file: ${clam_dbs}/${db_file}"
- rm -f "${clam_dbs}/${db_file}"
- fi
- done
-fi
-if [ -n "${interserver_remove_dbs[0]}" ] ; then
- for db_file in "${interserver_remove_dbs[@]}" ; do
- if [ -f "${work_dir_interserver}/${db_file}" ] ; then
- echo "Removing unused file: ${work_dir_interserver}/${db_file}"
- rm -f "${work_dir_interserver}/${db_file}"
- fi
- if [ -f "${clam_dbs}/${db_file}" ] ; then
- echo "Removing unused file: ${clam_dbs}/${db_file}"
- rm -f "${clam_dbs}/${db_file}"
- fi
- done
-fi
-if [ -n "${malwareexpert_remove_dbs[0]}" ] ; then
- for db_file in "${malwareexpert_remove_dbs[@]}" ; do
- if [ -f "${work_dir_malwareexpert}/${db_file}" ] ; then
- echo "Removing unused file: ${work_dir_malwareexpert}/${db_file}"
- rm -f "${work_dir_malwareexpert}/${db_file}"
+if [ "$remove_disabled_databases" == "yes" ] ; then
+ if [ -n "${sanesecurity_remove_dbs[0]}" ] ; then
+ for db_file in "${sanesecurity_remove_dbs[@]}" ; do
+ if [ -f "${work_dir_sanesecurity}/${db_file}" ] ; then
+ echo "Removing unused file: ${work_dir_sanesecurity}/${db_file}"
+ rm -f "${work_dir_sanesecurity}/${db_file}"
+ fi
+ if [ -f "${clam_dbs}/${db_file}" ] ; then
+ echo "Removing unused file: ${clam_dbs}/${db_file}"
+ rm -f "${clam_dbs}/${db_file}"
+ fi
+ done
 fi
- if [ -f "${clam_dbs}/${db_file}" ] ; then
- echo "Removing unused file: ${clam_dbs}/${db_file}"
- rm -f "${clam_dbs}/${db_file}"
+ if [ -n "${securiteinfo_remove_dbs[0]}" ] ; then
+ for db_file in "${securiteinfo_remove_dbs[@]}" ; do
+ if [ -f "${work_dir_securiteinfo}/${db_file}" ] ; then
+ echo "Removing unused file: ${work_dir_securiteinfo}/${db_file}"
+ rm -f "${work_dir_securiteinfo}/${db_file}"
+ fi
+ if [ -f "${clam_dbs}/${db_file}" ] ; then
+ echo "Removing unused file: ${clam_dbs}/${db_file}"
+ rm -f "${clam_dbs}/${db_file}"
+ fi
+ done
 fi
- done
-fi
-if [ -n "${yararulesproject_remove_dbs[0]}" ] ; then
- for db_file in "${yararulesproject_remove_dbs[@]}" ; do
- if echo "$db_file" | $grep_bin -q "/" ; then
- yr_dir="/$(echo "$db_file" | cut -d "/" -f 1)"
- db_file="$(echo "$db_file" | cut -d "/" -f 2)"
- else
- yr_dir=""
- fi
- if [ -f "${work_dir_yararulesproject}/${yr_dir}${db_file}" ] ; then
- echo "Removing unused file: ${work_dir_yararulesproject}/${db_file}"
- rm -f "${work_dir_yararulesproject}/${db_file}"
+ if [ -n "${linuxmalwaredetect_remove_dbs[0]}" ] ; then
+ for db_file in "${linuxmalwaredetect_remove_dbs[@]}" ; do
+ if [ -f "${work_dir_linuxmalwaredetect}/${db_file}" ] ; then
+ echo "Removing unused file: ${work_dir_linuxmalwaredetect}/${db_file}"
+ rm -f "${work_dir_linuxmalwaredetect}/${db_file}"
+ fi
+ if [ -f "${clam_dbs}/${db_file}" ] ; then
+ echo "Removing unused file: ${clam_dbs}/${db_file}"
+ rm -f "${clam_dbs}/${db_file}"
+ fi
+ done
 fi
- if [ -f "${clam_dbs}/${db_file}" ] ; then
- echo "Removing unused file: ${clam_dbs}/${db_file}"
- rm -f "${clam_dbs}/${db_file}"
+ if [ -n "${interserver_remove_dbs[0]}" ] ; then
+ for db_file in "${interserver_remove_dbs[@]}" ; do
+ if [ -f "${work_dir_interserver}/${db_file}" ] ; then
+ echo "Removing unused file: ${work_dir_interserver}/${db_file}"
+ rm -f "${work_dir_interserver}/${db_file}"
+ fi
+ if [ -f "${clam_dbs}/${db_file}" ] ; then
+ echo "Removing unused file: ${clam_dbs}/${db_file}"
+ rm -f "${clam_dbs}/${db_file}"
+ fi
+ done
 fi
- done
-fi
-if [ -n "${urlhaus_remove_dbs[0]}" ] ; then
- for db_file in "${urlhaus_remove_dbs[@]}" ; do
- if [ -f "${work_dir_urlhaus}/${db_file}" ] ; then
- echo "Removing unused file: ${work_dir_urlhaus}/${db_file}"
- rm -f "${work_dir_urlhaus}/${db_file}"
+ if [ -n "${malwareexpert_remove_dbs[0]}" ] ; then
+ for db_file in "${malwareexpert_remove_dbs[@]}" ; do
+ if [ -f "${work_dir_malwareexpert}/${db_file}" ] ; then
+ echo "Removing unused file: ${work_dir_malwareexpert}/${db_file}"
+ rm -f "${work_dir_malwareexpert}/${db_file}"
+ fi
+ if [ -f "${clam_dbs}/${db_file}" ] ; then
+ echo "Removing unused file: ${clam_dbs}/${db_file}"
+ rm -f "${clam_dbs}/${db_file}"
+ fi
+ done
 fi
- if [ -f "${clam_dbs}/${db_file}" ] ; then
- echo "Removing unused file: ${clam_dbs}/${db_file}"
- rm -f "${clam_dbs}/${db_file}"
+ if [ -n "${yararulesproject_remove_dbs[0]}" ] ; then
+ for db_file in "${yararulesproject_remove_dbs[@]}" ; do
+ if echo "$db_file" | $grep_bin -q "/" ; then
+ yr_dir="/$(echo "$db_file" | cut -d "/" -f 1)"
+ db_file="$(echo "$db_file" | cut -d "/" -f 2)"
+ else
+ yr_dir=""
+ fi
+ if [ -f "${work_dir_yararulesproject}/${yr_dir}${db_file}" ] ; then
+ echo "Removing unused file: ${work_dir_yararulesproject}/${db_file}"
+ rm -f "${work_dir_yararulesproject}/${db_file}"
+ fi
+ if [ -f "${clam_dbs}/${db_file}" ] ; then
+ echo "Removing unused file: ${clam_dbs}/${db_file}"
+ rm -f "${clam_dbs}/${db_file}"
+ fi
+ done
 fi
- done
-fi
-if [ -n "${malwarepatrol_remove_dbs[0]}" ] ; then
- for db_file in "${malwarepatrol_remove_dbs[@]}" ; do
- if [ -f "${work_dir_malwarepatrol}/${db_file}" ] ; then
- echo "Removing unused file: ${work_dir_malwarepatrol}/${db_file}"
- rm -f "${work_dir_malwarepatrol}/${db_file}"
+ if [ -n "${urlhaus_remove_dbs[0]}" ] ; then
+ for db_file in "${urlhaus_remove_dbs[@]}" ; do
+ if [ -f "${work_dir_urlhaus}/${db_file}" ] ; then
+ echo "Removing unused file: ${work_dir_urlhaus}/${db_file}"
+ rm -f "${work_dir_urlhaus}/${db_file}"
+ fi
+ if [ -f "${clam_dbs}/${db_file}" ] ; then
+ echo "Removing unused file: ${clam_dbs}/${db_file}"
+ rm -f "${clam_dbs}/${db_file}"
+ fi
+ done
 fi
- if [ -f "${clam_dbs}/${db_file}" ] ; then
- echo "Removing unused file: ${clam_dbs}/${db_file}"
- rm -f "${clam_dbs}/${db_file}"
+ if [ -n "${malwarepatrol_remove_dbs[0]}" ] ; then
+ for db_file in "${malwarepatrol_remove_dbs[@]}" ; do
+ if [ -f "${work_dir_malwarepatrol}/${db_file}" ] ; then
+ echo "Removing unused file: ${work_dir_malwarepatrol}/${db_file}"
+ rm -f "${work_dir_malwarepatrol}/${db_file}"
+ fi
+ if [ -f "${clam_dbs}/${db_file}" ] ; then
+ echo "Removing unused file: ${clam_dbs}/${db_file}"
+ rm -f "${clam_dbs}/${db_file}"
+ fi
+ done
 fi
- done
 fi
 ############################################################################################
From 55ff73c999161b41f93eafe81f6f2dee2f1e6304 Mon Sep 17 00:00:00 2001
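Review bot: In the yararulesproject branch the existence test and the `rm` name different paths: `yr_dir` is built as `/$(… cut -d "/" -f 1)` and joined as `${work_dir_yararulesproject}/${yr_dir}${db_file}`, which for `email/Email_generic_phishing.yar` yields `…//emailEmail_generic_phishing.yar` with no separator between directory and file, while the `echo` and `rm -f` two lines later use `${work_dir_yararulesproject}/${db_file}` with the directory dropped. Either the test never matches and the work-dir copy survives the cleanup, or it happens to match and the `rm` then targets a different file; whichever layout the download code writes (subdirectory or flat — not visible in this hunk), the three lines should name one path, which also lets the `echo | grep | cut` pipeline become parameter expansion. Note too that every branch deletes from the live `${clam_dbs}` by bare filename, so a rule name shared between two providers or two yara directories is removed even if the other source still installs it; keying the `clam_dbs` removal on the provider would be safer.
```shell
    for db_file in "${yararulesproject_remove_dbs[@]}" ; do
      # entries are "<dir>/<file>.yar"; keep the directory so the work-dir path is exact
      if [[ "$db_file" == */* ]] ; then
        yr_dir="${db_file%%/*}/"
        db_file="${db_file#*/}"
      else
        yr_dir=""
      fi
      yr_path="${work_dir_yararulesproject}/${yr_dir}${db_file}"
      if [ -f "$yr_path" ] ; then
        echo "Removing unused file: ${yr_path}"
        rm -f "$yr_path"
      fi
      # … unchanged: removal of ${clam_dbs}/${db_file} …
```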
From: eXtremeSHOK
Date: Sun, 13 Dec 2020 08:10:02 +0200
Subject: [PATCH 03/11] Incremented the config to version 95
---
README.md | 1 +
config/master.conf | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1d8b0ea1..bca88af0 100644
--- a/README.md
+++ b/README.md
@@ -224,6 +224,7 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE]
 * Fix Disabled databases removed when "$remove_disabled_databases" is set to "no"
 * Change yararule email/Email_generic_phishing.yar to HIGH
+* Incremented the config to version 95
 ### Version 7.2 (07 December 2020)
diff --git a/config/master.conf b/config/master.conf
index fb7fef00..8df8bc38 100644
--- a/config/master.conf
+++ b/config/master.conf
@@ -731,7 +731,7 @@ yararulesproject_url="https://raw.githubusercontent.com/Yara-Rules/rules/master"
 # ========================
 # DO NOT EDIT !
-config_version="94"
+config_version="95"
 ################################################################################
 #
From 1606d5ae268b1e704000a236caa05b5a5a535c7f Mon Sep 17 00:00:00 2001
From: eXtremeSHOK
Date: Sun, 13 Dec 2020 14:59:31 +0200
Subject: [PATCH 04/11] New config option: force_host, by default dig is used when dig and host is present. Refactor and correct assign and check Binaries/Commands
---
README.md | 3 +
clamav-unofficial-sigs.sh | 285 +++++++++++++++++++++++---------------
config/master.conf | 5 +
3 files changed, 184 insertions(+), 109 deletions(-)
diff --git a/README.md b/README.md
index bca88af0..a45e9abe 100644
--- a/README.md
+++ b/README.md
@@ -225,6 +225,9 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE]
 * Fix Disabled databases removed when "$remove_disabled_databases" is set to "no"
 * Change yararule email/Email_generic_phishing.yar to HIGH
 * Incremented the config to version 95
+* New config option: force_host, by default dig is used when dig and host is present.
+* Refactor and correct assign and check Binaries/Commands
+
 ### Version 7.2 (07 December 2020)
diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
index a3e9c29f..0074dc34 100644
--- a/clamav-unofficial-sigs.sh
+++ b/clamav-unofficial-sigs.sh
@@ -1628,82 +1628,21 @@ if [ "$(uname -s)" == "SunOS" ] ; then
 }
 fi
-# Default Binaries & Commands
-uname_bin="$(command -v uname 2> /dev/null)"
-clamscan_bin="$(command -v clamscan 2> /dev/null)"
-rsync_bin="$(command -v rsync 2> /dev/null)"
-
-# Detect supprot for gnu grep
-if [ -x /usr/gnu/bin/grep ] ; then
- grep_bin="/usr/gnu/bin/grep"
-else
- grep_bin="$(command -v grep 2> /dev/null)"
-fi
-if [ -z "$grep_bin" ] ; then
- xshok_pretty_echo_and_log "ERROR: grep command is missing"
- exit 1
- fi
-# Detect support for sed or gsed
+# Detect support for sed or gsed, this is required to be known upfront, due to how the configs are read.
 if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then
- sed_executable="gsed"
-else
- sed_executable="sed"
-fi
-if [ -z "$sed_bin" ]; then
- sed_bin="$(command -v "$sed_executable" 2> /dev/null)"
- else
+ sed_bin="$(command -v gsed 2> /dev/null)"
+ if [ -z "$sed_bin" ]; then
 xshok_pretty_echo_and_log "ERROR: gsed (gnu sed) is missing"
 exit 1
-fi
-# Detect support for tar or gtar
-if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then
- tar_executable="gtar"
+ fi
 else
- tar_executable="tar"
-fi
-if [ -z "$tar_bin" ]; then
- tar_bin="$(command -v "$tar_executable" 2> /dev/null)"
- else
- xshok_pretty_echo_and_log "ERROR: gtar (gnu tar) is missing"
+ sed_bin="$(command -v sed 2> /dev/null)"
+ if [ -z "$sed_bin" ]; then
+ xshok_pretty_echo_and_log "ERROR: sed is missing"
 exit 1
-fi
-# Detect support for curl
-if [ -z "$curl_bin" ]; then
- curl_bin="$(command -v curl 2> /dev/null)"
-fi
-# Detect support for wget
-if [ -z "$wget_bin" ]; then
- if [ -x /usr/sfw/bin/wget ] ; then
- wget_bin="/usr/sfw/bin/wget"
- else
- wget_bin="$(command -v wget 2> /dev/null)"
 fi
 fi
-if [ -z "$wget_bin" ] && [ -z "$curl_bin" ]; then
- curl_bin="$(command -v curl 2> /dev/null)"
- if [ -z "$curl_bin" ] ; then
- xshok_pretty_echo_and_log "ERROR: both wget and curl commands are missing, One of them is required"
- exit 1
- fi
-fi
-if [ -n "$wget_bin" ] ; then
- # wget compression support
- if $wget_bin --help | $grep_bin -q "compression=TYPE" ; then
- wget_compression="--compression=auto"
- else
- wget_compression=""
- fi
-fi
-# Detect support for dig or host
-dig_bin="$(command -v dig 2> /dev/null)"
-if [ -n "$dig_bin" ] ; then
- host_bin="$(command -v host 2> /dev/null)"
- if [ -z "$host_bin" ] ; then
- xshok_pretty_echo_and_log "ERROR: both dig and host commands are missing, One of them is required"
- exit 1
- fi
-fi
 # Detect if terminal
 if [ -t 1 ] ; then
 # Set fonts
@@ -1722,7 +1661,6 @@ else
 force_verbose="no"
 fi
-
 # Generic command line options
 while true ; do
 case "${1}" in
@@ -1995,58 +1933,187 @@ fi
 # dont assign , but remove trailing /
 shopt -s extglob; clam_dbs="${clam_dbs%%+(/)}"
-# Force wget over curl.
-if [ -n "$wget_bin" ] && [ "$force_wget" == "yes" ] ; then
- xshok_pretty_echo_and_log "NOTICE: Forcing wget"
- curl_bin=""
-fi
+#####################################################################################################
+# Assign and Check Binaries/Commands
+# clamscan_bin
+if [ -z "$clamscan_bin" ] && [ "${1}" != "--remove-script" ] ; then
+ clamscan_bin="$(command -v clamscan 2> /dev/null)"
+ if [ -z "$clamscan_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: clamscan binary (clamscan_bin) not found"
+ exit 1
+ fi
+elif [[ "$clamscan_bin" =~ "/" ]] && [ "${1}" != "--remove-script" ] ; then
+ if [ ! -x "$clamscan_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: clamscan_bin (${clamscan_bin})is not executable"
+ exit 1
-# SANITY checks
-# Check default Binaries & Commands are defined
-if [ "$reload_dbs" == "yes" ] ; then
- if [ -z "$clamd_reload_opt" ] ; then
- xshok_pretty_echo_and_log "ERROR: Missing clamd_reload_opt"
- exit 1
- fi
+ fi
 fi
+# uname_bin
 if [ -z "$uname_bin" ] ; then
- xshok_pretty_echo_and_log "ERROR: uname (uname_bin) not found"
- exit 1
-fi
-if [ -z "$clamscan_bin" ] ; then
- if [ "${1}" != "--remove-script" ] ; then
- xshok_pretty_echo_and_log "ERROR: clamscan binary (clamscan_bin) not found"
+ uname_bin="$(command -v uname 2> /dev/null)"
+ if [ -z "$uname_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: uname binary (uname_bin) not found"
+ exit 1
+ fi
+elif [[ "$uname_bin" =~ "/" ]] ; then
+ if [ ! -x "$uname_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: uname_bin (${uname_bin}) is not executable"
+ exit 1
+ fi
- exit 1
 fi
+# rsync_bin
 if [ -z "$rsync_bin" ] ; then
- xshok_pretty_echo_and_log "ERROR: rsync binary (rsync_bin) not found"
- exit 1
+ rsync_bin="$(command -v rsync 2> /dev/null)"
+ if [ -z "$rsync_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: rsync binary (rsync_bin) not found"
+ exit 1
+ fi
+elif [[ "$rsync_bin" =~ "/" ]] ; then
+ if [ ! -x "$rsync_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: rsync_bin (${rsync_bin}) is not executable"
+ exit 1
+
+ fi
 fi
-if [ -z "$curl_bin" ] ; then
- if [ -z "$wget_bin" ] ; then
- xshok_pretty_echo_and_log "ERROR: wget and curl binaries not found, script requires either wget or curl"
- exit 1
- fi
+# tar_bin
+if [ -z "$tar_bin" ] ; then
+ # Detect support for tar or gtar
+ if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then
+ tar_bin="$(command -v gtar 2> /dev/null)"
+ else
+ tar_bin="$(command -v tar 2> /dev/null)"
+ fi
+ if [ -z "$tar_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: tar or gtar binary (tar_bin) not found"
+ exit 1
+ fi
+elif [[ "$tar_bin" =~ "/" ]] ; then
+ if [ ! -x "$tar_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: tar_bin (${tar_bin}) is not executable"
+ exit 1
+
+ fi
 fi
-# Check if GPG is enabled and the binary is found
+# gpg_bin
 if [ "$enable_gpg" == "yes" ] ; then
- if [ -z "$gpg_bin" ] ; then
- if [ -x /opt/csw/bin/gpg ] ; then
- gpg_bin="/opt/csw/bin/gpg"
+ if [ -z "$gpg_bin" ] ; then
+ if [ -x "/opt/csw/bin/gpg" ] ; then
+ gpg_bin="/opt/csw/bin/gpg"
+ else
+ gpg_bin="$(command -v gpg 2> /dev/null)"
+ if [ -z "$gpg_bin" ] ; then
+ enable_gpg="no"
+ fi
+ fi
+ elif [[ "$gpg_bin" =~ "/" ]] ; then
+ if [ ! -x "$gpg_bin" ] ; then
+ enable_gpg="no"
+ fi
+ fi
+fi
+# grep_bin
+if [ -z "$grep_bin" ] ; then
+ # Detect support for grep or gnugrep
+ if [ -x /usr/gnu/bin/grep ] ; then
+ grep_bin="/usr/gnu/bin/grep"
 else
- gpg_bin="$(command -v gpg 2> /dev/null)"
+ grep_bin="$(command -v grep 2> /dev/null)"
+ if [ -z "$grep_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: grep binary (grep_bin) not found"
+ exit 1
+ fi
 fi
- if [ -z "$gpg_bin" ] ; then
- gpg_bin="$(command -v gpg2 2> /dev/null)"
+elif [[ "$grep_bin" =~ "/" ]] ; then
+ if [ ! -x "$grep_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: grep (${grep_bin}) is not executable"
+ exit 1
+
+ fi
+fi
+# curl_bin
+if [ -z "$curl_bin" ] ; then
+ curl_bin="$(command -v curl 2> /dev/null)"
+elif [[ "$curl_bin" =~ "/" ]] ; then
+ if [ ! -x "$curl_bin" ] ; then
+ curl_bin=""
+ fi
+fi
+# wget_bin
+if [ -z "$curl_bin" ] || [ "$force_wget" == "yes" ] ; then
+ if [ -z "$wget_bin" ] ; then
+ if [ -x /usr/sfw/bin/wget ] ; then
+ wget_bin="/usr/sfw/bin/wget"
+ else
+ wget_bin="$(command -v wget 2> /dev/null)"
+ if [ -z "$wget_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: both wget (wget_bin) and curl (curl_bin) commands are missing, One of them is required"
+ exit 1
+ fi
+ fi
+ elif [[ "$wget_bin" =~ "/" ]] ; then
+ if [ ! -x "$wget_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: wget_bin (${wget_bin}) is not executable"
+ exit 1
+
+ fi
+ fi
+ if [ -n "$wget_bin" ] ; then
+ # wget compression support
+ if $wget_bin --help 2> /dev/null | $grep_bin -q "compression=TYPE" 2> /dev/null ; then
+ wget_compression="--compression=auto"
+ else
+ wget_compression=""
+ fi
+ fi
+else
+ wget_bin=""
+ wget_compression=""
+ force_wget="no"
+fi
+
+
+# dig_bin
+if [ -z "$dig_bin" ] ; then
+ curl_bin="$(command -v dig 2> /dev/null)"
+elif [[ "$dig_bin" =~ "/" ]] ; then
+ if [ ! -x "$dig_bin" ] ; then
+ dig_bin=""
+ fi
+fi
+# wget_bin
+if [ -z "$dig_bin" ] || [ "$force_host" == "yes" ] ; then
+ if [ -z "$host_bin" ] ; then
+ host_bin="$(command -v host 2> /dev/null)"
+ if [ -z "$wget_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: both host (host_bin) and dig (dig_bin) commands are missing, One of them is required"
+ exit 1
+ fi
+ elif [[ "$host_bin" =~ "/" ]] ; then
+ if [ ! -x "$host_bin" ] ; then
+ xshok_pretty_echo_and_log "ERROR: host_bin (${host_bin}) is not executable"
+ exit 1
+
+ fi
+ fi
+else
+ host_bin=""
+ force_host="no"
+fi
+
+
+
+#####################################################################################################
+
+
+# SANITY checks
+# Check default Binaries & Commands are defined
+if [ "$reload_dbs" == "yes" ] ; then
+ if [ -z "$clamd_reload_opt" ] ; then
+ xshok_pretty_echo_and_log "ERROR: Missing clamd_reload_opt"
+ exit 1
 fi
- fi
- if [ -z "$gpg_bin" ] ; then
- gpg_bin="$(command -v gpg2 2> /dev/null)"
- fi
- if [ -z "$gpg_bin" ] ; then
- enable_gpg="no"
- fi
- if [ ! -x "$gpg_bin" ] ; then
- enable_gpg="no"
- fi
 fi
 if [ "$enable_gpg" != "yes" ] ; then
 xshok_pretty_echo_and_log "NOTICE: GnuPG / signature verification disabled"
diff --git a/config/master.conf b/config/master.conf
index 8df8bc38..548cec78 100644
--- a/config/master.conf
+++ b/config/master.conf
@@ -583,10 +583,15 @@ min_sleep_time="60" # Default minimum is 60 seconds (1 minute).
 #tar_bin="/usr/bin/tar"
 #uname_bin="/usr/bin/uname"
 #wget_bin="/usr/bin/wget"
+#dig_bin="usr/bin/dig"
+#host_bin="/usr/bin/host"
 # force wget, by default curl is used when curl and wget is present.
 force_wget="no"
+# force host, by default dig is used when dig and host is present.
+force_host="no"
+
 # GnuPG / Signature verification
 # To disable usage of gpg, set the following variable to "no".
 # If gpg_bin cannot be found, enable_gpg will automatically disable
From 528f099ad4a82abd96930784e321e0359e8b038c Mon Sep 17 00:00:00 2001
From: eXtremeSHOK Date: Sun, 13 Dec 2020 21:14:34 +0200 Subject: [PATCH 05/11] fix #342 --- clamav-unofficial-sigs.sh | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh index 0074dc34..7751cfa1 100644 --- a/clamav-unofficial-sigs.sh +++ b/clamav-unofficial-sigs.sh @@ -2166,9 +2166,9 @@ if [ "$enable_locking" == "yes" ] ; then else xshok_create_pid_file "$pid_file_fullpath" fi - else - xshok_create_pid_file "$pid_file_fullpath" - fi + else + xshok_create_pid_file "$pid_file_fullpath" + fi # Run this wehen the script exits trap -- "rm -f $pid_file_fullpath" EXIT fi @@ -2730,16 +2730,17 @@ fi # Check to see if the working directories have been created. If not, create them. Otherwise, ignore and proceed with script. xshok_mkdir_ownership "$work_dir" -xshok_mkdir_ownership "$work_dir_securiteinfo" -xshok_mkdir_ownership "$work_dir_malwarepatrol" -xshok_mkdir_ownership "$work_dir_linuxmalwaredetect" +xshok_mkdir_ownership "$work_dir_gpg" +xshok_mkdir_ownership "$work_dir_add" +xshok_mkdir_ownership "$work_dir_pid" xshok_mkdir_ownership "$work_dir_interserver" +xshok_mkdir_ownership "$work_dir_linuxmalwaredetect" xshok_mkdir_ownership "$work_dir_malwareexpert" +xshok_mkdir_ownership "$work_dir_malwarepatrol" xshok_mkdir_ownership "$work_dir_sanesecurity" -xshok_mkdir_ownership "$work_dir_yararulesproject" +xshok_mkdir_ownership "$work_dir_securiteinfo" xshok_mkdir_ownership "$work_dir_work_configs" -xshok_mkdir_ownership "${work_dir_gpg}" -xshok_mkdir_ownership "$work_dir_add" +xshok_mkdir_ownership "$work_dir_yararulesproject" # Set secured access permissions to the GPG directory perms chmod -f 0700 "${work_dir_gpg}" From cf2c2a39228b0278184ed7b93fe6db0cf69aa0bd Mon Sep 17 00:00:00 2001 
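Review bot: `xshok_mkdir_ownership "$work_dir_pid"` is added in the work-directory block near line 2730, but the pid file is already created by `xshok_create_pid_file "$pid_file_fullpath"` in the locking block near line 2166, which runs earlier; if `pid_file_fullpath` lives under `work_dir_pid` (its definition is outside these hunks), a first run on a fresh install would try to write the pid file into a directory that does not exist yet. Creating `work_dir_pid` before the locking block, or inside `xshok_create_pid_file`, would avoid that. The quoting of `"$work_dir_gpg"` is now consistent with its neighbours, but the `chmod -f 0700 "${work_dir_gpg}"` line right below still uses the brace form.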
From: eXtremeSHOK Date: Mon, 14 Dec 2020 01:07:27 +0200 Subject: [PATCH 06/11] Fix broken yara rule database names: Maldoc_hancitor_dropper and Maldoc_APT19_CVE-2017-1099 --- README.md | 1 + config/master.conf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a45e9abe..a60a0657 100644 --- a/README.md +++ b/README.md @@ -227,6 +227,7 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * Incremented the config to version 95 * New config option: force_host, by default dig is used when dig and host is present. * Refactor and correct assign and check Binaries/Commands +* Fix broken yara rule database names: Maldoc_hancitor_dropper and Maldoc_APT19_CVE-2017-1099 ### Version 7.2 (07 December 2020) diff --git a/config/master.conf b/config/master.conf index 548cec78..444ba432 100644 --- a/config/master.conf +++ b/config/master.conf @@ -441,14 +441,14 @@ packers/JJencode.yar|MEDIUM email/Email_generic_phishing.yar|HIGH maldocs/Maldoc_APT_OLE_JSRat.yar|HIGH maldocs/Maldoc_APT10_MenuPass.yar|HIGH -maldocs/Maldoc_APT19_CVE-2017-1099.yar|HIGH +maldocs/Maldoc_APT19_CVE-2017-0199.yar|HIGH maldocs/Maldoc_Contains_VBE_File.yar|HIGH maldocs/Maldoc_CVE_2017_11882.yar|HIGH maldocs/Maldoc_CVE_2017_8759.yar|HIGH maldocs/Maldoc_CVE-2017-0199.yar|HIGH maldocs/Maldoc_DDE.yar|HIGH maldocs/Maldoc_Dridex.yar|HIGH -maldocs/Maldoc_hancitor_dropper|HIGH +maldocs/Maldoc_hancitor_dropper.yar|HIGH maldocs/Maldoc_Hidden_PE_file.yar|HIGH maldocs/Maldoc_malrtf_ole2link.yar|HIGH maldocs/Maldoc_MIME_ActiveMime_b64.yar|HIGH From 03f1e6dfb0a5a8c341d95cb92fb0ddf4db76207d Mon Sep 17 00:00:00 2001 From: eXtremeSHOK Date: Mon, 14 Dec 2020 01:09:20 +0200 Subject: [PATCH 07/11] correct breaking errors --- clamav-unofficial-sigs.sh | 73 ++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 32 deletions(-) mode change 100644 => 100755 clamav-unofficial-sigs.sh 
diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
old mode 100644
new mode 100755
index 7751cfa1..83bc7b6c
--- a/clamav-unofficial-sigs.sh
+++ b/clamav-unofficial-sigs.sh
@@ -1628,18 +1628,46 @@ if [ "$(uname -s)" == "SunOS" ] ; then } fi -# Detect support for sed or gsed, this is required to be known upfront, due to how the configs are read. -if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then - sed_bin="$(command -v gsed 2> /dev/null)" - if [ -z "$sed_bin" ]; then - xshok_pretty_echo_and_log "ERROR: gsed (gnu sed) is missing" +# sed_bin, this is required to be known upfront, due to how the configs are read. +if [ -z "$sed_bin" ] ; then + # Detect support for sed or gsed + if [ "$(uname -s)" == "Darwin" ] || [ "$(uname -s)" == "OpenBSD" ] || [ "$(uname -s)" == "NetBSD" ] || [ "$(uname -s)" == "FreeBSD" ] ; then + sed_bin="$(command -v gsed 2> /dev/null)" + if [ -z "$sed_bin" ]; then + xshok_pretty_echo_and_log "ERROR: gsed (gnu sed) is missing" + exit 1 + fi + else + sed_bin="$(command -v sed 2> /dev/null)" + if [ -z "$sed_bin" ]; then + xshok_pretty_echo_and_log "ERROR: sed is missing" + exit 1 + fi + fi +elif [[ "$sed_bin" =~ "/" ]] ; then + if [ ! -x "$sed_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: sed (${sed_bin}) is not executable" exit 1 + fi -else - sed_bin="$(command -v sed 2> /dev/null)" - if [ -z "$sed_bin" ]; then - xshok_pretty_echo_and_log "ERROR: sed is missing" +fi +# grep_bin, this is required to be known upfront, due to how the configs are read. +if [ -z "$grep_bin" ] ; then + # Detect support for grep or gnugrep + if [ -x /usr/gnu/bin/grep ] ; then + grep_bin="/usr/gnu/bin/grep" + else + grep_bin="$(command -v grep 2> /dev/null)" + if [ -z "$grep_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: grep binary (grep_bin) not found" + exit 1 + fi + fi +elif [[ "$grep_bin" =~ "/" ]] ; then + if [ ! -x "$grep_bin" ] ; then + xshok_pretty_echo_and_log "ERROR: grep (${grep_bin}) is not executable" exit 1 + fi fi 
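Review bot: A configured bare command name such as `sed_bin="gsed"` is never validated: the `elif [[ "$sed_bin" =~ "/" ]]` branch only inspects values that contain a slash, so a bare name that is not on PATH is discovered at first use instead of here. Adding a further `elif ! command -v "$sed_bin" > /dev/null 2>&1 ; then` with the same error-and-exit body would close that gap; the grep_bin block in this hunk and the curl/dig/host/wget blocks in the later hunks of this series have the same shape. `$(uname -s)` is also evaluated four times in one condition; capturing it once, e.g. `os_name="$(uname -s)"`, reads better. There is a stray blank line before `fi` in both `elif` branches.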
@@ -2013,25 +2041,6 @@ if [ "$enable_gpg" == "yes" ] ; then fi fi fi -# grep_bin -if [ -z "$grep_bin" ] ; then - # Detect support for grep or gnugrep - if [ -x /usr/gnu/bin/grep ] ; then - grep_bin="/usr/gnu/bin/grep" - else - grep_bin="$(command -v grep 2> /dev/null)" - if [ -z "$grep_bin" ] ; then - xshok_pretty_echo_and_log "ERROR: grep binary (grep_bin) not found" - exit 1 - fi - fi -elif [[ "$grep_bin" =~ "/" ]] ; then - if [ ! -x "$grep_bin" ] ; then - xshok_pretty_echo_and_log "ERROR: grep (${grep_bin}) is not executable" - exit 1 - - fi -fi # curl_bin if [ -z "$curl_bin" ] ; then curl_bin="$(command -v curl 2> /dev/null)" @@ -2076,17 +2085,17 @@ fi # dig_bin if [ -z "$dig_bin" ] ; then - curl_bin="$(command -v dig 2> /dev/null)" + dig_bin="$(command -v dig 2> /dev/null)" elif [[ "$dig_bin" =~ "/" ]] ; then if [ ! -x "$dig_bin" ] ; then dig_bin="" fi fi -# wget_bin +# host_bin if [ -z "$dig_bin" ] || [ "$force_host" == "yes" ] ; then if [ -z "$host_bin" ] ; then host_bin="$(command -v host 2> /dev/null)" - if [ -z "$wget_bin" ] ; then + if [ -z "$host_bin" ] ; then xshok_pretty_echo_and_log "ERROR: both host (host_bin) and dig (dig_bin) commands are missing, One of them is required" exit 1 fi @@ -3002,7 +3011,7 @@ if [ "$sanesecurity_enabled" == "yes" ] ; then # Add fallback to host if dig returns no records or dig is not used if [ -z "$sanesecurity_mirror_name" ] ; then # shellcheck disable=SC2086 - sanesecurity_mirror_name="$($host_bin $host_proxy "$sanesecurity_mirror_ip" | $sed_bin -n '/name pointer/{s/.*pointer \([^ ]*\).*\.$/\1/;p;}')" + sanesecurity_mirror_name="$($host_bin $host_proxy -t A "$sanesecurity_mirror_ip" | $sed_bin -n '/name pointer/{s/.*pointer \([^ ]*\).*\.$/\1/;p;}')" fi sanesecurity_mirror_site_info="$sanesecurity_mirror_name $sanesecurity_mirror_ip" xshok_pretty_echo_and_log "Sanesecurity mirror site used: ${sanesecurity_mirror_site_info}" From 4ee83f51ab8ba9a995f2592e96e7eea7ea575704 Mon Sep 17 00:00:00 2001 
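Review bot: In the dig_bin block, a configured path that fails the `-x` test is silently emptied (`dig_bin=""`) with no log line, whereas the host_bin block directly below exits with an error for the same condition; combined with the following `if [ -z "$dig_bin" ]`, a typo in `dig_bin` silently switches resolution to host. Logging it before clearing the variable, e.g. `xshok_pretty_echo_and_log "NOTICE: dig (${dig_bin}) is not executable, host will be used instead"`, would make that visible.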
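Review bot: Adding `-t A` to a reverse lookup looks wrong: `$sanesecurity_mirror_ip` is an address and the output is filtered with `$sed_bin -n '/name pointer/…'`, which only matches PTR answers. To my knowledge, when host is given an address together with an explicit `-t A` it queries the in-addr.arpa name for an A record and reports "has no A record" rather than "domain name pointer", so `sanesecurity_mirror_name` would come back empty — please verify against your host version. Use `-t PTR` or drop the `-t` option for this call; the same call appears twice in the patch-08 hunk (`@@ -2988,30 +2988,42 @@`), so the fix belongs there too.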
From: eXtremeSHOK Date: Mon, 14 Dec 2020 02:51:00 +0200 Subject: [PATCH 08/11] Ensure only dig or host is used when either dig or host is enabled fixes #348 --- README.md | 2 +- clamav-unofficial-sigs.sh | 44 +++++++++++++++++++++++++-------------- 2 files changed, 29 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index a60a0657..34eaca05 100644 --- a/README.md +++ b/README.md @@ -228,7 +228,7 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * New config option: force_host, by default dig is used when dig and host is present. * Refactor and correct assign and check Binaries/Commands * Fix broken yara rule database names: Maldoc_hancitor_dropper and Maldoc_APT19_CVE-2017-1099 - +* Ensure only dig or host is used when either dig or host is enabled ### Version 7.2 (07 December 2020) diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh index 83bc7b6c..aaac9ed1 100755 --- a/clamav-unofficial-sigs.sh +++ b/clamav-unofficial-sigs.sh 
@@ -2988,30 +2988,42 @@ if [ "$sanesecurity_enabled" == "yes" ] ; then echo "$current_time" > "${work_dir_work_configs}/last-ss-update.txt" xshok_pretty_echo_and_log "Sanesecurity Database & GPG Signature File Updates" "=" xshok_pretty_echo_and_log "Checking for Sanesecurity updates..." - if [ -n "$dig_bin" ] ; then - # shellcheck disable=SC2086 + if [ -n "$dig_bin" ] ; then + # shellcheck disable=SC2086 sanesecurity_mirror_ips="$($dig_bin $dig_proxy +ignore +short "$sanesecurity_url")" - else - sanesecurity_mirror_ips="" - fi - # Add fallback to host if dig returns no records or dig is not used + else + # shellcheck disable=SC2086 + sanesecurity_mirror_ips="$($host_bin $host_proxy -t A "$sanesecurity_url" | $sed_bin -n '/has address/{s/.*address \([^ ]*\).*/\1/;p;}')" + fi + # Add fallback if no records are returned if [ ${#sanesecurity_mirror_ips} -lt 1 ] ; then - # shellcheck disable=SC2086 - sanesecurity_mirror_ips="$($host_bin $host_proxy -t A "$sanesecurity_url" | $sed_bin -n '/has address/{s/.*address \([^ ]*\).*/\1/;p;}')" + if [ -n "$dig_bin" ] ; then + # shellcheck disable=SC2086 + sanesecurity_mirror_ips="$($dig_bin $dig_proxy +ignore +short "$sanesecurity_url")" + else + # shellcheck disable=SC2086 + sanesecurity_mirror_ips="$($host_bin $host_proxy -t A "$sanesecurity_url" | $sed_bin -n '/has address/{s/.*address \([^ ]*\).*/\1/;p;}')" + fi fi if [ ${#sanesecurity_mirror_ips} -ge 1 ] ; then for sanesecurity_mirror_ip in $sanesecurity_mirror_ips ; do - if [ -n "$dig_bin" ] ; then - # shellcheck disable=SC2086 + if [ -n "$dig_bin" ] ; then + # shellcheck disable=SC2086 sanesecurity_mirror_name="$($dig_bin $dig_proxy +short -x "$sanesecurity_mirror_ip" | command "$sed_bin" 's/\.$//')" - else - sanesecurity_mirror_name="" - fi - # Add fallback to host if dig returns no records or dig is not used + else + # shellcheck disable=SC2086 + sanesecurity_mirror_name="$($host_bin $host_proxy -t A "$sanesecurity_mirror_ip" | $sed_bin -n '/name pointer/{s/.*pointer 
\([^ ]*\).*\.$/\1/;p;}')" + fi + # Add fallback if no records are returned if [ -z "$sanesecurity_mirror_name" ] ; then - # shellcheck disable=SC2086 - sanesecurity_mirror_name="$($host_bin $host_proxy -t A "$sanesecurity_mirror_ip" | $sed_bin -n '/name pointer/{s/.*pointer \([^ ]*\).*\.$/\1/;p;}')" + if [ -n "$dig_bin" ] ; then + # shellcheck disable=SC2086 + sanesecurity_mirror_name="$($dig_bin $dig_proxy +short -x "$sanesecurity_mirror_ip" | command "$sed_bin" 's/\.$//')" + else + # shellcheck disable=SC2086 + sanesecurity_mirror_name="$($host_bin $host_proxy -t A "$sanesecurity_mirror_ip" | $sed_bin -n '/name pointer/{s/.*pointer \([^ ]*\).*\.$/\1/;p;}')" + fi fi sanesecurity_mirror_site_info="$sanesecurity_mirror_name $sanesecurity_mirror_ip" xshok_pretty_echo_and_log "Sanesecurity mirror site used: ${sanesecurity_mirror_site_info}" From 543c70d5ff8d9f437341035fc54e7b09b934efbc Mon Sep 17 00:00:00 2001 From: eXtremeSHOK Date: Mon, 14 Dec 2020 02:56:36 +0200 Subject: [PATCH 09/11] Enable remove_disabled_databases by default --- README.md | 1 + config/master.conf | 2 +- config/user.conf | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 34eaca05..59c9ff4e 100644 --- a/README.md +++ b/README.md @@ -229,6 +229,7 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * Refactor and correct assign and check Binaries/Commands * Fix broken yara rule database names: Maldoc_hancitor_dropper and Maldoc_APT19_CVE-2017-1099 * Ensure only dig or host is used when either dig or host is enabled +* Enable remove_disabled_databases by default ### Version 7.2 (07 December 2020) diff --git a/config/master.conf b/config/master.conf index 444ba432..4a7fb8b2 100644 --- a/config/master.conf +++ b/config/master.conf 
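Review bot: The two "fallback" blocks are now exact copies of the primary query above them: when `dig_bin` is set they re-run the same dig command, otherwise the same host command, so they only retry and never fall back to the other tool. If a single retry is the intent, the comment `# Add fallback if no records are returned` should say `# Retry once if no records are returned`; otherwise the `if [ ${#sanesecurity_mirror_ips} -lt 1 ]` and `if [ -z "$sanesecurity_mirror_name" ]` blocks can be removed, leaving only the primary `if/else`. The enclosing `if [ "$sanesecurity_enabled" == "yes" ]` block starts and ends outside the hunk.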
@@ -653,7 +653,7 @@ keep_db_backup="no" remove_bad_database="yes" # When a database is disabled we will remove the associated database files. -remove_disabled_databases="no" # Default is "no" since we are not a database managament tool by default. +remove_disabled_databases="yes" # Default is "yes" # Enable SELinux fixes, ie. running restorecon on the database files. # **Run the following command as root to enable clamav selinux support** diff --git a/config/user.conf b/config/user.conf index 8e957456..6b75b7bd 100644 --- a/config/user.conf +++ b/config/user.conf @@ -21,6 +21,9 @@ # Please note, it is your responsibility to manage the contents of this file. # Values provided here are just examples, feel free to use any values from the main config file. +# When a database is disabled we will remove the associated database files. +# remove_disabled_databases="yes" # Default is "yes" + # Malware Expert 2020 (non-free) clamav signatures # set to no to enable the commercial subscription databases #malwareexpert_serial_key="YOUR-SERIAL-KEY" From 174cc483f1429e65874405d7455695d6aec71ae5 Mon Sep 17 00:00:00 2001 From: eXtremeSHOK Date: Mon, 14 Dec 2020 03:03:20 +0200 Subject: [PATCH 10/11] prepare for release --- README.md | 9 +++++---- clamav-unofficial-sigs.sh | 6 +++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 59c9ff4e..1b09945a 100644 --- a/README.md +++ b/README.md 
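Review bot: The replaced comment explained why the old default was "no"; the new `remove_disabled_databases="yes" # Default is "yes"` only repeats the value, and since the script now deletes files by default the comment should say what is removed and how to opt out, e.g. `# When a database is disabled the associated database files are removed; set to "no" to keep them on disk.`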
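Review bot: The new user.conf example `# remove_disabled_databases="yes"` uses `# ` with a space, while the other examples in this file are written as `#malwareexpert_serial_key=…` with no space; for consistency write `#remove_disabled_databases="yes"`. The trailing `# Default is "yes"` duplicates what the line already shows and can be dropped.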
@@ -220,16 +220,17 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] ## Change Log -### Version 7.2.1 (XX December 2020) +### Version 7.2.1 (13 December 2020) -* Fix Disabled databases removed when "$remove_disabled_databases" is set to "no" +* eXtremeSHOK.com Maintenance * Change yararule email/Email_generic_phishing.yar to HIGH -* Incremented the config to version 95 * New config option: force_host, by default dig is used when dig and host is present. -* Refactor and correct assign and check Binaries/Commands +* Refactor and correct the assigning of binaries/commands * Fix broken yara rule database names: Maldoc_hancitor_dropper and Maldoc_APT19_CVE-2017-1099 * Ensure only dig or host is used when either dig or host is enabled * Enable remove_disabled_databases by default +* Fix disabled databases removed when "$remove_disabled_databases" is set to "no" +* Incremented the config to version 95 ### Version 7.2 (07 December 2020) diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh index aaac9ed1..6484873f 100755 --- a/clamav-unofficial-sigs.sh +++ b/clamav-unofficial-sigs.sh @@ -1530,9 +1530,9 @@ EOF ################################################################################ # Script Info -script_version="7.2" -script_version_date="2020-12-02" -minimum_required_config_version="94" +script_version="7.2.1" +script_version_date="2020-12-13" +minimum_required_config_version="95" minimum_yara_clamav_version="0.100" # Discover script: name, full_path and path From 5bb3910f5f2ce6a8fc1168e29948af8bde535122 Mon Sep 17 00:00:00 2001 From: eXtremeSHOK Date: Mon, 14 Dec 2020 03:06:33 +0200 Subject: [PATCH 11/11] tidy readme --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 1b09945a..c44dd9bb 100644 --- a/README.md +++ b/README.md 
@@ -264,12 +264,12 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * Incremented the config to version 92 * Thank you @dandanio @jkellerer @m0urs @Mrothyr @msapiro @orlitzky @RobbieTheK @SlothOfAnarchy -### Version 7.0.1 (25 January 2020) +### Version 7.0.1 * Disable yara project rules duplicated in rxfn.yara (Thanks @dominicraf) * Incremented the config to version 91 -### Version 7.0.0 (24 January 2020) +### Version 7.0.0 * eXtremeSHOK.com Maintenance * Added urlhaus database @@ -302,7 +302,7 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * Only check for and notify about script updates every 12hours * Incremented the config to version 90 -### Version 6.1.1 (02 September 2019) +### Version 6.1.1 * eXtremeSHOK.com Maintenance * Update os.archlinux.conf, thanks @amishmm @@ -317,7 +317,7 @@ Usage: clamav-unofficial-sigs.sh [OPTION] [PATH|FILE] * Minor enhancement to travis-ci checks * Incremented the config to version 77 -### Version 6.1.0 (27 August 2019) +### Version 6.1.0 * eXtremeSHOK.com Maintenance * Thanks Reio Remma & Oliver Nissen