53
58
static struct dconf_module modules[] = {
55
{ "PE", "PARITE", PE_CONF_PARITE, 1 },
56
{ "PE", "KRIZ", PE_CONF_KRIZ, 1 },
57
{ "PE", "MAGISTR", PE_CONF_MAGISTR, 1 },
58
{ "PE", "POLIPOS", PE_CONF_POLIPOS, 1 },
59
{ "PE", "MD5SECT", PE_CONF_MD5SECT, 1 },
60
{ "PE", "UPX", PE_CONF_UPX, 1 },
61
{ "PE", "FSG", PE_CONF_FSG, 1 },
62
{ "PE", "SWIZZOR", PE_CONF_SWIZZOR, 1 },
64
{ "PE", "PETITE", PE_CONF_PETITE, 1 },
65
{ "PE", "PESPIN", PE_CONF_PESPIN, 1 },
66
{ "PE", "YC", PE_CONF_YC, 1 },
67
{ "PE", "WWPACK", PE_CONF_WWPACK, 1 },
69
{ "PE", "NSPACK", PE_CONF_NSPACK, 1 },
70
{ "PE", "MEW", PE_CONF_MEW, 1 },
71
{ "PE", "UPACK", PE_CONF_UPACK, 1 },
72
{ "PE", "ASPACK", PE_CONF_ASPACK, 1 },
73
{ "PE", "CATALOG", PE_CONF_CATALOG, 1 },
60
{ "PE", "PARITE", PE_CONF_PARITE, 1 },
61
{ "PE", "KRIZ", PE_CONF_KRIZ, 1 },
62
{ "PE", "MAGISTR", PE_CONF_MAGISTR, 1 },
63
{ "PE", "POLIPOS", PE_CONF_POLIPOS, 1 },
64
{ "PE", "MD5SECT", PE_CONF_MD5SECT, 1 },
65
{ "PE", "UPX", PE_CONF_UPX, 1 },
66
{ "PE", "FSG", PE_CONF_FSG, 1 },
67
{ "PE", "SWIZZOR", PE_CONF_SWIZZOR, 1 },
69
{ "PE", "PETITE", PE_CONF_PETITE, 1 },
70
{ "PE", "PESPIN", PE_CONF_PESPIN, 1 },
71
{ "PE", "YC", PE_CONF_YC, 1 },
72
{ "PE", "WWPACK", PE_CONF_WWPACK, 1 },
74
{ "PE", "NSPACK", PE_CONF_NSPACK, 1 },
75
{ "PE", "MEW", PE_CONF_MEW, 1 },
76
{ "PE", "UPACK", PE_CONF_UPACK, 1 },
77
{ "PE", "ASPACK", PE_CONF_ASPACK, 1 },
78
{ "PE", "CATALOG", PE_CONF_CATALOG, 1 },
74
79
{ "PE", "DISABLECERT", PE_CONF_DISABLECERT, 0 },
75
80
{ "PE", "DUMPCERT", PE_CONF_DUMPCERT, 0 },
77
{ "ELF", NULL, 0x1, 1 },
79
{ "MACHO", NULL, 0x1, 1 },
81
{ "ARCHIVE", "RAR", ARCH_CONF_RAR, 1 },
82
{ "ARCHIVE", "ZIP", ARCH_CONF_ZIP, 1 },
83
{ "ARCHIVE", "GZIP", ARCH_CONF_GZ, 1 },
84
{ "ARCHIVE", "BZIP", ARCH_CONF_BZ, 1 },
85
{ "ARCHIVE", "ARJ", ARCH_CONF_ARJ, 1 },
86
{ "ARCHIVE", "SZDD", ARCH_CONF_SZDD, 1 },
87
{ "ARCHIVE", "CAB", ARCH_CONF_CAB, 1 },
88
{ "ARCHIVE", "CHM", ARCH_CONF_CHM, 1 },
89
{ "ARCHIVE", "OLE2", ARCH_CONF_OLE2, 1 },
90
{ "ARCHIVE", "TAR", ARCH_CONF_TAR, 1 },
91
{ "ARCHIVE", "CPIO", ARCH_CONF_CPIO, 1 },
92
{ "ARCHIVE", "BINHEX", ARCH_CONF_BINHEX, 1 },
93
{ "ARCHIVE", "SIS", ARCH_CONF_SIS, 1 },
94
{ "ARCHIVE", "NSIS", ARCH_CONF_NSIS, 1 },
95
{ "ARCHIVE", "AUTOIT", ARCH_CONF_AUTOIT, 1 },
96
{ "ARCHIVE", "ISHIELD", ARCH_CONF_ISHIELD, 1 },
97
{ "ARCHIVE", "7zip", ARCH_CONF_7Z, 1 },
98
{ "ARCHIVE", "ISO9660", ARCH_CONF_ISO9660, 1 },
99
{ "ARCHIVE", "DMG", ARCH_CONF_DMG, 1 },
100
{ "ARCHIVE", "XAR", ARCH_CONF_XAR, 1 },
101
{ "ARCHIVE", "HFSPLUS", ARCH_CONF_HFSPLUS, 1 },
102
{ "ARCHIVE", "XZ", ARCH_CONF_XZ, 1 },
104
{ "DOCUMENT", "HTML", DOC_CONF_HTML, 1 },
105
{ "DOCUMENT", "RTF", DOC_CONF_RTF, 1 },
106
{ "DOCUMENT", "PDF", DOC_CONF_PDF, 1 },
107
{ "DOCUMENT", "SCRIPT", DOC_CONF_SCRIPT, 1 },
81
{ "PE", "MATCHICON", PE_CONF_MATCHICON, 1 },
83
{ "ELF", NULL, 0x1, 1 },
85
{ "MACHO", NULL, 0x1, 1 },
87
{ "ARCHIVE", "RAR", ARCH_CONF_RAR, 1 },
88
{ "ARCHIVE", "ZIP", ARCH_CONF_ZIP, 1 },
89
{ "ARCHIVE", "GZIP", ARCH_CONF_GZ, 1 },
90
{ "ARCHIVE", "BZIP", ARCH_CONF_BZ, 1 },
91
{ "ARCHIVE", "ARJ", ARCH_CONF_ARJ, 1 },
92
{ "ARCHIVE", "SZDD", ARCH_CONF_SZDD, 1 },
93
{ "ARCHIVE", "CAB", ARCH_CONF_CAB, 1 },
94
{ "ARCHIVE", "CHM", ARCH_CONF_CHM, 1 },
95
{ "ARCHIVE", "OLE2", ARCH_CONF_OLE2, 1 },
96
{ "ARCHIVE", "TAR", ARCH_CONF_TAR, 1 },
97
{ "ARCHIVE", "CPIO", ARCH_CONF_CPIO, 1 },
98
{ "ARCHIVE", "BINHEX", ARCH_CONF_BINHEX, 1 },
99
{ "ARCHIVE", "SIS", ARCH_CONF_SIS, 1 },
100
{ "ARCHIVE", "NSIS", ARCH_CONF_NSIS, 1 },
101
{ "ARCHIVE", "AUTOIT", ARCH_CONF_AUTOIT, 1 },
102
{ "ARCHIVE", "ISHIELD", ARCH_CONF_ISHIELD, 1 },
103
{ "ARCHIVE", "7zip", ARCH_CONF_7Z, 1 },
104
{ "ARCHIVE", "ISO9660", ARCH_CONF_ISO9660, 1 },
105
{ "ARCHIVE", "DMG", ARCH_CONF_DMG, 1 },
106
{ "ARCHIVE", "XAR", ARCH_CONF_XAR, 1 },
107
{ "ARCHIVE", "HFSPLUS", ARCH_CONF_HFSPLUS, 1 },
108
{ "ARCHIVE", "XZ", ARCH_CONF_XZ, 1 },
110
{ "DOCUMENT", "HTML", DOC_CONF_HTML, 1 },
111
{ "DOCUMENT", "RTF", DOC_CONF_RTF, 1 },
112
{ "DOCUMENT", "PDF", DOC_CONF_PDF, 1 },
113
{ "DOCUMENT", "SCRIPT", DOC_CONF_SCRIPT, 1 },
108
114
{ "DOCUMENT", "HTMLSKIPRAW", DOC_CONF_HTML_SKIPRAW, 1 },
109
115
{ "DOCUMENT", "JSNORM", DOC_CONF_JSNORM, 1 },
110
{ "DOCUMENT", "SWF", DOC_CONF_SWF, 1 },
112
{ "MAIL", "MBOX", MAIL_CONF_MBOX, 1 },
113
{ "MAIL", "TNEF", MAIL_CONF_TNEF, 1 },
115
{ "OTHER", "UUENCODED", OTHER_CONF_UUENC, 1 },
116
{ "OTHER", "SCRENC", OTHER_CONF_SCRENC, 1 },
117
{ "OTHER", "RIFF", OTHER_CONF_RIFF, 1 },
118
{ "OTHER", "JPEG", OTHER_CONF_JPEG, 1 },
119
{ "OTHER", "CRYPTFF", OTHER_CONF_CRYPTFF, 1 },
120
{ "OTHER", "DLP", OTHER_CONF_DLP, 1 },
121
{ "OTHER", "MYDOOMLOG", OTHER_CONF_MYDOOMLOG, 1 },
116
{ "DOCUMENT", "SWF", DOC_CONF_SWF, 1 },
118
{ "MAIL", "MBOX", MAIL_CONF_MBOX, 1 },
119
{ "MAIL", "TNEF", MAIL_CONF_TNEF, 1 },
121
{ "OTHER", "UUENCODED", OTHER_CONF_UUENC, 1 },
122
{ "OTHER", "SCRENC", OTHER_CONF_SCRENC, 1 },
123
{ "OTHER", "RIFF", OTHER_CONF_RIFF, 1 },
124
{ "OTHER", "JPEG", OTHER_CONF_JPEG, 1 },
125
{ "OTHER", "CRYPTFF", OTHER_CONF_CRYPTFF, 1 },
126
{ "OTHER", "DLP", OTHER_CONF_DLP, 1 },
127
{ "OTHER", "MYDOOMLOG", OTHER_CONF_MYDOOMLOG, 1 },
122
128
{ "OTHER", "PREFILTERING", OTHER_CONF_PREFILTERING,1 },
123
129
{ "OTHER", "PDFNAMEOBJ", OTHER_CONF_PDFNAMEOBJ, 1 },
130
{ "OTHER", "PRTNINTXN", OTHER_CONF_PRTNINTXN, 1 },
125
132
{ "PHISHING", "ENGINE", PHISHING_CONF_ENGINE, 1 },
126
133
{ "PHISHING", "ENTCONV", PHISHING_CONF_ENTCONV, 1 },
189
202
void cli_dconf_print(struct cli_dconf *dconf)
191
unsigned int pe = 0, elf = 0, macho = 0, arch = 0, doc = 0, mail = 0;
192
unsigned int other = 0, phishing = 0, i, bytecode=0;
204
unsigned int pe = 0, elf = 0, macho = 0, arch = 0, doc = 0, mail = 0;
205
unsigned int other = 0, phishing = 0, i, bytecode=0, stats=0;
195
208
cli_dbgmsg("Dynamic engine configuration settings:\n");
196
209
cli_dbgmsg("--------------------------------------\n");
198
211
for(i = 0; modules[i].mname; i++) {
199
if(!strcmp(modules[i].mname, "PE")) {
201
cli_dbgmsg("Module PE: %s\n", dconf->pe ? "On" : "Off");
205
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->pe & modules[i].bflag) ? "On" : "** Off **");
209
} else if(!strcmp(modules[i].mname, "ELF")) {
211
cli_dbgmsg("Module ELF: %s\n", dconf->elf ? "On" : "Off");
215
} else if(!strcmp(modules[i].mname, "MACHO")) {
217
cli_dbgmsg("Module MACHO: %s\n", dconf->elf ? "On" : "Off");
221
} else if(!strcmp(modules[i].mname, "ARCHIVE")) {
223
cli_dbgmsg("Module ARCHIVE: %s\n", dconf->archive ? "On" : "Off");
227
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->archive & modules[i].bflag) ? "On" : "** Off **");
231
} else if(!strcmp(modules[i].mname, "DOCUMENT")) {
233
cli_dbgmsg("Module DOCUMENT: %s\n", dconf->doc ? "On" : "Off");
237
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->doc & modules[i].bflag) ? "On" : "** Off **");
241
} else if(!strcmp(modules[i].mname, "MAIL")) {
243
cli_dbgmsg("Module MAIL: %s\n", dconf->mail ? "On" : "Off");
247
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->mail & modules[i].bflag) ? "On" : "** Off **");
251
} else if(!strcmp(modules[i].mname, "OTHER")) {
253
cli_dbgmsg("Module OTHER: %s\n", dconf->other ? "On" : "Off");
257
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->other & modules[i].bflag) ? "On" : "** Off **");
260
} else if(!strcmp(modules[i].mname, "PHISHING")) {
262
cli_dbgmsg("Module PHISHING %s\n", dconf->phishing ? "On" : "Off");
266
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->phishing & modules[i].bflag) ? "On" : "** Off **");
269
} else if(!strcmp(modules[i].mname, "BYTECODE")) {
271
cli_dbgmsg("Module BYTECODE %s\n", dconf->bytecode ? "On" : "Off");
275
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->bytecode & modules[i].bflag) ? "On" : "** Off **");
212
if(!strcmp(modules[i].mname, "PE")) {
214
cli_dbgmsg("Module PE: %s\n", dconf->pe ? "On" : "Off");
219
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->pe & modules[i].bflag) ? "On" : "** Off **");
222
} else if(!strcmp(modules[i].mname, "ELF")) {
224
cli_dbgmsg("Module ELF: %s\n", dconf->elf ? "On" : "Off");
227
} else if(!strcmp(modules[i].mname, "MACHO")) {
229
cli_dbgmsg("Module MACHO: %s\n", dconf->elf ? "On" : "Off");
232
} else if(!strcmp(modules[i].mname, "ARCHIVE")) {
234
cli_dbgmsg("Module ARCHIVE: %s\n", dconf->archive ? "On" : "Off");
239
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->archive & modules[i].bflag) ? "On" : "** Off **");
242
} else if(!strcmp(modules[i].mname, "DOCUMENT")) {
244
cli_dbgmsg("Module DOCUMENT: %s\n", dconf->doc ? "On" : "Off");
249
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->doc & modules[i].bflag) ? "On" : "** Off **");
252
} else if(!strcmp(modules[i].mname, "MAIL")) {
254
cli_dbgmsg("Module MAIL: %s\n", dconf->mail ? "On" : "Off");
259
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->mail & modules[i].bflag) ? "On" : "** Off **");
262
} else if(!strcmp(modules[i].mname, "OTHER")) {
264
cli_dbgmsg("Module OTHER: %s\n", dconf->other ? "On" : "Off");
269
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->other & modules[i].bflag) ? "On" : "** Off **");
272
} else if(!strcmp(modules[i].mname, "PHISHING")) {
274
cli_dbgmsg("Module PHISHING %s\n", dconf->phishing ? "On" : "Off");
279
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->phishing & modules[i].bflag) ? "On" : "** Off **");
282
} else if(!strcmp(modules[i].mname, "BYTECODE")) {
284
cli_dbgmsg("Module BYTECODE %s\n", dconf->bytecode ? "On" : "Off");
289
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->bytecode & modules[i].bflag) ? "On" : "** Off **");
292
} else if (!strcmp(modules[i].mname, "STATS")) {
294
cli_dbgmsg("Module STATS %s\n", dconf->stats ? "On" : "Off");
299
cli_dbgmsg(" * Submodule %10s:\t%s\n", modules[i].sname, (dconf->stats & modules[i].bflag) ? "On" : "** Off **");
282
306
static int chkflevel(const char *entry, int field)
287
311
if((pt = cli_strtok(entry, field, ":"))) { /* min version */
293
if((unsigned int) atoi(pt) > CL_FLEVEL_DCONF) {
300
if((pt = cli_strtok(entry, field + 1, ":"))) { /* max version */
306
if((unsigned int) atoi(pt) < CL_FLEVEL_DCONF) {
317
if((unsigned int) atoi(pt) > CL_FLEVEL_DCONF) {
324
if((pt = cli_strtok(entry, field + 1, ":"))) { /* max version */
330
if((unsigned int) atoi(pt) < CL_FLEVEL_DCONF) {
318
342
int cli_dconf_load(FILE *fs, struct cl_engine *engine, unsigned int options, struct cli_dbio *dbio)
320
char buffer[FILEBUFF];
321
unsigned int line = 0;
344
char buffer[FILEBUFF];
345
unsigned int line = 0;
326
350
while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {
330
if(!strncmp(buffer, "PE:", 3) && chkflevel(buffer, 2)) {
331
if(sscanf(buffer + 3, "0x%x", &val) == 1) {
332
engine->dconf->pe = val;
339
if(!strncmp(buffer, "ELF:", 4) && chkflevel(buffer, 2)) {
340
if(sscanf(buffer + 4, "0x%x", &val) == 1) {
341
engine->dconf->elf = val;
348
if(!strncmp(buffer, "MACHO:", 4) && chkflevel(buffer, 2)) {
349
if(sscanf(buffer + 4, "0x%x", &val) == 1) {
350
engine->dconf->macho = val;
357
if(!strncmp(buffer, "ARCHIVE:", 8) && chkflevel(buffer, 2)) {
358
if(sscanf(buffer + 8, "0x%x", &val) == 1) {
359
engine->dconf->archive = val;
366
if(!strncmp(buffer, "DOCUMENT:", 9) && chkflevel(buffer, 2)) {
367
if(sscanf(buffer + 9, "0x%x", &val) == 1) {
368
engine->dconf->doc = val;
375
if(!strncmp(buffer, "MAIL:", 5) && chkflevel(buffer, 2)) {
376
if(sscanf(buffer + 5, "0x%x", &val) == 1) {
377
engine->dconf->mail = val;
384
if(!strncmp(buffer, "OTHER:", 6) && chkflevel(buffer, 2)) {
385
if(sscanf(buffer + 6, "0x%x", &val) == 1) {
386
engine->dconf->other = val;
393
if(!strncmp(buffer, "PHISHING:", 9) && chkflevel(buffer, 2)) {
394
if(sscanf(buffer + 9, "0x%x", &val) == 1) {
395
engine->dconf->phishing = val;
402
if(!strncmp(buffer, "BYTECODE:", 9) && chkflevel(buffer, 2)) {
403
if(sscanf(buffer + 9, "0x%x", &val) == 1) {
404
engine->dconf->bytecode = val;
354
if(!strncmp(buffer, "PE:", 3) && chkflevel(buffer, 2)) {
355
if(sscanf(buffer + 3, "0x%x", &val) == 1) {
356
engine->dconf->pe = val;
363
if(!strncmp(buffer, "ELF:", 4) && chkflevel(buffer, 2)) {
364
if(sscanf(buffer + 4, "0x%x", &val) == 1) {
365
engine->dconf->elf = val;
372
if(!strncmp(buffer, "MACHO:", 4) && chkflevel(buffer, 2)) {
373
if(sscanf(buffer + 4, "0x%x", &val) == 1) {
374
engine->dconf->macho = val;
381
if(!strncmp(buffer, "ARCHIVE:", 8) && chkflevel(buffer, 2)) {
382
if(sscanf(buffer + 8, "0x%x", &val) == 1) {
383
engine->dconf->archive = val;
390
if(!strncmp(buffer, "DOCUMENT:", 9) && chkflevel(buffer, 2)) {
391
if(sscanf(buffer + 9, "0x%x", &val) == 1) {
392
engine->dconf->doc = val;
399
if(!strncmp(buffer, "MAIL:", 5) && chkflevel(buffer, 2)) {
400
if(sscanf(buffer + 5, "0x%x", &val) == 1) {
401
engine->dconf->mail = val;
408
if(!strncmp(buffer, "OTHER:", 6) && chkflevel(buffer, 2)) {
409
if(sscanf(buffer + 6, "0x%x", &val) == 1) {
410
engine->dconf->other = val;
417
if(!strncmp(buffer, "PHISHING:", 9) && chkflevel(buffer, 2)) {
418
if(sscanf(buffer + 9, "0x%x", &val) == 1) {
419
engine->dconf->phishing = val;
426
if(!strncmp(buffer, "BYTECODE:", 9) && chkflevel(buffer, 2)) {
427
if(sscanf(buffer + 9, "0x%x", &val) == 1) {
428
engine->dconf->bytecode = val;
435
if(!strncmp(buffer, "STATS:", 6) && chkflevel(buffer, 2)) {
436
if(sscanf(buffer + 6, "0x%x", &val) == 1) {
437
engine->dconf->stats = val;
413
cli_errmsg("Problem parsing configuration file at line %u\n", line);
446
cli_errmsg("Problem parsing configuration file at line %u\n", line);
417
450
return CL_SUCCESS;