AtomiBlog


[asl-2.0-testing] Clamav 0.96
Written by Scott Shinn
Tuesday, 16 March 2010 11:09

Our internal naming convention will show this package as clamav-0.96-0.1. The "rc1" tag is dropped from the version field to make upgrades to later versions seamless. (Wow... really long changelog!)

Changelog:
* win32/platform.h: make sleep() wait seconds rather than ms (bb#1866)
* clamd/scanner.c: fix logg output, patch from Mark Pizzolato
* libclamav: don't cache clean results due to EMAX - final fix for bb#1856
* libclamav: fix scanning of utf16 data (bb#1853)
* libclamav/matcher-bm.c: properly handle scan boundaries in offset mode (bb#1840)
* libclamav: fix cl_cvdparse() leak (bb#1859)
* libclamav/matcher-bm.c: fix array check (bb#1840)
* libclamav/scanners.c: set container type in cli_scanraw() (bb#1842)
* libclamav/matcher-bm.c: only sort correct offsets (bb#1840)
* docs: update signatures.pdf
* libclamav/cvd.c: enable new dsig check for main db
* freshclam/manager.c: handle empty cdiffs more gently
* libclamav: refactor checkfp logic
* libclamav: refactor binhex processor with one pass decoder (bb#1236)
* libclamav: add cl_countsigs() (bb#1473)
* clamav-milter: allow SkipAuthenticated to read names from a file (bb#1684)
* libclamav/scanners.c: fix gzip handler
* libclamav: prefix all engine detections with "Heuristics." (bb#1808) (also change Phishing.Heuristics.* -> Heuristics.Phishing.*)
* libclamav: drop support for type 8 signatures. disasm matching is now done via bytecode
* freshclam, sigtool: use zlib's Z_FILTERED strategy. Thanks to Edwin
* clamd/server-th.c: reset the selfcheck timeout even if we reload by other means (bb#1812)
* clamd: new options LocalSocketMode and LocalSocketGroup
* clamav-milter: new options MilterSocketMode and MilterSocketGroup (bb#1789)
* clamscan: properly report errors from libclamav; simplify error codes
* clamdscan: fix error logic once again
* win32: workaround HUP reset in poll, set stdin to binary mode
* freshclam: new option Bytecode
* sigtool: add support for bytecode.cvd
* win32: clamdscan added
* win32: clamd (sort of) works
* libclamav: provide information about lsig matches to bytecode (bb#1799)
* libclamav: provide offset in cli_ac_result (bb#1799)
* win32: automatically check and regenerate vcprojs, drop support and tblgen from llvm as these are now prebuilt and shipped
* libclamav: handle digitally signed .info files
* libclamav: fix shifts >= width (bb#1778)
* sigtool: create digitally signed .info files
* libclamav/pe.c: fix handling of 15h byte skew in upx-lzma (bb#1591)
* libclamav: check .info files while loading CVD/CLD
* clamdscan/proto.c: don't stop scanning if a file is not found (bb#1760)
* clamscan/manager.c: use unsigned fsize (bb#1788)
* libclamav: cache negative matches
* libclamav: cdb: drop FileType; cover ARJ, CAB, TAR, CPIO and 7Z
* libclamav/readdb.c: fix compatibility issue with .zmd sigs (bb#1793)
* libclamav: allow lsigs to be anchored to specific containers (bb#1293), eg. Container:CL_TYPE_ZIP
* libclamav/readdb.c: when some lsig's attribute is unknown ignore the entire signature and not the attribute itself
* libclamav: handle zmd/rmd with cdb (bb#1579)
* libclamav: base code for unified container metadata matcher (bb#1579)
* libclamav/readdb.c: force VI anchored sigs into AC
* libclamav: merge PE VersionInformation matcher
* libclamav: fix error reporting for BinHex files (bb#1685)
* libclamav: add support for FileSize, EntryPoint and NumberOfSections in lsig's tdb
* sigtool/sigtool.c: handle lsigs created by the bytecode compiler
* sigtool/sigtool.c: properly handle anchored sigs (bb#1780)
* libclamav/fmap.h: fix build on FreeBSD and Mac OS X (bb #1776). Thanks to Renato Botelho.
* libclamav/unzip.c: do not mark embedded zipfiles as encrypted.zip (bb#1768)
* clamd/server-th.c: remove c++ comment (bb#1751)
* libclamav/c++, win32: win32 compile system for llvm refactored
* libclamav: integrate ldb sigs with icon matcher
* sigtool: fix some messages (bb#1777)
* man/freshclam.conf.5: describe SafeBrowsing (bb#1772)
* man/clamd.8: add info about signals
* libclamav: merge icon extraction and matching branch(exeicons)
* freshclam/manager.c: improve handling of problematic mirrors (bb#1758)
* libclamav/qsort.c: fix CMP1 macro (bb#1769)
* libclamav/readdb.c: make sure static sigs with floating chars go into AC
* libclamav/scanners.c: print inflateinit2 return code
* clamd/server-th.c: enable more than 256 FD support on Solaris (bb #1764).
* sigtool/sigtool.c: handle .ign2 files (bb#1625)
* libclamav/qsort.c: don't call med3 when using internal cmp
* libclamav: add qsort to the win32 build
* libclamav: replace qsort implementation and optimize its common usage (bb#1721, bb#1743)
* freshclam/notify.c: fix clamd notification in TCP mode (bb#1756)
* doc/man/clamav-milter.8.in: fix typo reported by Thomas Harold <thomas * betasearch.com>
* libclamav/tnef.c: don't use fgetc (bb#1695)
* freshclam: add support for DetectionStatsHostID (bb#1503)
* libclamav, freshclam: fix handling of dbs when both daily.cvd and daily.cld are present in the db directory and ScriptedUpdates are turned off (bb#1739)
* libclamav/readdb.c: return error if lsig contains redundant subsigs
* win32: improve build system
* win32: add resources
* win32: fix warnings
* configure, m4/acinclude.m4: Avoid trailing slash in libdir for old gcc (#1738).
* win32/3rdparty/pthreads: upgrade to CVS HEAD
* win32: don't use . or .. in UNC names
* clamd/thrmgr.c: use a double instead of integer to avoid negative time (bb #1731).
* libclamav/filetypes_int.h: sync with daily.ftm
* clamdscan: improve error handling (bb#1729)
* clamdscan, libclamav, clamdtop, freshclam, sigtool: fix some error path leaks (bb#1730)
* libclamav/scanners.c: drop hardcoded offset limits for embedded objs (bb#1664)
* libclamav/others.c: call srand() already in cli_init() (bb#1728)
* clamdscan/proto.c: handle recv() == 0 (bb#1717)
* libclamav/mpool.c: increase max pool to 8M to allow loading huge custom dbs
* clamd/scanner.c, libclamav/others_common.c: fix error path leak (bb #1711)
* libclamav/unarj: fix error path leaks and valgrind warnings
* win32: introduce safe_open() (sic!)
* shared, win32: make hardcoded paths relocable in win32 builds
* win32: add clamconf
* win32: glob() complete
* win32: glob() before main (WIP)
* win32: stat added, dirent updated
* clamdscan: fix some output msgs (bb#1716)
* win32: res_query compatible interface
* win32: add freshclam
* win32: remove stale netcode
* win32: preliminary winsock support files
* win32: unrar support
* win32: clamscan builds (and will scan soon...)
* win32/compat: add POSIX compatible snprintf
* win32: libclamav compiles
* /win32: VC project file and 3rd party stuff
* libclamav: completed merge of fmap4all
* libclamav/matcher-bm.c: don't use mpool (bb#1710, #1715)
* shared/misc.h: #include <sys/types.h>
* libclamav: check file sizes for MD5 sigs in all cases. Reported by Edwin
* libclamav: unify fp checking; output fp signatures in debug mode
* libclamav/scanners.c: fix whitelisting of scripts (bb#1706)
* configure, m4/acinclude.m4: Avoid trailing slash in libdir for old gcc (#1738).
* configure{.in,}: Only use -fno-strict-aliasing for gcc-4.3+ to avoid bugs with older compilers (bb #1581)
* libclamav/matcher-bm.c: fix cli_bm_freeoff() (bb#1710)
* clamdscan/clamdscan.c: properly init variable (bb#1708)
* clamd, shared: merge a set of win32 patches from Gianluigi Tiesi <sherpya*netfarm.it>
* libclamav/matcher-ac.c: fix matching of logical sigs (bb#1707). Reported by Thiyaga <mthiyaga*corp.untd.com>
* libclamav/readdb.c: fix handling of broken .ldb sigs (bb#1701). Thanks Luca&Edwin
* libclamav: new signature blacklisting format (bb#1625)
* libclamav: allow arbitrary names for .ign/.ign2 files (bb#1683)
* sigtool/vba.c: s/cli_errmsg/logg/
* shared/misc.h: in_addr_t is now already declared
* libclamav/special.c: do not include netinet/in.h on win32
All the patches from Gianluigi Tiesi <sherpya*netfarm.it>
* clamav-milter/clamav.milter.c: remove debug printf
* libclamav/matcher-ac.c: add support for line marker (L) (matches CR, CRLF and boundaries)
* libclamav/sis.c: size check fix, thanks Tomasz
* fix several problems introduced by the win32 commits, many thanks edwin and sherpya
* libclamav/others_common.c: Accept "/" as an absolute path
* merge a set of win32 patches from Gianluigi Tiesi <sherpya*netfarm.it>
* drop OS/2 "support"
* clamd, libclamav: drop INTERIX "support"
* win32 paths handling
* merge initial set of win32 patches from Gianluigi Tiesi <sherpya*netfarm.it>
* clamav-milter: Add option ReportHostname to mangle the host name in X headers
* libclamav/mpool.c: update frag sizes, small cleanup
* clamd: add support for DazukoFS (bb#1691). Patch from John Ogness <dazukocode*ogness.net>
* libclamav/matcher-bm.c: use mpool in BM's offset mode
* libclamav/matcher-ac.c: implement word delimiter (B) as requested in bb#1631
* freshclam: return 0 instead of 1 when database is up-to-date (bb#1312)
* clamd/server-th.c: fix possible race condition when restarting clamuko (bb#1692), patch from John Ogness
* libclamav/matcher-ac.c: initial limited support for word boundary (bb#1631)
* libclamav/matcher-ac.c: alternatives can now be negated: !(aa|bb|cc)
* libclamav/matcher-bm.c: fix uninitialized value warning
* libclamav/scanners.c: properly scan text files with a mail container
* freshclam/mirman.c: make backoff time proportional to FLEVEL (bb#1687)
* libclamav: use BM matcher in offset mode for PE files larger than 256kB (10% speedup on average; 30-40% for large executables)
* libclamav: in bm_offmode only load sigs with non-floating absolute and relative offsets into BM matcher (load other ones into AC) and use per-file computed offset table to pick up best shifts (not enabled by default, bb#1300)
* libclamav: unify CL_TYPE_MAIL scanning
* libclamav/matcher-ac.c: improve handling of signature offsets
* libclamav: improve handling of PDF files (bb#1682)
* libclamav: handle relative offsets with cli_ac_data; fix offset logic
* libclamav/ishield.c: properly free() header
* build system: upgrade to autoconf 2.64 and automake 1.11 (bb#1528)
* libclamav/matcher-bm.c: micro-optimization
* libclamav/cpio.c: wrap unistd.h, reported by Nigel Horne
* libclamav/7z: convert EOL to unix for compat with suncc
* libclamav: improve handling of signature offsets
* libclamav/7z/Types.h: workaround "Byte" clash in lzma/7z (bb#805 - regression)
* libclamav/7z*: cosmetic fixes
* contrib/test: sync test files
* libclamav: add preliminary 7z support
* clamd, clamscan, libclamav: drop support for MailFollowURLs (bb#1677)
* clamd/clamd.c: ignore SIGHUP and SIGUSR2 during initial setup (bb#1671)
* configure, libclamav: fix compile issues on IRIX (bb#1532)
* libclamav/macho.c: wrap unistd.h, reported by Nigel Horne
* libclamav/readdb.c: make the parser more sensitive to errors in numerical fields
* freshclam, libclamav: work around possible race condition during db updates (bb#1624)
* freshclam/manager.c: fix confusing error message (bb#1648)
* libclamav/unzip.c: fix detection of encrypted zip files embedded into other files (bb#1660)
* libclamav/bytecode_vm.c: fix SIGBUS on sparc.
* libclamav, clamd: handle file exclusion in cli_ftw() (bb#1656)
* unit_tests/check_regex.c: fix unit-test failure on Solaris
* libclamav/pe.c: fix check for pe32+
* clamscan, clamd, libclamav: load cvd files on-the-fly (without unpacking them to /tmp) by default
* libclamav: improve loading speed of compressed databases (bb#1105)
* libclamav/macho.c: improve detection of Universal Binaries
* libclamav/macho.c: fix section alignment (bb#1667)
* shared/actions.c: wrap unistd - reported by njh
* libclamav/pe.c: check IS-cab scan result
* test/: add IS test files
* libclamav/regex_list.[ch]: improve safebrowsing.cvd load speed (20s -> 3s)
* libclamav/others.h, libclamav/ishield.c: fix typo, workaround crappy preprocessors (bb#1658)
* libclamav/cab.c: downgrade warning message (bb#1659)
* libclamav, build system: fix portability issues for fseeko, sysconf(_SC_PAGESIZE), getpagesize() (bb#1658)
* libclamav/pe.c, yc.c: Make yC able to handle more samples and variants.
* clamd: honour value of 0 in Max* options
* unit_tests/check_clamd.c: fix unit tests when run as root (bb #1635).
* libclamav/ishield.c: fix distcheck, patch from edwin
* clamd, clamav-milter: make pid files globally readable (bb#1642)
* libclamav/ishield.c: use mmap for big files, fix some leaks, some portability fixes
* libclamav/filetypes.c: fix off-by-one error (bb#1639)
* libclamav/mspack.c: fix valgrind warnings about use of uninitialized values (bb#1655)
* libclamav: add preliminary support for IS executables (IS-cab and IS-msi), part of bb#1571
* libclamav: add support for Universal Binaries (archives with Mach-O files for different architectures, bb#1592)
* docs/signatures.pdf: cover Mach-O files
* libclamav: handle Mach-O files with type-9 signatures; all special offsets are supported for PPC32/64 and x86 executables; for ARM and other archs only section based extensions (Sx[+-]n, SL[+-]n) are supported atm
* clambc/, libclamav/, unit_tests/: Initial draft of bytecode interpreter (bb #1243).
* libclamav/macho.c: handle LC_THREAD; calculate EP
* libclamav/filetypes_int.h: sync with daily.ftm
* libclamav: initial support for Mach-O executables (part of bb#1592)
* test: add cpio test files
* libclamav: add support for cpio archives (bb#1649)
* clamav-milter: use s/STREAM/INSTREAM/ (bb#1548)
* clamav-milter/netcode.c: Properly handle clamd disconnection (bb#1643)
* clamav-milter/whitelist.c: print failed whitelist filename
* libclamav/elf.[ch]: add support for 64-bit ELF files (bb#1593)


To Upgrade:
yum --enablerepo=asl-2.0-testing upgrade clamav

[asl-2.0-testing] ASL 2.2.5-0.3
Written by Scott Shinn
Friday, 12 March 2010 08:59

More updates relating to the new template code for psmon, ossec, and denyhosts. The biggest change here is that denyhosts is no longer in active response mode; OSSEC will be doing all the work. So in order to test this you will need to upgrade both ASL and OSSEC. The OSSEC update is also based off of the latest snapshot, so there are a lot of irons in the fire with this build. I'd be especially interested in any feedback on the denyhosts alerts you'll see in ASL Web.

Changelog:
- Added new templating engine to ossec_check
- Added new templating engine to psmon_check
- Added new config setting PSMON_NOTIFY, which allows you to disable email reporting from psmon
- Added new templating engine to denyhosts
- Deprecated active response in denyhosts, this is now handled by ossec
- Deprecated configuration setting DENYHOSTS_SHUN_TIME
- Deprecated the old psmon template system
- Bugfix #XXX, psmon_check will no longer always report "fixed" when operating in fix mode
- Bugfix #XXX, ossec_check now counts only valid whitelist entries for the excessive whitelist check
- Bugfix #305, Retire active response from denyhosts
- Bugfix #312, ASL Web now supports the custom layout upgrades when new interface features are added.

To upgrade:
yum --enablerepo=asl-2.0-testing upgrade asl asl-web ossec-hids

ASL 2.2.5-0.1 Test build
Written by Scott Shinn
Monday, 08 March 2010 16:32

The first cut of ASL 2.2.5 is out in [asl-2.0-testing]. Initially I had planned to make this build all about the new dazuko module for the 2.6.32.x series kernels, but as we all know change is part of the design process. Instead there was a more pressing need for a template based configuration engine for the core utilities. The first module (seen in 0.1) has this in place on the ossec_check module. For testing purposes both methods (find & replace, and templating) are still in place, which makes configuration changes completely redundant.

I assure you there is a method to this madness :P The idea was to see if we miss anything between the two on the automated QA systems; for everyone else this will just mean that the config file for ossec (/var/ossec/etc/ossec.conf) goes through changes twice. The second time completely rewrites everything made the first time.

New features in this build include the aforementioned template engine. The templates themselves are located in /var/asl/data/templates/template*, and you'll see two for OSSEC, server and client. These files are intended to be modified by the end user for custom configurations, which means that directly modifying /var/ossec/etc/ossec.conf will no longer be supported.

OSSEC rules will now match brute-force conditions against SMTP_AUTH, Courier IMAP and POP connections. The default policy is to respond if there are more than 10 failed connections in a 60-second period from the same IP. I suspect that this may need some additional vetting for those environments where multiple users come from the same IP. This is something we'll need some community feedback on to fine tune the rule class.
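The threshold policy just described, as an added example that is not ASL's or OSSEC's own code: a sliding-window detector run over constructed Courier IMAP and Postfix SASL failure lines, with an exempt list for shared source addresses (the multiple-users-behind-one-IP case). The log formats, addresses and helper names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 10        # failures tolerated per window before alerting
WINDOW_SECONDS = 60

# Assumed log formats (illustration only): Courier "LOGIN FAILED ... ip=[::ffff:a.b.c.d]"
# and Postfix "unknown[a.b.c.d]: SASL LOGIN authentication failed".
FAIL_PATTERNS = [
    re.compile(r"(?:imapd|pop3d).*LOGIN FAILED.*ip=\[(?:::ffff:)?([\d.]+)\]"),
    re.compile(r"postfix/smtpd.*\[([\d.]+)\]: SASL \w+ authentication failed"),
]

def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    for pattern in FAIL_PATTERNS:
        m = pattern.search(line)
        if m:
            try:  # syslog prefix "Mar 12 08:59:00" has no year; relative gaps suffice
                return datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group(1)
            except ValueError:
                return None
    return None

def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS, exempt=frozenset()):
    """Return alerts as (ip, window_start, failure_count), one per burst.

    exempt: shared gateways (NAT, webmail hosts) whose many users would
    otherwise trip the rule together, the caveat raised in the post.
    """
    recent = defaultdict(deque)     # per-IP timestamps inside the current window
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in exempt:
            continue
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:  # expire failures outside the window
            hits.popleft()
        if len(hits) > threshold:
            alerts.append((ip, hits[0], len(hits)))
            hits.clear()  # report a burst once; later failures start a new count
    return alerts

def _courier(sec, ip, user):
    return f"Mar 12 08:59:{sec:02d} mail imapd: LOGIN FAILED, user={user}, ip=[::ffff:{ip}]"

# Constructed sample: 12 failures in 33 s from one host (alerts), a slow
# trickle from another (5 failures over 8 min, no alert), and one success.
SAMPLE_LOG = [_courier(s, "192.0.2.10", "bob") for s in range(0, 36, 3)]
SAMPLE_LOG += [f"Mar 12 09:{m:02d}:00 mail postfix/smtpd[2201]: warning: "
               f"unknown[198.51.100.7]: SASL LOGIN authentication failed: failure"
               for m in range(0, 10, 2)]
SAMPLE_LOG.append("Mar 12 09:10:00 mail imapd: LOGIN, user=alice, ip=[::ffff:203.0.113.5]")

if __name__ == "__main__":
    for ip, start, count in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {count} failed logins since {start:%H:%M:%S}")
```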

The only other change is an update to ASL Web from Jim's team to handle custom user layouts. 2.2.4 was not compatible with the custom layouts from 2.2.3 and below; this update sets ASL to just ignore a setting if it doesn't jive with the new engine. Otherwise nothing new there, although I'm hoping they can finish up a reporting module in time for 2.2.5. We'll see!

psa-proftpd 1.3.3
Written by Scott Shinn
Wednesday, 03 March 2010 15:53

The first cut of psa-proftpd 1.3.3 is now up. In addition to the standard version update, this package has changed around a bit structurally. Internally it looks like the SFTP code has changed enough to either break it completely or require some changes on our side to get it working again. This just goes to show that newer does not always equal better :P To upgrade:

yum --enablerepo=asl-2.0-testing upgrade psa-proftpd

The good news is that apparently some longstanding SSL/TLS integration issues with the openssl that ships with EL4 and EL5 environments have been resolved. This additionally fixed an SSL-related vulnerability in psa-proftpd that was *not* exploitable in a Plesk environment. Regardless, it would show up in a vulnerability scan, and without deeper knowledge of the target system an assessor would report it as an issue (when it is in fact *NOT* vulnerable).

The other long outstanding issue is that the way this package is constructed makes it incompatible with the plesk FTP session tracking interface. This issue is still present, so there is no need to report this in the bug tracker.

2.2.4, the release schedule, and more
Written by Scott Shinn
Monday, 01 March 2010 11:32

The long overdue 2.2.4 release is out with a number of ASL Web updates by popular demand. Previous versions did not give you the ability to pause the Event viewer; in 2.2.4 you will now see a pause button "||" in the top right of the window title bar..... aaaaand if you're using Firefox the timer will honor the much venerated "<blink>" tag. For those of you using IE, I have bad news for you: not only will you not see this fabulous blinking motion in action, you'll also be warned of your vulnerable browser if you're running IE 6. In other news, Update buttons are now in place on the Signatures and Vulnerability windows, allowing you to update or fix the system directly from the GUI.

Our release schedule policy has changed: public releases for ASL will only be released on Mondays, Tuesdays, and Wednesdays. Test builds from [asl-2.0-testing] are unaffected by this policy; it only applies to general availability releases.

The next release 2.2.5 will be focused on expanding the clamav module to handle integration with other support components, this includes the existing qmail-scanner package and the brand new kernel clamav module called dazuko. You will note that dazuko is available with the latest 2.6.32.8 kernel now. This allows us to expand clamav support to real detection of malware as it is written to the file system. It could potentially replace both the FTP and Web upload scanners, as well as cutting out the need for retroactive file system scanning. All in all a big performance increase over what has been done in the past.

[asl-2.0-testing] Kernel 2.6.32.8
Written by Scott Shinn
Thursday, 18 February 2010 09:48

Let it be known that this is our inaugural Atomicorp Blog entry! We'll be migrating all our content over from both the ART and gotroot websites to Atomicorp in the coming months.

The latest ASL kernel version 2.6.32.8 is now available in the testing channel. This is the first release to include support for the dazuko clamav module from the ground up, which allows clamav to scan files as they are added to or changed on the file system. This is a drastic performance increase over scheduled scanning, and it adds a real-time prevention capability to the system.

Changelog:
* Dazuko support (kmod-dazuko)
* i586 kernel packages have been deprecated; there are now only kernel.x86_64 and kernel-PAE
* kernel updated to 2.6.32.8

To upgrade (x86_64):
yum --enablerepo=asl-2.0-testing upgrade kernel

To upgrade (i386):
yum --enablerepo=asl-2.0-testing upgrade kernel-PAE
