From: Carsten Rosenberg
Date: Sun, 20 Jan 2019 12:40:47 +0000 (+0100)
Subject: [Minor] lua_scanners - oletools default config, detection
X-Git-Tag: 1.9.0~288^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=955142d02b401491e2797f98e18d3a347cfd3763;p=thirdparty%2Frspamd.git

[Minor] lua_scanners - oletools default config, detection
---
diff --git a/lualib/lua_scanners/oletools.lua b/lualib/lua_scanners/oletools.lua
index 7ecea5dbcc..f0fdd82b45 100644
--- a/lualib/lua_scanners/oletools.lua
+++ b/lualib/lua_scanners/oletools.lua
@@ -167,9 +167,10 @@ local function oletools_check(task, content, digest, rule)
 m_autoexec = 'A'
 table.insert(analysis_keyword_table, a.keyword)
 elseif a.type == 'Suspicious' then
- m_suspicious = 'S'
+ if rule.extended == true then m_suspicious = 'S' end
 if a.keyword ~= 'Base64 Strings' and a.keyword ~= 'Hex Strings' then
+ m_suspicious = 'S'
 table.insert(analysis_keyword_table, a.keyword)
 end
 elseif a.type == 'IOCs' then
@@ -251,11 +252,12 @@ local function oletools_config(opts)
 scan_mime_parts = false,
 scan_text_mime = false,
 scan_image_mime = false,
- default_port = 5954,
+ default_port = 10050,
 timeout = 15.0,
 log_clean = false,
 retransmits = 2,
 cache_expire = 86400, -- expire redis in 1d
+ symbol = "OLETOOLS",
 message = '${SCANNER}: Oletools threat message found: "${VIRUS}"',
 detection_category = "office macro",
 default_score = 1,
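Review bot: In the `Suspicious` branch of the first hunk the new code assigns `m_suspicious = 'S'` in two places (unconditionally under `rule.extended == true`, then again inside the keyword filter), and nothing records that the net effect is "Base64 Strings / Hex Strings alone set the S flag only in extended mode", so the second assignment reads like a leftover. I would add a comment above the first line, `-- Base64/Hex Strings alone mark the part suspicious only in extended mode; presumably to limit false positives (TODO confirm)`, and write the test as `if rule.extended then m_suspicious = 'S' end`, since a strict `== true` silently disables the branch if the option ever arrives as any other truthy value (I cannot see from the hunk how `rule.extended` is parsed). The hunk header claims 9/10 lines but only 8/9 are visible, so one context line appears to have been lost in rendering; the enclosing `oletools_check` function starts and ends outside the hunk.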
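Review bot: The change of `default_port` from 5954 to 10050 in the second hunk is explained neither by the commit message nor by a comment, so a reader cannot tell which backend service the scanner now expects on that port by default; a trailing comment naming that service, in the style of the existing `-- expire redis in 1d`, would make the default self-describing. The new `symbol = "OLETOOLS"` default is fine, though double quotes sit next to the single-quoted `message` line; the table already mixes both styles, so this is only a consistency nit. The `oletools_config` defaults table starts and continues outside the hunk.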