On Tue, 10 Aug 2004, Bart Silverstrim wrote:

> Maybe like a modified GPG-signed listserv system only on its own "clam
> update daemon" port...take a little more configuration since the people
> installing clam would have to subscribe and install a GPG key or
> something like that in the process, but that shouldn't be something
> back-breaking to figure out.
OK, this is turning into a scary beast. But we already have several mailing lists (clamav-users, for example) which can obviously handle a bit of a load. Might be interesting to concoct a specially-formatted message that the milter (or clamd itself) could recognize as a database update, and automatically append to its list of signatures. I'd imagine a format something like:

---gpg-cleartext-signed-message---
BEGIN clamd update 24.449
Worm.bagle.zz AAAABBBBCCCDDDDEEFEFKL..........
Worm.SkyNet.zz 111112222333344455666677........
...
END
---gpg-signature---
JDSLJGIREJIOJDGLSJLGHSLKJGLKSDJLKGJSLKJGIEJ*Y*G($Y*HHIO4k245j2jk
kdjaflkjkh325hjk35h2jkhkjhjkfdhjh42jkh345jk2h35jk2hkjhjkfhjskh32
fhjkhafdjhajk53h2jk5h3j2kh35jkhfay983489527938572035230398udfsfs
---end-signature---

When scanning stuff like this, clamd could automagically decode the gpg signature and test that it is valid. If so, it looks at the sequence number (24.449 in this case). If that's the next one in the series, it appends the rules to its database. If not, it assumes it lost a message somewhere and contacts a mirror via HTTP to get main 24 and daily 449.

Doing something like this would push a lot of the distribution load onto sourceforge (which seems to get messages out to this list in about 1/2 hour). The gpg-signature prevents spoofing. And the sequence numbers keep everyone current.

The major problems I see are getting clamd to recognize a message targeted for it, and the obvious problems of DoS attacks (someone sending spoofed messages that would suck CPU time decoding the gpg signature).

Anyway, just another wild-n-crazy idea to throw out there. I'm guessing we're better off with the current method for now, but this might be an interesting possibility for the future.

[I haven't given up on DNS updates yet, but it's hard to come up with a clean way to distribute >256 bytes of data that way, which means even single rules don't always fit.]
Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
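The receiver side of the scheme sketched in the post, as an added example that is not part of the original message or of ClamAV: a toy Python clamd-side handler that parses the proposed message layout, checks the sequence number, verifies the signature, and either appends the rules or reports the main/daily versions to fetch from a mirror when a message was missed. Assumptions, since the post fixes none of them: the GPG clearsign block is replaced by an HMAC-SHA256 tag over the body so the example runs offline (a real deployment would verify a detached gpg signature against the project's public key instead); "next in the series" is taken to mean the same main version with daily incremented by one, and any other newer version counts as a gap; the names ClamdState, build_update, parse_update and DEMO_KEY are hypothetical. The sample rule lines are constructed.

```python
"""Toy receiver for the signed-mail update format proposed in the post.

Added example, not ClamAV code. The GPG signature is stood in for by an
HMAC-SHA256 tag over the body (assumption) so this runs offline; replacing
sign_body()/the compare with real gpg verification leaves the rest unchanged.
"""
import hashlib
import hmac
import re

# Assumption: a shared demo key stands in for the signing key clamd would trust.
DEMO_KEY = b"demo-key-not-for-production"

HEADER = "---gpg-cleartext-signed-message---"
SIG_HEADER = "---gpg-signature---"
FOOTER = "---end-signature---"

# Body layout from the post: BEGIN line with "main.daily", one "<name> <hex>" per line, END.
BODY_RE = re.compile(
    r"\ABEGIN clamd update (?P<main>\d+)\.(?P<daily>\d+)\n(?P<rules>(?:[^\n]+\n)*?)END\n\Z"
)
RULE_RE = re.compile(r"\A(?P<name>[A-Za-z0-9._-]+) (?P<sig>[0-9A-Fa-f]+)\Z")


def sign_body(body: str) -> str:
    """Stand-in for the GPG signature: HMAC-SHA256 over the exact body bytes."""
    return hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).hexdigest()


def build_update(main: int, daily: int, rules: dict) -> str:
    """Publisher side: emit one message in the posted layout."""
    lines = [f"BEGIN clamd update {main}.{daily}"]
    lines += [f"{name} {sig}" for name, sig in rules.items()]
    lines.append("END")
    body = "\n".join(lines) + "\n"
    return f"{HEADER}\n{body}{SIG_HEADER}\n{sign_body(body)}\n{FOOTER}\n"


def parse_update(text: str):
    """Purely syntactic parse, no cryptography: safe to run on every scanned message.
    Returns (main, daily, rules, body, sig) or None if this is not an update."""
    if not text.startswith(HEADER + "\n"):
        return None
    body, sep, tail = text[len(HEADER) + 1:].partition(SIG_HEADER + "\n")
    if not sep:
        return None
    sig, sep, _ = tail.partition("\n" + FOOTER)
    if not sep:
        return None
    m = BODY_RE.match(body)
    if not m:
        return None
    rules = {}
    for line in m.group("rules").splitlines():
        r = RULE_RE.match(line)
        if not r:
            return None
        rules[r.group("name")] = r.group("sig").upper()
    return int(m.group("main")), int(m.group("daily")), rules, body, sig.strip()


class ClamdState:
    """Receiver side: current database version plus the rules it holds."""

    def __init__(self, main: int, daily: int, rules: dict = None):
        self.main, self.daily = main, daily
        self.rules = dict(rules or {})

    def handle(self, text: str):
        """Outcomes:
          ("ignored", why)           not an update, or not newer than what we hold
          ("rejected", why)          claims to be newer but the signature fails
          ("applied", (main, daily)) exactly the next daily; rules appended
          ("resync", (main, daily))  a gap; fetch these main/daily files from a mirror
        The version comparison runs before the signature check, so replays and
        stale copies cost no crypto, and the signature is checked before any
        mirror contact, so a forged message cannot trigger HTTP fetches."""
        parsed = parse_update(text)
        if parsed is None:
            return ("ignored", "not a clamd update message")
        main, daily, rules, body, sig = parsed
        if (main, daily) <= (self.main, self.daily):
            return ("ignored", f"already at {self.main}.{self.daily}")
        if not hmac.compare_digest(sign_body(body).encode(), sig.encode()):
            return ("rejected", "bad signature")
        if (main, daily) == (self.main, self.daily + 1):
            self.rules.update(rules)
            self.daily = daily
            return ("applied", (main, daily))
        return ("resync", (main, daily))
```

Ordering the checks this way addresses the two problems the post raises: a message that does not parse, or that is not newer than the local database, is dropped before any signature work, and the signature is verified before the receiver decides to contact a mirror, so spoofed mail cannot be used to make every subscriber hammer the mirrors. What remains is exactly the residual cost the post points at: one signature verification per forged message that claims a newer version. A new main version (say 25.0) lands in the "resync" branch here, which is the safe default since the post only defines the rule for consecutive dailies.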