On Friday 07 August 2015 09:48:37 Bowie Bailey wrote:
> On 8/7/2015 9:20 AM, Gene Heskett wrote:
> > On Friday 07 August 2015 04:46:31 Steve Basford wrote:
> >> Just in case it's useful...
> >>
> >> ---------------------------- Original Message ----------------------------
> >> Subject: [sanesecurity] Hacking Team detection
> >> From: "Steve Basford" <steveb_cla...@sanesecurity.com>
> >> Date: Fri, August 7, 2015 9:43 am
> >> To: sanesecurity_annou...@freelists.org
> >> Cc: sanesecur...@freelists.org
> >> --------------------------------------------------------------------------
> >>
> >> Rook Security (www.rooksecurity.com) have analysed the recent
> >> Hacking Team data dump (400GB) and produced a utility to scan
> >> systems for these files.
> >>
> >> Sanesecurity have converted their analysis into 435 hashes into
> >> ClamAV database format.
> >>
> >> With Rook Security’s permission, I’ve placed a new database:
> >>
> >> hackingteam.hsb
> >>
> >> on the mirrors for distribution.
> >>
> >> Note the hashes are for Windows, Linux and Mac OSx systems.
> >
> > Steve:
> > Thank you, but for those of us who haven't played with our
> > configuration for quite a while as it's been Just Working(TM) for a
> > year or more, a pointer to a URL showing how to incorporate this
> > into the working configs we have would be appropriate.
>
> If you are already using some of Sanesecurity's signatures, take a
> look at the update scripts you are currently using and add
> hackingteam.hsb to the list of databases.
>
> If not, take a look here for some scripts you can use to get the
> databases: http://sanesecurity.com/usage/linux-scripts/
>
> hackingteam.hsb is probably not in the config for those scripts yet,
> so you'll have to add it.
I have not been able to find a list of subfiles, just a couple of mirror links in my freshclam.conf. So I have a tail on the freshclam.log, and I have changed the AllowSupplementaryGroups from false to true in my freshclam.conf. And then changed it back to false after reading the man page. We'll see what it logs when it next runs.

Since I am a freeloader and extreme senior citizen on SS for income, I slowed my freshclam down to 12x a day, so it will be nearly 2 hours before I see that result. I have even considered lowering that to 4x a day just to save the mirrors bandwidth. And just did.

I added it to /etc/clamav/freshclam.conf as:

ExtraDatabase hackingteam.hsb

after consulting the man page; it wasn't mentioned in the default freshclam.conf at all, but on a restart of /etc/init.d/clamav-freshclam, neither the plain name nor the .hsb version is found, as something is adding an additional .cvd to the name in the fetch command. It logged this:

Fri Aug 7 12:19:35 2015 -> freshclam daemon 0.98.7 (OS: linux-gnu, ARCH: i386, CPU: i486)
Fri Aug 7 12:19:35 2015 -> ClamAV update process started at Fri Aug 7 12:19:35 2015
Fri Aug 7 12:19:35 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug 7 12:19:35 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug 7 12:19:35 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug 7 12:19:35 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 194.8.197.22)
Fri Aug 7 12:19:35 2015 -> WARNING: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug 7 12:19:36 2015 -> Trying again in 5 secs...
Fri Aug 7 12:19:41 2015 -> ClamAV update process started at Fri Aug 7 12:19:41 2015
Fri Aug 7 12:19:41 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug 7 12:19:41 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug 7 12:19:41 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug 7 12:19:41 2015 -> Trying host db.us.clamav.net (128.199.133.36)...
Fri Aug 7 12:19:41 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 128.199.133.36)
Fri Aug 7 12:19:41 2015 -> WARNING: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug 7 12:19:41 2015 -> Trying again in 5 secs...
Fri Aug 7 12:19:46 2015 -> ClamAV update process started at Fri Aug 7 12:19:46 2015
Fri Aug 7 12:19:46 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug 7 12:19:46 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug 7 12:19:46 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug 7 12:19:47 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 69.163.100.14)
Fri Aug 7 12:19:47 2015 -> WARNING: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug 7 12:19:47 2015 -> Trying again in 5 secs...
Fri Aug 7 12:19:52 2015 -> ClamAV update process started at Fri Aug 7 12:19:52 2015
Fri Aug 7 12:19:52 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug 7 12:19:52 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug 7 12:19:52 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug 7 12:19:52 2015 -> Trying host db.us.clamav.net (69.12.162.28)...
Fri Aug 7 12:19:52 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 69.12.162.28)
Fri Aug 7 12:19:52 2015 -> WARNING: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug 7 12:19:52 2015 -> Trying again in 5 secs...
Fri Aug 7 12:19:57 2015 -> ClamAV update process started at Fri Aug 7 12:19:57 2015
Fri Aug 7 12:19:57 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug 7 12:19:57 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug 7 12:19:57 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug 7 12:19:57 2015 -> Trying host db.us.clamav.net (198.148.78.4)...
Fri Aug 7 12:19:57 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 198.148.78.4)
Fri Aug 7 12:19:57 2015 -> ERROR: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug 7 12:19:58 2015 -> Giving up on db.us.clamav.net...
Fri Aug 7 12:19:58 2015 -> ClamAV update process started at Fri Aug 7 12:19:58 2015
Fri Aug 7 12:19:58 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug 7 12:19:58 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug 7 12:19:58 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug 7 12:19:58 2015 -> ERROR: Can't download hackingteam.hsb.cvd from database.clamav.net
Fri Aug 7 12:19:58 2015 -> Giving up on database.clamav.net...
Fri Aug 7 12:19:58 2015 -> Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
Fri Aug 7 12:19:58 2015 -> --------------------------------------

It may be that it has not made it to the U.S. mirrors yet. Or that I have no clue what I am doing. Please correct me in that event. Thank you all.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
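The log above shows why ExtraDatabase does not help here: freshclam takes the name, appends .cvd and asks the official ClamAV mirrors for it, whereas hackingteam.hsb is a Sanesecurity-distributed file that the separate update scripts Bowie links to are meant to fetch into the signature directory. To make the file's contents concrete, the following added example (not code from this thread, from ClamAV or from Sanesecurity) parses a database in the .hsb hash-signature layout and matches in-memory files against it the way a hash signature is evaluated: digest and file size must both agree. It assumes the line layout HASH:FILESIZE:MALWARENAME[:MINFLEVEL] with a hex SHA1 or SHA256 digest and either an integer size or '*' for any size; the sample file and the three signatures are constructed for the demonstration and are not real Hacking Team indicators.

```python
"""Parse a ClamAV-style .hsb hash-signature database and match data against it.

Added example; not code from the mailing-list thread, ClamAV or Sanesecurity.
Assumed .hsb line layout: HASH:FILESIZE:MALWARENAME[:MINFLEVEL], HASH being hex
SHA1 (40 chars) or SHA256 (64 chars), FILESIZE an integer or '*' (any size).
All sample data below is constructed; none of it is a real indicator.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hex digest length -> hashlib algorithm (assumption: .hsb carries SHA1/SHA256 only).
HASH_ALGOS = {40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-f]+")


@dataclass(frozen=True)
class HashSig:
    algo: str
    digest: str
    size: Optional[int]        # None stands for '*' (match regardless of size)
    name: str
    min_flevel: Optional[int]  # optional 4th field: minimum functionality level


def parse_hsb(text: str) -> List[HashSig]:
    """Parse .hsb text, raising ValueError on the first malformed line so a
    broken third-party database fails loudly instead of silently matching nothing."""
    sigs: List[HashSig] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 ':'-separated fields")
        digest = fields[0].lower()
        algo = HASH_ALGOS.get(len(digest))
        if algo is None or not HEX_RE.fullmatch(digest):
            raise ValueError(f"line {lineno}: hash is not a SHA1/SHA256 hex digest")
        size = None if fields[1] == "*" else int(fields[1])
        if not fields[2]:
            raise ValueError(f"line {lineno}: empty malware name")
        min_flevel = int(fields[3]) if len(fields) == 4 else None
        sigs.append(HashSig(algo, digest, size, fields[2], min_flevel))
    return sigs


def validate_hsb(text: str) -> Optional[str]:
    """Return None when the database parses cleanly, else the parse error text."""
    try:
        parse_hsb(text)
        return None
    except ValueError as exc:
        return str(exc)


def build_index(sigs: List[HashSig]) -> Dict[str, Dict[str, List[HashSig]]]:
    """Group signatures as {algo: {digest: [sigs]}} so each file is hashed once
    per algorithm and looked up in a dictionary."""
    index: Dict[str, Dict[str, List[HashSig]]] = {}
    for sig in sigs:
        index.setdefault(sig.algo, {}).setdefault(sig.digest, []).append(sig)
    return index


def match_bytes(data: bytes, index: Dict[str, Dict[str, List[HashSig]]]) -> Optional[str]:
    """Return the name of the first signature whose digest AND size match, else None.
    The size check is what skips a colliding entry with the wrong length."""
    for algo, table in index.items():
        digest = hashlib.new(algo, data).hexdigest()
        for sig in table.get(digest, ()):
            if sig.size is None or sig.size == len(data):
                return sig.name
    return None


# --- constructed sample data (not real indicators) --------------------------
SAMPLE_FILE = b"MZ constructed sample binary, not a real Hacking Team artefact\n"
OTHER_FILE = b"other"
SAMPLE_HSB = (
    "# constructed .hsb database for the demonstration\n"
    # same digest as the real entry below but a wrong size: must be skipped
    f"{hashlib.sha256(SAMPLE_FILE).hexdigest()}:999:Example.Constructed.WrongSize-0\n"
    f"{hashlib.sha256(SAMPLE_FILE).hexdigest()}:{len(SAMPLE_FILE)}:Example.Constructed.Sample-1\n"
    f"{hashlib.sha1(OTHER_FILE).hexdigest()}:*:Example.Constructed.AnySize-2:73\n"
)


def demo() -> Dict[str, Optional[str]]:
    """Scan three in-memory 'files' against the constructed database."""
    index = build_index(parse_hsb(SAMPLE_HSB))
    return {
        "sample": match_bytes(SAMPLE_FILE, index),
        "other": match_bytes(OTHER_FILE, index),
        "clean": match_bytes(b"nothing to see here", index),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict or 'clean'}")
```

Running the script reports the sample as Example.Constructed.Sample-1 (the wrong-size entry with the identical digest is skipped), the five-byte "other" file as the any-size entry, and the third input as clean. In a real deployment the fetched .hsb is placed in the directory named by DatabaseDirectory so clamd and clamscan load it alongside main.cvd and daily.cld; validating the file first, as validate_hsb does, is a cheap guard against a truncated or corrupted download being loaded as a signature set.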