Hi,

On Tue, Sep 6, 2016 at 8:57 AM, Merijn van den Kroonenberg <mer...@web2all.nl> wrote:
> Hello List,
>
> I decided to publish a SA Plugin we use over here.
> The Plugin will check if attachments with a certain file extension are
> present in the mail. This can be either directly attached or inside a zip
> archive.
>
> It only supports zip and no other archive types (yet).
>
> It's useful to create scoring or combination rules on the presence of
> certain filetypes.
>
> Example rules:
>
> body __HAS_FILES eval:attachmentpresent_file_count()
> describe __HAS_FILES The e-mail has attached files (or inside archives)
>
> body HAS_JS_FILES eval:attachmentpresent_file_count('js')
> describe HAS_JS_FILES The e-mail has attached javascript files (or inside archives)
> score HAS_JS_FILES 2.5
>
> body HAS_DOCM_FILES eval:attachmentpresent_file_count('docm')
> describe HAS_DOCM_FILES The e-mail has attached docm files (or inside archives)
> score HAS_DOCM_FILES 2.0
>
> body HAS_HTA_FILES eval:attachmentpresent_file_count('hta')
> describe HAS_HTA_FILES The e-mail has attached hta files (or inside archives)
> score HAS_HTA_FILES 2.5
>
> body HAS_WSF_FILES eval:attachmentpresent_file_count('wsf')
> describe HAS_WSF_FILES The e-mail has attached wsf files (or inside archives)
> score HAS_WSF_FILES 2.5
>
> body HAS_VBS_FILES eval:attachmentpresent_file_count('vbs')
> describe HAS_VBS_FILES The e-mail has attached vbs files (or inside archives)
> score HAS_VBS_FILES 2.5

This looks very interesting. The scores you've specified seem to be quite high, however. I'd probably make them much lower.

Is there any ability to determine if a particular attachment has a Word macro enclosed in addition to just having a Word document?

Thanks,
Alex
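
The check the quoted announcement describes (counting attachment file extensions, both directly attached and inside zip archives), as an added example that is not part of this thread and not the plugin's own code. It is written in Python rather than as a SpamAssassin plugin; the function names, the entry cap and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_ZIP_ENTRIES = 1000  # assumed cap so a huge archive cannot stall the scan

def _ext(name):
    """Lower-cased extension without the dot, or '' if there is none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def attachment_extension_counts(raw_message):
    """Count extensions of attached files and of files inside zip attachments."""
    counts = Counter()
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        counts[_ext(filename)] += 1
        if _ext(filename) != "zip":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # Only the central directory is read; nothing is extracted.
                for info in zf.infolist()[:MAX_ZIP_ENTRIES]:
                    if not info.is_dir():
                        counts[_ext(info.filename)] += 1
        except zipfile.BadZipFile:
            counts["zip:unreadable"] += 1  # malformed archive gets its own key
    return counts

def build_sample():
    """Constructed sample: a zip holding a .JS file, plus a plain .docm attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/scan.JS", "// constructed placeholder")
        zf.writestr("readme.txt", "constructed")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="octet-stream", filename="report.docm")
    return msg.as_bytes()
```

Extensions are lower-cased before counting, so `scan.JS` inside the archive is counted under `js`.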