<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">Da wird uns der Carsten bestimmt helfen! :-)</span><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">/etc/olefy.conf:</div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># olefy socket Configuration file </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25); min-height: 16px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(211, 115, 38); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;">OLEFY_BINDADDRESS</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);">=127.0.0.1</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(211, 115, 38); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;">OLEFY_BINDPORT</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);">=10050</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25); min-height: 16px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># systemd PrivateTmp is used. The path will be /tmp/systemd....olefy.../tmp </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(211, 115, 38); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;">OLEFY_TMPDIR</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);">=/tmp</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25); min-height: 16px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># no command line options allowed here </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(211, 115, 38);">OLEFY_PYTHON_PATH</span><span class="" style="font-variant-ligatures: no-common-ligatures;">=/usr/bin/python3</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># no command line options allowed here </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(211, 115, 38);">OLEFY_OLEVBA_PATH</span><span class="" style="font-variant-ligatures: no-common-ligatures;">=/usr/local/bin/olevba3</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25); min-height: 16px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># 10:DEBUG, 20:INFO, 30:WARNING, 40:ERROR, 50:CRITICAL </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(211, 115, 38); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;">OLEFY_LOGLVL</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);">=30</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25); min-height: 16px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># olefy will do nothing with files under MINLENGTH characters </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(211, 115, 38); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;">OLEFY_MINLENGTH</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);">=500</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25); min-height: 16px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># 0 - do not delete tmp files, 1 - delete tmp files </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># regardless this setting systemd will restart the service all 4h </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(227, 53, 35); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"># and creates a new PrivateTmp </span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(211, 115, 38); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;">OLEFY_DEL_TMP</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);">=1</span></div></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">/etc/rspamd/local.d/external_services.conf:</div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(58, 166, 41); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;">oletools</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> {</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(181, 50, 131); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> </span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(211, 115, 38);">servers</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> = </span><span class="" style="font-variant-ligatures: no-common-ligatures;">"127.0.0.1:10050"</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(181, 50, 131); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> </span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(211, 115, 38);">action</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> = </span><span class="" style="font-variant-ligatures: no-common-ligatures;">"reject"</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);">;</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"> </span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(211, 115, 38);">max_size</span><span class="" style="font-variant-ligatures: no-common-ligatures;"> = 20000000;</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"> </span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(211, 115, 38);">log_clean</span><span class="" style="font-variant-ligatures: no-common-ligatures;"> = true;</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(211, 115, 38); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> </span><span class="" style="font-variant-ligatures: no-common-ligatures;">cache_expire</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> = 86400;</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(211, 115, 38); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> </span><span class="" style="font-variant-ligatures: no-common-ligatures;">scan_mime_parts</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(102, 255, 102);"> = true;</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"> </span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(211, 115, 38);">extended</span><span class="" style="font-variant-ligatures: no-common-ligatures;"> = false;</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;">}</span></div></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">Der Dienst läuft und olevba3 funktioniert wie im Eingangsposting zu sehen:</div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo; color: rgb(102, 255, 102); background-color: rgb(25, 25, 25);"><span class="" style="font-variant-ligatures: no-common-ligatures;"> 7138 ? Ss 0:00 /usr/bin/python3 /usr/local/bin/</span><span class="" style="font-variant-ligatures: no-common-ligatures; color: rgb(247, 158, 150);"><b class="">ole</b></span><span class="" style="font-variant-ligatures: no-common-ligatures;">fy.py</span></div></div><div><br class=""></div><div><br class=""></div><div><br class=""></div><div><br class=""></div><div>Viele Grüße! Frank</div><div><br class=""></div><div><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class="">Am 26.11.2019 um 15:46 schrieb Frank Fiene <<a href="mailto:ffiene@veka.com" class="">ffiene@veka.com</a>>:</div><br class="Apple-interchange-newline"><div class=""><div class="">Ich habe mal wieder ein Problem.<br class=""><br class="">Heute ist mal wieder eine Word-Datei durchgerutscht und ich weiß nicht, ob meine oletools und olefy korrekt mit rspamd funktionieren.<br class=""><br class="">Wenn ich die Datei auf den Mailserver kopiere und mit olevba3 analysiere, erscheint:<br class=""><br class="">+------------+--------------+-----------------------------------------+<br class="">| Type | Keyword | Description |<br class="">+------------+--------------+-----------------------------------------+<br class="">| Suspicious | Open | May open a file |<br class="">| Suspicious | Output | May write to a file (if combined with |<br class="">| | | Open) |<br class="">| Suspicious | Print # | May write to a file (if combined with |<br class="">| | | Open) |<br class="">| Suspicious | MkDir | May create a directory |<br class="">| Suspicious | CreateObject | May create an OLE object |<br class="">| Suspicious | CallByName | May attempt to obfuscate malicious |<br class="">| | | function calls |<br class="">| Suspicious | Chr | May attempt to obfuscate specific |<br class="">| | | strings (use option --deobf to |<br class="">| | | deobfuscate) |<br class="">+------------+--------------+-----------------------------------------+<br class=""><br class=""><br class="">Das sollte also eigentlich blockiert werden, korrekt?<br class="">Virustotal sagt mir dasselbe.<br class=""><br class="">Wo fange ich mit dem Debuggen an?<br class=""><br class=""><br class=""><br class="">Viele Grüße!<br class="">Frank<br class="">-- <br class="">Frank Fiene<br class="">IT-Security Manager VEKA Group<br class=""><br class="">Fon: +49 2526 29-6200<br class="">Fax: +49 2526 29-16-6200<br class="">mailto: <a href="mailto:ffiene@veka.com" class="">ffiene@veka.com</a><br class=""><a href="http://www.veka.com" class="">http://www.veka.com</a><br class=""><br class="">PGP-ID: 62112A51<br class="">PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51<br class="">Threema: VZK5NDWW<br class=""><br class="">VEKA AG<br class="">Dieselstr. 8<br class="">48324 Sendenhorst<br class="">Deutschland/Germany<br class=""><br class="">Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),<br class="">Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,<br class="">Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer<br class="">HRB 8282 AG Münster/District Court of Münster<br class=""><br class=""></div></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Viele Grüße!<br class="">i.A. Frank Fiene<br class="">-- <br class="">Frank Fiene</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">IT-Security Manager VEKA Group</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class="">Fon: +49 2526 29-6200<br class="">Fax: +49 2526 29-16-6200<br class="">mailto: <a href="mailto:ffiene@veka.com" class="">ffiene@veka.com</a><br class=""><a href="http://www.veka.com" class="">http://www.veka.com</a><br class=""><br class=""></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">PGP-ID: 62112A51<br class="">PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Threema: VZK5NDWW<br class=""><br class="">VEKA AG<br class="">Dieselstr. 8<br class="">48324 Sendenhorst<br class="">Deutschland/Germany<br class=""><br class="">Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),<br class="">Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,<br class="">Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer<br class="">HRB 8282 AG Münster/District Court of Münster</div></div></div></div></div></div></div></div>
</div>
<br class=""></body></html>