virus_blacklist 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/lib/virus_blacklist.rb +60 -0
- metadata +61 -0
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
require 'dnsruby'
|
|
2
|
+
|
|
3
|
+
# CYMRU publishes the MD5 hashes of known viruses as DNS records, which is perfect for us. In short:
|
|
4
|
+
# You get 127.0.0.1 back if the file is in their registry and marked as safe.
|
|
5
|
+
# You get 127.0.0.2 back if the file is in their registry and marked as unsafe.
|
|
6
|
+
# You get NXDOMAIN if the file isn't in their registry at all.
|
|
7
|
+
# You may also get no reply if you're being rate limited.
|
|
8
|
+
# See http://www.team-cymru.org/Services/MHR/ for more info on this service.
|
|
9
|
+
|
|
10
|
+
module VirusBlacklist
|
|
11
|
+
|
|
12
|
+
include Dnsruby
|
|
13
|
+
extend self
|
|
14
|
+
|
|
15
|
+
def resolver
|
|
16
|
+
# Our default query_timeout is pretty aggressive. You might want to wait longer, depending
|
|
17
|
+
# on the application.
|
|
18
|
+
@resolver ||= Dnsruby::Resolver.new(:query_timeout => 2) # Only waits for 2 seconds
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
# For testing, use md5 = "733a48a9cb49651d72fe824ca91e8d00" which should get marked as a known virus.
|
|
22
|
+
# That example is directly from their documentation on the service.
|
|
23
|
+
|
|
24
|
+
def scan(md5)
|
|
25
|
+
unless md5.match(/\A[a-f0-9]{32}\z/i)
|
|
26
|
+
# MD5s are exactly 32 hex characters.
|
|
27
|
+
raise ArgumentError, "Invalid MD5 value (" + md5 + "). MD5s contain exactly 32 hexadecimal digits."
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
begin
|
|
31
|
+
case resolver.query(md5.downcase + ".malware.hash.cymru.com", Types.A).answer[0].address.to_s
|
|
32
|
+
when /\A127\.0\.0\.1\z/
|
|
33
|
+
return :safe
|
|
34
|
+
when /\A127\.0\.0\.2\z/
|
|
35
|
+
return :unsafe
|
|
36
|
+
else
|
|
37
|
+
return :unknown
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
rescue Exception => e
|
|
41
|
+
puts e.message
|
|
42
|
+
return :error
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def is_ok?(md5)
|
|
47
|
+
# Unfortunately, we're limited by the fact that this is a blacklist and that there's
|
|
48
|
+
# no way to whitelist every possible benign file. So we consider it safe if it's
|
|
49
|
+
# not known to be bad. That doesn't matter much, because it's also trivial to change
|
|
50
|
+
# any unimportant part of a malicious file, which will change its hash. So this is poor
|
|
51
|
+
# security, but it's the best we can do.
|
|
52
|
+
|
|
53
|
+
if scan(md5) == :unsafe
|
|
54
|
+
return false
|
|
55
|
+
else
|
|
56
|
+
return true
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: virus_blacklist
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 1.0.0
|
|
5
|
+
prerelease:
|
|
6
|
+
platform: ruby
|
|
7
|
+
authors:
|
|
8
|
+
- Matt Venzke
|
|
9
|
+
autorequire:
|
|
10
|
+
bindir: bin
|
|
11
|
+
cert_chain: []
|
|
12
|
+
date: 2012-07-08 00:00:00.000000000 Z
|
|
13
|
+
dependencies:
|
|
14
|
+
- !ruby/object:Gem::Dependency
|
|
15
|
+
name: dnsruby
|
|
16
|
+
requirement: !ruby/object:Gem::Requirement
|
|
17
|
+
none: false
|
|
18
|
+
requirements:
|
|
19
|
+
- - ~>
|
|
20
|
+
- !ruby/object:Gem::Version
|
|
21
|
+
version: '1.5'
|
|
22
|
+
type: :runtime
|
|
23
|
+
prerelease: false
|
|
24
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
+
none: false
|
|
26
|
+
requirements:
|
|
27
|
+
- - ~>
|
|
28
|
+
- !ruby/object:Gem::Version
|
|
29
|
+
version: '1.5'
|
|
30
|
+
description: A simple interface for the CYMRU DNS-based virus blacklist.
|
|
31
|
+
email: mvenzke@gmail.com
|
|
32
|
+
executables: []
|
|
33
|
+
extensions: []
|
|
34
|
+
extra_rdoc_files: []
|
|
35
|
+
files:
|
|
36
|
+
- lib/virus_blacklist.rb
|
|
37
|
+
homepage: https://github.com/Qsario/virus_blacklist
|
|
38
|
+
licenses: []
|
|
39
|
+
post_install_message:
|
|
40
|
+
rdoc_options: []
|
|
41
|
+
require_paths:
|
|
42
|
+
- lib
|
|
43
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
44
|
+
none: false
|
|
45
|
+
requirements:
|
|
46
|
+
- - ! '>='
|
|
47
|
+
- !ruby/object:Gem::Version
|
|
48
|
+
version: '0'
|
|
49
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
50
|
+
none: false
|
|
51
|
+
requirements:
|
|
52
|
+
- - ! '>='
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '0'
|
|
55
|
+
requirements: []
|
|
56
|
+
rubyforge_project:
|
|
57
|
+
rubygems_version: 1.8.24
|
|
58
|
+
signing_key:
|
|
59
|
+
specification_version: 3
|
|
60
|
+
summary: Interface for CYMRU DNS-based virus blacklist.
|
|
61
|
+
test_files: []
|