Documentation

 

Here's some brief documentation:

Signature-making method used: method.pdf, based on the ClamAV signature docs

 

Signature making Example (using ClamAV Extended Database Format .NDB)

 

SaneSecurity.Phishing.Auction.2099:3:*:656261792073656e742074686973206d65737361676521

SaneSecurity.Phishing.Auction  SaneSecurity header
.2099  Database line number
:3  FileType:
      0 = any file
      3 = HTML (normalised)
      4 = Mail file
      7 = ASCII text file (normalised)
:*  Anywhere in file
:656261792073656e742074686973206d65737361676521  Hex of the text in the phishing email to match
      E.g.: ebay sent this message!
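
The same layout as an added Python example (not Sanesecurity's or ClamAV's own code): it builds the signature line above from the text to match, splits a line back into its fields, and tests a literal signature against a constructed sample body. The function names, the sample body and the lower-casing step for types 3 and 7 are assumptions of this example.

```python
from typing import NamedTuple, Optional

# FileType values listed on this page; ClamAV defines further target types.
FILE_TYPES = {0: "any file", 3: "HTML (normalised)",
              4: "Mail file", 7: "ASCII text file (normalised)"}

class NdbSig(NamedTuple):
    name: str
    file_type: int
    offset: str
    hexsig: str

def make_ndb(name: str, file_type: int, text: str, offset: str = "*") -> str:
    """Build one .ndb line from the literal text a signature should match."""
    if file_type not in FILE_TYPES:
        raise ValueError(f"file type {file_type} is not in the page's list")
    if not name or ":" in name:
        raise ValueError("name must be non-empty and must not contain ':'")
    # Assumption: types 3 and 7 are matched after normalisation, which
    # lower-cases content (the page's own example hex spells 'ebay').
    if file_type in (3, 7):
        text = text.lower()
    return f"{name}:{file_type}:{offset}:{text.encode('ascii').hex()}"

def parse_ndb(line: str) -> NdbSig:
    """Split an .ndb line into Name, FileType, Offset and HexSignature."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[3]:
        raise ValueError("expected Name:FileType:Offset:HexSignature")
    return NdbSig(parts[0], int(parts[1]), parts[2], parts[3])

def literal_bytes(sig: NdbSig) -> Optional[bytes]:
    """Bytes the signature matches, or None if it uses wildcard syntax."""
    try:
        return bytes.fromhex(sig.hexsig)
    except ValueError:
        return None

def matches(sig: NdbSig, normalised: bytes) -> bool:
    """Literal, any-offset ('*') match only; other signatures raise."""
    pattern = literal_bytes(sig)
    if pattern is None or sig.offset != "*":
        raise NotImplementedError("only literal '*' signatures handled here")
    return pattern in normalised

# Constructed sample: body text as it might look after normalisation.
SAMPLE = b"<td>ebay sent this message! your registered name is included</td>"
PAGE_SIG = ("SaneSecurity.Phishing.Auction.2099:3:*:"
            "656261792073656e742074686973206d65737361676521")
```

A line produced this way still needs testing with clamscan against real and clean mail before use, since a short literal can match legitimate messages.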


Current SaneSecurity signature meanings:

SaneSecurity Signature meanings (phish.ndb)
Sanesecurity.Doc Fake phishing documents
Sanesecurity.Fake Fake emails from companies/spear phishing
Sanesecurity.Phishing.Auction Phishing emails from eBay
Sanesecurity.Phishing.Azon Phishing emails from Amazon
Sanesecurity.Phishing.Bank Phishing emails from Banks
Sanesecurity.Phishing.Card Phishing Postcards
Sanesecurity.Phishing.Cur Simple phishing heuristics based on headers/URLs and content
Sanesecurity.Phishing.Dca HTML based doubleclick revenue link
Sanesecurity.Phishing.Fake Fake emails from companies/spear phishing
Sanesecurity.Phishing.GiftCard Phishing Postcards
Sanesecurity.Phishing.Hex Simple heuristics based on hex URLs
Sanesecurity.Phishing.Ivt HTML based invalid tags
Sanesecurity.Phishing.Jsc HTML based
Sanesecurity.Phishing.Nam HTML based common fake HTML editor
Sanesecurity.Phishing.Onf HTML based
Sanesecurity.Phishing.Pay Phishing emails from PayPal
Sanesecurity.Phishing.Rdi Phishing redirects
Sanesecurity.Phishing.Rock Phishing emails generated with the rockfish toolkit
Sanesecurity.Phishing.RockGen Phishing emails generated with the rockfish toolkit
Sanesecurity.Phishing.Shop Phishing emails for shops
Sanesecurity.Phishing.Slw HTML based
Sanesecurity.Phishing.Url URL based phishing detection
Sanesecurity.Phishing.Wrd Fake phishing documents
Sanesecurity.PhishingTestSig Sanesecurity Test Signature
TestSig_Type3_Bdy Sanesecurity Test Signature
TestSig_Type4_Bdy Sanesecurity Test Signature
TestSig_Type4_Hdr Sanesecurity Test Signature

 

SaneSecurity Signature meanings (scam.ndb)
Sanesecurity.Spam General high hitting spam
Sanesecurity.Spam  
Sanesecurity.Cred  
Sanesecurity.Dipl  Diploma scams
Sanesecurity.Hdr  Spam based on fake headers
Sanesecurity.Img  Image Spam
Sanesecurity.Job  Job scams
Sanesecurity.Loan  Loan Scams
Sanesecurity.Porn  Porn Spam
Sanesecurity.ImgO  OEM Image scams/spam
Sanesecurity.Scam4  419 scams
Sanesecurity.ScamL  Lottery scams
Sanesecurity.Stk  Stock scams
Sanesecurity.TestSig  Sanesecurity test signature

 

SaneSecurity Signature meanings (junk.ndb)
Sanesecurity.Junk General high hitting junk, containing spam/phishing/lottery/jobs etc.

 

SaneSecurity Signature meanings (rogue.hdb)
Sanesecurity.Rogue Rogue anti-virus software
Sanesecurity.Trojan Fake codecs or other malware

 

SaneSecurity Signature meanings (lott.ndb)
Sanesecurity.Lott Fake lottery companies, prizes and winnings.

 

SaneSecurity Signature meanings (spear.ndb)
Sanesecurity.Spear Spear phishing email addresses (autogenerated from data here)

 

SaneSecurity Signature meanings (spamimg.hdb)
Sanesecurity.SpamImg Spam images

 

SaneSecurity Signature meanings (spam.ldb)
Sanesecurity.Spam.ldb Spam detected using the new Logical Signature type.

 

Disclaimer:

Whilst every effort has been made by Sanesecurity to ensure that the signatures don't lead to false positives, we make no warranty that the signatures will meet your requirements, be uninterrupted, complete, timely, secure or error free. You must therefore use them at your own risk.

Permanent link to this article: http://sanesecurity.org/support/documentation/