The rules are represented by such constructions as IF <conditional_part> THEN <action_part>. At that, in the part <conditional_part> the following scanning types are specified: “The variable value is (not) set” or “The variable value is (not) included in the specified set”. The part <action_part> contains a set of (at least one) actions, and each of these actions is an ultimate resolution (skip or block a scanned object), or a modifying action which looks as “Change features of the scanned object”, “Assign the set value to the specified variable” or “Add the set value to the array of values of the specified variable”.
Part of the rule actions is executed only if the conditional part is true. If the conditional part evaluates to false, the actions specified in this rule are not performed, and the program jumps to the next rule. The rules are considered vertically down until an ultimate resolution is performed. After this, all undermentioned rules (if there are any) are ignored. When a rule is executed, it is important that actions in <action_part> are performed in order of their specification from left to right, and if there is an ultimate resolution in the chain of actions that interrupts the rule handling, the rest of the actions specified in <action_part> is not performed.
Format of the rule production:
[<condition>[, <condition>[, …]]] : <action>[, <action>[, …]] |
The conditional part of the rule (before ':') can be missing, in this case a part of the actions is executed without any condition. If the conditional part of the rule is missing, the ':' separator can be omitted. The comma between conditions in the conditional part and actions in the action part performs a role of a logical conjunction (that is, “and”): the conditional part elevates to true, only if all its conditions are true, and all actions specified in the action part are performed in order of their specification from left to right until an ultimate resolution which interrupts the rule handling. In the rules the register is not important for the key words, names of variables and configuration parameters.
The following types of conditions can be used in the rules:
Condition |
Meaning of the Condition |
||
|---|---|---|---|
<variable> <value > |
The value of the specified variable coincides with the set value. Can be used only for those variables that can contain a set of values simultaneously. |
||
<variable> [not] in <set of values> |
The value of the specified variable is contained in the specified set of values (for not—does not match any value from the specified set). |
||
<variable> [not] match <set of values> |
The value of the specified variable matches any regular expression listed in the specified set (for not—does not match any expression from the specified set).
|
||
<variable> [not] gt <value> |
The value of the specified variable is (not) greater than the set value. Can be used only for those variables that can have a single value. |
||
<variable> [not] lt <value> |
The value of the specified variable is (not) less than the set value. Can be used only for those variables that can have a single value. |
*) An optional key word not means negation.
Part <set of values> to which a variable is compared can be specified in the following ways:
Syntax |
Meaning |
||
|---|---|---|---|
(<value 1>[, <value 2>[, …]]) |
In the parentheses you directly list the set of values to check against (not less then one value). In case there is only one value and the in condition is used, you can omit the parentheses (and you will end up with a case <variable> <value>). |
||
"<section>.<parameter>" |
The set of values currently assigned to a certain configuration parameter; where between the quotation marks you should specify the name of a configuration parameter whose value (or set of values) must be checked (note that you also need to specify the name of the section to which the parameter belongs). The lists of the parameters that can be used as conditions depend on the component for which the rules are set. The lists are provided below. |
||
file("<file name>") |
List of values is read from the text file <file name> (one file string—one list element, leading and trailing spaces in strings are ignored). A path to the file must be absolute. If a <file name> contains quotes and apostrophes, they must be escaped: '\'.
|
If a variable is multiple-valued, the condition <variable> in <set of values> is true, if intersection of the set of current values of the specified variable <variable> with the indicated set <set of values> is not empty. The condition not in is true in the opposite case. For example, suppose X is a variable, which the current value is a set with values a, b, c. Then
•X in (a, b) is true because values a and b are encountered in both sets;
•X in (a, d, e) is true because value a is encountered in both sets;
•X in (d, e) is false because there is no value of the variable (a, b, c) in the set (d, e).
•X in () is false as array of variable values is not empty.
•X not in () is true, the array of variable values is not empty.
•X not in (d, e) is true because there is no value of the variable (a, b, c) in the set (d, e).
•X not in (a, d, e) is false because value a is encountered in both sets.
In the description of the variables below, there is an indication for each variable whether it can adopt a set of values.
Actions are divided into ultimate resolutions that determine whether to permit passing an object; modifying resolutions that do not break scanning but fix the action to be applied to a network connection or to an object being scanned upon the acception of a resolution allowing to pass the traffic and actions that change the values of some variable that can be used when checking conditions in the underlying rules.
Ultimate Resolutions
Resolution |
Description (Meaning) |
|---|---|
Common Resolutions |
|
PASS |
Skip traffic (allow connection creation, send an object to a recipient). The downward rules (if there are any) are not used. |
BLOCK as <reason> |
Block traffic (block connection creation, send an object to a recipient). The downward rules (if there are any) are not used. A blocking <reason> is recorded in the log. The same reason is used to define a browser notification to be shown to a user. Two standard reasons can be used as <reason> for this action: •BlackList—the data is blocked because it is included in user’s black list. •_match—the block happens because a web resource or file containing threat belongs to a category that triggers rule executing (for conditions *_category in (Ξ)). The _match variable contains the list of blocked categories that matched. |
Special Resolutions for Mail Processing Rules |
|
REJECT ["<description>"] |
Reject a message (avoid receiving or sending this message). If the data is transmitted via the SMTP protocol, return the response with code SMTP 541 (permanent error). The <description> parameter is optional; it is used as the text of the response if it is set. When checking the letter received for MTA via Spamd/Rspamd interface the value of the <description> parameter will be used as a header added to the letter after informing about the verification results. |
TEMPFAIL ["<description>"] |
Return temporary failure. If the data is transmitted via the SMTP protocol, return the response with code SMTP 451 (temporary failure). The <description> parameter is optional; it is used as the text of the response if it is set. When checking the letter received for MTA via Spamd/Rspamd interface the value of the <description> parameter will be used as a header added to the letter after informing about the verification results. |
DISCARD |
Discard the message, i.e. accept it without returning the error code to the sender and delete it instead of passing to the receiver. |
Modifying Resolutions
The modifying resolutions do not interrupt the verification; they fix the actions to be applied to the data being verified upon the receipt of the PASS resolution.
Resolution |
Description |
|---|---|
REPACK [<reason>] |
Repack a message, i.e. create (on the basis of a predefined template) a new message including the content of the old one and the text informing the receiver about the threats. The unwanted message is cut and placed in a password-protected archive. The archive as added to the message and sent to the receiver as an attachment. The following repack templates are available: 1.The message has been considered spam. 2. One or more threats have been detected in the message. 3. One or more unwanted URLs have been detected in the message. 4. Security policies established by the administrator have been violated. he reason for repacking is recorded to the logs. The decision concerning what template to use for creating the notification message for the receiver is taken on the basis of this reason. The following cases can be considered reasons for repack: •as_match — the message is repacked as it is considered spam or contains a link to an unwanted web resource or a file with a threat. All the unwanted message categories are stored in the _match_ variable. Templates 1, 2, 3 are used for repacking depending upon what has been detected in the message: •if the messaged has been considered spam, template 1 is selected; •if at least one threat has been detected, template 2 is selected; •if at least one malicious of unwanted URL is detected, template 3 is selected; •if no threats were detected, template 4 is selected. •"text message" — the message has been repacked in accordance with the setting defined by the administrator. The text can contain any message from the administrator (for instance: REPACK "Virus found!"). Template 4 is used for repacking. |
ADD_HEADER("<Name>", "<Value>") |
Add the header <Name> with the value <value> and continue the verification until the resolution PASS is received. The value is converted to ASCII in accordance with RFC 2047. |
CHANGE_HEADER("<Name>", "<Value>" | _value [+ "<Value>" | _value [+ ...]]) |
Change the value of the first detected header with <Name>. The new valut is the concatenation of all values after the comma separated by the '+' sign. Each value can be represented either by a string literal in inverted commes or by the special variable _value in which the vaiue of the modified header is declared. Example: CHANGE_HEADER("Subject", "[SPAM] '" + _value + "' (do not read!)"). |
Features of handling resolutions:
•BLOCK as BlackList, always processes as “is included in a black list” (without considering the condition specified in the rules with this resolution).
•BLOCK as match, if _match is not empty, processes as “belongs to the _match category”.
•BLOCK as match, if _match is empty, processes as “is included in a black list” (without considering the condition specified in the rules with this resolution).
•If all rules have been considered, and none of the rules with resolutions performs (or the rules do not have resolutions), this situation is the same as Pass action.
Changing the Value of a Variable
To change the variable value, the following instruction is used:
SET <variable> = ([<value 1>[, <value 2>[, …]]]) |
If nothing is enclosed in brackets, the list of variable values is cleared. If there is only one value, the brackets should be omitted, that is, the following syntaxes should be used:
SET <variable> = <value > |
When indicating variables in the rules, the register of symbols is not considered. The variables with compound names could be saved using underscore for spacing or without it. Thus, the records variable_name, VariableName, and variablename represent the same variable. In this section, all variables are saved using underscore (that is, variable_name writing option is used).
Common variables
Variable |
Description |
Can be used in |
|
|---|---|---|---|
conditional part |
action part (SET) |
||
protocol |
Network protocol type, used by the connection. The variable can simultaneously contain a set of values. Allowed values: HTTP, SMTP, IMAP, POP3. Usage Aspects: •The variable value can be defined only if SSL/TLS is not used or it was allowed to unwrap SSL. •It does not make sense to specify any other value except HTTP for the Dr.Web ICAPD rules: only HTTP can be specified for Dr.Web ICAPD. •A set of values for checking a variable value is available from the file. Examples: protocol in (HTTP, SMTP) |
Yes |
No |
sni_host |
SNI host (address) to which the connection is established via SSL/TLS. Usage Aspects: •If SSL is not used, the value of a variable is not defined, the condition evaluates to false. •It does not make sense to use it for the Dr.Web ICAPD rules (it does not process SSL, for that reason the condition always evaluates to false). •A set of values for checking a variable value is available from the file. •Can be used together with the proc variable (see below). Examples: sni_host not in ('vk.com', 'ya.ru') |
Yes |
No |
sni_category |
The list of categories which the host (that is identified from the SNI-header) belongs to (according to the databases of web resource categories), for hosts to which your computer is attempting to connect over SSL/TLS. The variable can simultaneously contain a set of values. Usage Aspects: •If SSL is not used, the value of a variable is not defined, the condition evaluates to false. •It does not make sense to use it for the Dr.Web ICAPD rules (it does not process SSL, for that reason the condition always evaluates to false). •For rules used by Dr.Web ICAPD, condition with not in will be true, even if according to the scanning results, the host does not belong to any of the predetermined categories (“safe” host). •If databases of web resource categories are not installed, the variable could not be used in rules (attempts to check if a condition in the rule is true will lead to the error x112). •A set of values for checking a variable value is available from the file. Examples: sni_category not in (AdultContent, Chats) |
Yes |
No |
url |
URL requested by the client. Can be compared with the specified string or with a regular expression. Usage Aspects: •Can be used only in rules for Dr.Web ICAPD. •Dr.Web LookupD can be used to check the value of this variable. •A set of values for checking a variable value is available from the file. •Can be used together with the proc variable (see below). Examples: url match ("drweb.com", "example\..*", "aaa\.ru/") |
Yes |
No |
url_host |
URL/host to which the connection is established. Usage Aspects: •The variable value can be defined only if SSL/TLS is not used or it was allowed to unwrap SSL. •Dr.Web LookupD can be used to check the value of this variable. •A set of values for checking a variable value is available from the file. Examples: url_host in ('vk.com', 'ya.ru') |
Yes |
No |
url_category |
The list of categories to which the URL/host belongs. The variable can simultaneously contain a set of values. Usage Aspects: •The variable value can be defined only if SSL/TLS is not used or it was allowed to unwrap SSL. •For rules used by Dr.Web ICAPD, condition with not in will be true, even if according to the scanning results, URL/host does not belong to any of the predetermined categories (“safe” URL/host). •If databases of web resource categories are not installed, the variable could not be used in rules (attempts to check if a condition in the rule is true will lead to the error x112). •A set of values for checking a variable value is available from the file. Examples: url_category not in (AdultContent, Chats) |
Yes |
No |
threat_category |
The list of categories to which the threat belongs, which is found in the transferred data (according to information from virus databases). The variable can simultaneously contain a set of values. Usage Aspects: •The variable value can be defined only if SSL/TLS is not used or it was allowed to unwrap SSL. •For rules used by Dr.Web ICAPD, condition with not in will be true, even if according to the scanning results, URL/host does not belong to any of the predetermined categories (“safe” URL/host). •A set of values for checking a variable value is available from the file. Examples: |
Yes |
No |
user |
The name of the user with whose privileges the process that is sending (or receiving) the traffic has been launched. Usage Aspects: •In the Dr.Web ICAPD rules, the name of that user is implied who has authenticated on the proxy server (if the proxy server supports authentication). If the proxy server does not support user authentication, the variable has an empty value. •Dr.Web LookupD can be used to check the value of this variable. •If you need to find out whether the user belongs to a certain user group, use an LDAP or an Active Directory data source that returns a list of groups and specify the name of the required group (for which you want to know whether the user is its member or not). Use the following format: <type of the source for LookupD>@<source of groups>@<required group>. Requests to Active Directory (AD@) return only lists of groups, therefore for these requests it is mandatory to use the @<required group> part. •A set of values for checking a variable value is available from the file. Examples: user in ('user1', 'user2') |
Yes |
No |
src_ip |
The IP address of a host establishing the connection. Usage Aspects: •Dr.Web LookupD can be used to check the value of this variable. •A set of values for checking a variable value is available from the file. Examples: src_ip not in (127.0.0.1, 10.20.30.41, 198.126.10.0/24) |
Yes |
No |
proc |
The process establishing the connection (the full executable path). Usage Aspects: •It does not make any sense to use it for the Dr.Web ICAPD rules (the component does not contain information about processes, for that reason the condition always evaluates to false). •A set of values for checking a variable value is available from the file. •Can be used together with the variables: sni_host, url, and dst_address . Examples: proc in ('/usr/bin/ls') |
Yes |
No |
direction |
The type of traffic on the connection. Allowed values: request (client request), response (server reply). This variable cannot simultaneously contain a set of values; conditions of the match and in type cannot be applied. Examples: direction request |
Yes |
No |
divert |
The direction of the connection. Allowed values: input (incoming—created/initiated from outside the local host), output (outgoing—created/initiated on the local host). This variable cannot simultaneously contain a set of values; conditions of the match and in type cannot be applied. Examples: divert input |
Yes |
No |
content_type |
MIME type of data transferred during connection. Usage Aspects: •Can be defined if only SSL/TLS is not used or it was allowed to unwrap SSL. •The expression “*/*” matches data of any MIME type and HTTP replies without the header Content-Type. •Dr.Web LookupD can be used to check the value of this variable. •A set of values for checking a variable value is available from the file. Examples: content_type in ("multipart/byteranges", "application/octet-stream") |
Yes |
No |
(proc, <variable>) |
Network activity of the process, where proc is the full process executable path (see above), and <variable> defines type of the activity and can be one of the following values: •sni_host—SNI host (address), with which the connection is established via SSL/TLS. •url—URL requested by a client (see above). •dst_address—network address (<IP address>:<port>), with which the process establishes the connection. Usage Aspects: •Using only with the condition match ({<Proc_reg>, <Var_reg>}[, …]), where <Proc_reg> is a regular expression for proc, and <Var_reg> is a regular expression for <variable>. •It does not make any sense to use it for the Dr.Web ICAPD rules (the component does not contain information about processes, for that reason the condition always evaluates to false). Examples: (proc, url) match ({"/usr/bin/wget", "www\.ya\.*"}) |
Yes |
No |
unwrap_ssl |
Whether the traffic transferred via SSL/TLS is unwrapped. Allowed values: true, false. Usage Aspects: •The variable always has any value. The instruction SET unwrap_ssl = () is impossible. •The variable cannot be used as a condition. It is necessary only to control SSL unwrapping (for example, to display a webpage containing notification about blocking triggered by our side). •It does not make sense to use it for the Dr.Web ICAPD rules (it does not process SSL, changing of the variable does not influence rule processing). Examples: SET unwrap_ssl = TRUE |
No |
Yes |
http_templates_dir |
The path to the directory where the notification page template on blocking HTTP request is stored. If the path starts with a / (forward slash), it is an absolute path; if it starts with any other symbol, then it is a relative path. In the latter case it is given relative to the directory specified in the TemplatesDir parameter. Usage Aspects: •It is useful only for the HTTP(S) protocol. Examples: SET http_templates_dir = "/etc/mytemplates" |
No |
Yes |
Variables used in mail processing rules
Variable |
Description |
Can be used in |
|
|---|---|---|---|
conditional part |
action part (SET) |
||
header |
The contents of the headers part of the message. Usage Aspects: •It is used to compare the headers part of the message with the list of the predefined templates (regular expressions are used). •Any part of the text content of the message body can be checked. •The comparison is not case-sensitive; it is allowed to use Unicode. •A set of values for checking a variable value is available from the file. Examples: header match ("su..ect: sp.m", "From: sales.*@.*") |
Yes |
No |
body |
The text content of the message body Usage Aspects: •It is used to compare the message body with the list of the predefined templates (regular expressions are used). •Any of the headers in the message can be checked. •The comparison is not case-sensitive; it is allowed to use Unicode. •A set of values for checking a variable value is available from the file. Examples: body match ("in.prtc[lr]") |
Yes |
No |
body_part_header |
Part headers in the message body (MIME part). Usage Aspects: • It is used to compare the part headers in the body of messages with the list of predefined templates (regular expressions are used). •The headers of any part of the message body can be checked. •The comparison is not case-sensitive; it is allowed to use Unicode. •A set of values for checking a variable value is available from the file. Examples: body_part_header match ('Content-Disposition: attachment; .*filename="вирус.exe"') |
Yes |
No |
attachment_name |
Names of files attached to the message Usage Aspects: •It is used to compare the list of the files attached to the message (Content-Disposition: attachment) with the list of predefined templates (regular expression are used). •The comparison is not case-sensitive; it is allowed to use Unicode. •A set of values for checking a variable value is available from the file. Examples: attachment_name match ("\.ex.$", "\.js$", "^virus.*") |
Yes |
No |
total_spam_score |
The normalized spam score of the message (from 0 to 1) received from Dr.Web ASE. The spam score received from Dr. Web ASE is normalized according to the following rules: 1.0 or less spam points — 0.0; 2.100 points — 0.8; 3.1000 and more spam points — 1.0. The spam score increases within the specified intervals. Usage Aspects: •The value of this variable is a number, it has only one meaning and can be used with the lt and gt conditions only. •If the Dr.Web ASE component is not installed, the messages are not checked for spam and the total_spam_score variable cannot be used in the rules (any try to check the condition in the rule will cause the error "Dr.Web ASE is not available". Examples: total_spam_score gt 0.32 |
Yes |
No |
smtp_mail_from |
The address of the message sender transmitted by the MAIL FROM command during an SMTP session. Usage Aspects: •It is used to compare the sender's name specified during the SMTP session with the list of predefined templates (regular expressions are used). •The comparison is not case-sensitive. •This variable cannot be used in Spamd rules as this protocol does not provide information about the message sender. •A set of values for checking a variable value is available from the file. Examples: smtp_mail_from match ("^john@.*", ".*@domain.com$") |
Yes |
No |
smtp_rcpt_to |
The list of message recipients' addresses transmitted by the RCPT TO command during an SMTP session. Usage Aspects: • It is used to compare the recipients' names specified during the SMTP session with the list of predefined templates (regular expressions are used). •The comparison is not case-sensitive. •This variable cannot be used in Spamd rules as this protocol does not provide information about the message recipient. •If all is specified before match, the condition containing this variable can be true only if all the values from the list match the specified templates. •A set of values for checking a variable value is available from the file. Examples: smtp_rcpt_to match ("^user1@domain.com$", ".*@domain2.com$") |
Yes |
No |
maild_templates_dir |
The path to the template used for repacking email messages. If the path begins with / , it is absolute; if it begins with any other character, it is relative. The path from the TemplatesDir parameter is considered root. Usage Aspects: •This variable can be used only for mail protocols (POP3, IMAP, SMTP) and MTA interfaces (Milter, Spamd, Rspamd). Примеры: SET maild_templates_dir = "/etc/my_mail_templates" |
No |
Yes |
Categories of unwanted websites and threats
1.Categories of unwanted websites (for the variables sni_category, url_category)
Convention |
Website category |
|---|---|
InfectionSource |
Websites containing malicious software (“infection sources”). |
NotRecommended |
Fraudulent websites (that use “social engineering”) visiting which is not recommended. |
AdultContent |
Websites that contain pornographic or erotic materials, dating sites, and so on. |
Violence |
Websites that encourage violence or contain materials about various fatal accidents, and so on. |
Weapons |
Websites that describe weapons and explosives or provide information on their manufacturing. |
Gambling |
Websites that provide access to online games of chance, casinos, auctions, including sites for placing bets, and so on. |
Drugs |
Websites that promote use, production or distribution of drugs, and so on. |
ObsceneLanguage |
Websites that contain the obscene language (in titles, articles, and so on). |
Chats |
Websites that offer a real-time transmission of text messages. |
Terrorism |
Websites that contain aggressive and propaganda materials or terroristic attacks descriptions, and so on. |
FreeEmail |
Websites that offer the possibility of free registration of an email box. |
SocialNetworks |
Different social networking services: general, professional, corporate, interest-based; thematic dating websites. |
DueToCopyrightNotice |
Websites, links to which are defined by the copyright holders of some copyrighted work (movies, music, and so on). |
OnlineGames |
Websites that provide access to games using the permanent Internet connection. |
Anonymizers |
Websites that allow the user to hide personal information and providing the access to the blocked web resources. |
CryptocurrencyMiningPool |
Websites that provide an access to common services for cryptocurrencies mining. |
Jobs |
Job search websites. |
As values of the variables sni_category and url_category, it is also possible to use names of the parameters that control blocking (see below).
2.Threat categories (for the threat_category variable)
Convention |
Threat categories |
|---|---|
KnownVirus |
Known threat (virus). |
VirusModification |
Modification of the known threat (virus). |
UnknownVirus |
Unknown threat, suspicious object. |
Adware |
Adware. |
Dialer |
Dialer. |
Joke |
Joke. |
Riskware |
Riskware. |
Hacktool |
Hacktool. |
As a value of the variable threat_category, it is also possible to use names of the parameters that control blocking (see below).
Configuration parameters that can be used in rule conditions
Parameters used in the component rules of Dr.Web ICAPD (indicated with the prefix ICAPD.):
Parameter |
Description and Usage Example |
|---|---|
Whitelist |
White list contains the list of domains, the access to which is allowed, even if these domains are included in the database of categories. Examples: url_host not in "ICAPD.Whitelist" : Block as BlackList |
Blacklist |
Black list contains the list of domains, the access to which is blocked by the user (or the administrator). Examples: url_host in "ICAPD.Blacklist" : Block as BlackList |
Adlist |
Advertisement list. Contains a list of regular expressions that describe advertising websites. The list is defined by the user (or administrator). Examples: url match "ICAPD.Adlist" : Block as BlackList |
BlockCategory |
“Meta-parameter”: its value is a list of names of those web resource categories (Chats, AdultContent, and so on) for which the corresponding Block* parameters in the [<%ICAP_SECTION%>] section are set to Yes. Examples: url_category in "ICAPD.BlockCategory" : Block as _match |
BlockThreat |
“Meta-parameter”: its value is a list of names of those threat types (KnownVirus, Joke, and so on) for which the corresponding Block* parameters in the [<%ICAP_SECTION%>] section are set to Yes. Examples: threat_category in "ICAPD.BlockThreat" : Block as _match |