
Signatures

Some of the download scripts, as well as downloading the Sanesecurity signatures, can also download other third-party databases.

The following tables contain a brief list of all third-party databases, a short description of each, and my opinion on their approximate false-positive risk; your mileage may vary.

It is also recommended, especially for the high-risk groups, to score detections rather than block outright; it is down to each signature user to determine the detection rate versus false-positive rate for each group.

Any false positives will normally be fixed by each signature producer.

The following databases are distributed and produced by Sanesecurity:

| Database Name | Description | FP Risk |
|---|---|---|
| junk.ndb | General high-hitting junk, containing spam/phishing/lottery/jobs/419s etc. | Low |
| jurlbl.ndb | Junk URL based | Low |
| jurlbla.ndb | Junk URL based, autogenerated from various feeds | Med |
| lott.ndb | Lottery | Med |
| phish.ndb | Phishing and malware | Low |
| rogue.hdb | Malware, rogue anti-virus software and fake codecs etc. Updated hourly to cover the latest malware threats. Please send any undetected virus samples to | Low |
| sanesecurity.ftm | Message file types (REQUIRED for best performance) | |
| sigwhitelist.ign2 | Fast update file to whitelist any problem signatures (REQUIRED 0.96rc1+) | |
| scam.ndb | Spam/scams | Low |
| spam.ldb | Spam detected using the new logical signature type | Med |
| spamimg.hdb | Spam images | Low |
| spamattach.hdb | Spammed attachments such as PDFs/docs/RTF/zips | Low |
| spear.ndb | Spear-phishing email addresses (autogenerated from data here) | Med |
| spearl.ndb | Spear-phishing URLs (autogenerated from data here) | Med |
| blurl.ndb | Blocklisted full URLs over the last 7 days, covering malware/spam/phishing. URLs are added only when the main signatures have failed to detect but are known to be "bad". | Low |
| foxhole_generic.cdb | See Foxhole page for more details | Low |
| foxhole_filename.cdb | See Foxhole page for more details | Low |
| foxhole_js.cdb | See Foxhole page for more details | Med |
| foxhole_js.ndb | See Foxhole page for more details | Med |
| foxhole_all.cdb | See Foxhole page for more details | High |
| foxhole_all.ndb | See Foxhole page for more details | High |
| foxhole_mail.cdb | See Foxhole page for more details | High |
| malwarehash.hsb | Malware hashes without known size | Low |
| hackingteam.hsb | Hacking Team hashes converted to ClamAV format (based on work by rooksecurity.com) | Low |
| badmacro.ndb | Blocks dangerous macros embedded in Word/Excel/XML/RTF/JS documents | Med |
| shelter.ldb | Phishing and malware | Med |
| Sanesecurity_sigtest.yara | YARA format: signature test | Low |
| Sanesecurity_spam.yara | YARA format: detects spam emails | Low |


The following databases are distributed by Sanesecurity, but produced by OITC:

| Database Name | Description | FP Risk |
|---|---|---|
| winnow_malware.hdb | Current viruses, trojans and other malware not yet detected by ClamAV. Undetected virus samples can be sent to virus_samples@oitc.com | Low |
| winnow_malware_links.ndb | Links to malware | Low |
| winnow_spam_complete.ndb | Signatures to detect fraud and other malicious spam | Med |
| winnow_phish_complete.ndb | Phishing and other malicious URLs and compromised hosts | High |
| winnow_phish_complete_url.ndb | Similar to winnow_phish_complete.ndb, except that entire URLs are used | Med |
| winnow.complex.patterns.ldb | Hand-generated signatures for malware and some egregious fraud | Med |
| winnow_extended_malware.hdb | Hand-generated signatures for malware | Low |
| winnow_extended_malware_links.ndb | Hand-generated signatures for malware links | Med |
| winnow.attachments.hdb | Spammed attachments such as PDFs/docs/RTF/zips | Low |
| winnow_bad_cw.hdb | MD5 hashes of malware attachments acquired directly from a group of botnets | Low |

Note: the two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb should not be used together.

The following databases are distributed by Sanesecurity, but produced by MiscreantPunch:

| Database Name | Description | FP Risk |
|---|---|---|
| MiscreantPunch099-Low.ldb | Ruleset containing comprehensive rules for detecting malicious or abnormal macros, JS, HTA, HTML, XAP, JAR, SWF, and more | Med |
| MiscreantPunch099-INFO-Low.ldb | Ruleset providing context for various files. Info- and Suspicious-level signatures may inform analysts of potentially interesting conditions that exist within a document | High |


The following databases are distributed by Sanesecurity, but produced by bofhland:

| Database Name | Description | FP Risk |
|---|---|---|
| bofhland_cracked_URL.ndb | Spam URLs | Low |
| bofhland_malware_URL.ndb | Malware URLs | Low |
| bofhland_phishing_URL.ndb | Phishing URLs | Low |
| bofhland_malware_attach.hdb | Malware hashes | Low |

The following databases are distributed by Sanesecurity, but produced by Porcupine Signatures:

| Database Name | Description | FP Risk |
|---|---|---|
| porcupine.ndb | Brazilian e-mail phishing and malware signatures | Low |
| phishtank.ndb | Online and valid phishing URLs from the phishtank.com data feed | Low |
| porcupine.hsb | SHA256 hashes of VBS and JSE malware, kept for 7 days | Low |

Disclaimer:

Whilst every effort has been made by Sanesecurity to ensure that the signatures do not lead to false positives, we make no warranty that the signatures will meet your requirements or be uninterrupted, complete, timely, secure or error-free. You must therefore use them at your own risk.

Permanent link to this article: https://sanesecurity.com/usage/signatures/
