Appendix A. Traffic Checking Rules

Rules are production rules of the form IF <condition> THEN <action>. The <condition> part contains checks of the kinds "the variable value is (not) set" and "the variable value is (not) contained in the specified set". The <action> part contains either an ultimate resolution (pass or block the traffic) or an action such as "assign a value to the variable" or "add the specified value to the set of variable values".

The <action> part of a rule is executed only if its <condition> part evaluates to true. If the <condition> part evaluates to false, the action is not performed and processing moves on to the next rule. Rules are evaluated from top to bottom until one of them performs an ultimate resolution; all rules below that one are ignored.

Rule Format

A rule has the following format:

[<condition>[, <condition>[, ...]]] : <action>

The conditional part of the rule (before ':') can be omitted, in which case the <action> part is executed unconditionally; the ':' separator can then be omitted as well. The comma between conditions acts as a logical conjunction ("and"): the conditional part evaluates to true only if all of its conditions are true. Keywords, variable names and configuration parameter names in rules are case-insensitive.

Conditions

The following types of conditions can be used in the conditional part of a rule (the optional keyword not negates a condition):

<variable> <value>

The value of the specified variable coincides with the given value.

Can be used only for those variables that can contain a set of values simultaneously.

<variable> [not] in <set of values>

The value of the specified variable is contained in the specified set of values (with not: is equal to none of the values in the set).

<variable> [not] match <set of values>

The value of the specified variable matches at least one of the regular expressions listed in the specified set (with not: matches none of them).

Note: regular expressions are written in either POSIX syntax (BRE, ERE) or Perl syntax (PCRE, PCRE2).

<variable> [not] gt <value>

The value of the specified variable is (not) greater than the given value.

Can be used only for those variables that have a single value.

<variable> [not] lt <value>

The value of the specified variable is (not) less than the given value.

Can be used only for those variables that have a single value.

The <set of values> against which a variable is compared can be specified in the following ways:

(<value 1>[, <value 2>[, ...]])

The values to check against are listed directly in parentheses (at least one value). If there is only one value and the in condition is used, the parentheses can be omitted, which gives the <variable> <value> form.

"<section>.<parameter>"

The set of values currently assigned to a configuration parameter. Between the quotation marks, give the name of the parameter whose value (or set of values) is to be checked, prefixed with the name of the section the parameter belongs to.

Which parameters can be used in conditions depends on the component for which the rules are written; the lists are given below.

file("<file name>")

The list of values is read from the text file <file name>: one line is one list element, and leading and trailing spaces on a line are ignored. The path to the file must be absolute. Quotation marks and apostrophes in <file name> must be escaped with a backslash (\).

Note: the file size must not exceed 64 MB.

The file contents are read and substituted into the rules once, when Dr.Web for UNIX Internet Gateways starts. If the file does not exist or exceeds the size limit, error x102 is reported.

If the file contents change while the product is running, restart Dr.Web for UNIX Internet Gateways after saving the changes in order to apply them.

Sets of values from a file are not available for all variables. Whether a variable can be checked against a set of values from a file is indicated below.

<type_of_LOOKUP_request>@<tag>[@<value>]

The set of values is requested via Dr.Web LookupD from an external data source (LDAP, Active Directory), where <type_of_LOOKUP_request> is the type of the data source (LDAP or AD), <tag> is the name of the section describing the connection used to fetch the data, and the optional <value> is a value that must be contained in the set retrieved from the data source.

Note: values from Dr.Web LookupD are not available for all variables, and not every condition type can be applied to every variable. Whether a variable can be checked against Dr.Web LookupD is indicated below.

Actions

Actions are divided into ultimate resolutions, which decide whether the traffic is blocked or allowed, and actions that change the value of a variable so that it can be used in the conditions of subsequent rules.

Ultimate Resolutions

Common Resolutions

PASS

Pass the traffic (allow the connection). The rules below (if any) are ignored.

In mail-processing rules this is also the command that lets a message be delivered to the recipient after all accumulated changes have been applied to it (that is, all executed REPACK, ADD_HEADER and CHANGE_HEADER actions).

BLOCK as <reason>

Block the traffic (refuse the connection). The rules below (if any) are ignored.

The blocking <reason> is recorded in the log and also selects the notification shown to the user in the browser. Two standard reasons can be used as <reason> for BLOCK:

BlackList: the data is blocked because it is included in the user's black list.

_match: the data is blocked because the web resource, or the file containing a threat, belongs to a category that triggered the rule (for conditions of the form *_category in (...)). The _match variable holds the list of blocked categories for which a correspondence was found.

Aspects of resolution processing:

BLOCK as BlackList is always treated as "is included in a black list", regardless of the condition in the rule that contains it.

BLOCK as _match, if _match is not empty, is treated as "belongs to the _match category".

BLOCK as _match, if _match is empty, is treated as "is included in a black list", regardless of the condition in the rule that contains it.

If all rules have been evaluated and none of them produced an ultimate resolution (or no rule contains a resolution), the result is the same as PASS.

Changing Value of a Variable

To change the value of a variable, the following instruction is used:

SET <variable> = ([<value 1>[, <value 2>[, ...]]])

If nothing is enclosed in the parentheses, the list of variable values is cleared. If there is only one value, the parentheses can be omitted:

SET <variable> = <value>
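To make the evaluation order and the condition/action semantics above concrete, here is a small dry-run evaluator for this rule syntax, written in Python for this appendix. It is an added example and not part of Dr.Web for UNIX Internet Gateways: it uses a '#' comment convention of its own, takes "Section.Parameter" and file("...") sets from dictionaries that the caller preloads (mirroring the once-at-start-up file read), does not model Dr.Web LookupD sources, and treats set membership as plain string equality. The hosts, parameter values and the rule set inside it are constructed for the demonstration.

```python
"""Dry-run evaluator for the rule syntax of this appendix (added example, not Dr.Web code).
Modelled: top-down evaluation, ANDed comma-separated conditions, the first PASS / BLOCK
ending processing, SET changing a variable, no resolution meaning PASS, BLOCK as _match
falling back to BlackList when _match is empty.  "Section.Parameter" and file("...") sets
come from caller-preloaded dicts; LookupD (LDAP@, AD@) is not modelled; set membership is
plain string equality.  Hosts, parameter values and rules below are constructed."""
import re

TOKEN_RE = re.compile(r"""(?:"[^"]*"|'[^']*')|[(),:=]|[^\s(),:=]+""")
OPS = ("in", "match", "gt", "lt")

def norm(name):
    return name.lower().replace("_", "")   # names are case-insensitive, underscores optional

def unquote(tok):
    return tok[1:-1] if tok[:1] in ("'", '"') and tok[-1:] == tok[:1] else tok

def split_top(tokens, sep):
    """Split on `sep` tokens that are not nested inside parentheses."""
    parts, depth = [[]], 0
    for tok in tokens:
        depth += (tok == "(") - (tok == ")")
        if tok == sep and depth == 0:
            parts.append([])
        else:
            parts[-1].append(tok)
    return parts

def resolve_set(tokens, ctx):
    """Right-hand side of in/match: (v1, v2), "Section.Param", file("/abs/path") or one value."""
    if tokens[0] == "(":
        return {unquote(t) for t in tokens[1:-1] if t != ","}
    if tokens[0].lower() == "file":                       # tokens: file ( "path" )
        return ctx["files"][unquote(tokens[2])]
    if tokens[0].startswith('"'):                         # "Section.Parameter" reference
        return ctx["config"][unquote(tokens[0]).lower()]
    if "@" in tokens[0]:                                  # LDAP@tag or AD@tag@group
        raise NotImplementedError("LookupD sources are not modelled")
    return {unquote(tokens[0])}                           # bare <variable> <value> form

def eval_cond(tokens, vars_, ctx):
    name, rest = norm(tokens[0]), tokens[1:]
    value = vars_.get(name, set())                        # unset variable == empty set
    negate, rest = (True, rest[1:]) if rest[0].lower() == "not" else (False, rest)
    op, rest = (rest[0].lower(), rest[1:]) if rest[0].lower() in OPS else ("in", rest)
    if op in ("gt", "lt"):                                # single-valued variables only
        (v,) = value                                      # numeric comparison: assumption
        hit = float(v) > float(rest[0]) if op == "gt" else float(v) < float(rest[0])
    else:
        wanted = resolve_set(rest, ctx)
        if op == "match":
            hit = any(re.search(p, v) for p in wanted for v in value)
        else:
            hit = bool(value & wanted)
            if name.endswith("category"):                 # *_category in (...) feeds _match
                vars_["_match"] = value & wanted
    return hit != negate

def run_action(tokens, vars_):
    """Return an ultimate resolution, or None when the rule only SETs a variable."""
    kw = tokens[0].lower()
    if kw == "pass":
        return "PASS"
    if kw == "block":                                     # BLOCK as <reason>
        reason = tokens[2]
        if reason.lower() == "_match":
            matched = vars_.get("_match", set())
            reason = ",".join(sorted(matched)) if matched else "BlackList"
        return "BLOCK as " + reason
    if kw == "set":                                       # SET <var> = (<v1>, ...) | <value>
        vars_[norm(tokens[1])] = {unquote(t) for t in tokens[3:] if t not in ("(", ")", ",")}
        return None
    raise ValueError("unknown action: %s" % " ".join(tokens))

def evaluate(rules, traffic, ctx):
    """Apply `rules` (one per line) to one connection; return (resolution, variables)."""
    vars_ = {norm(k): set(v) if isinstance(v, (list, set, tuple)) else {v}
             for k, v in traffic.items()}
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()              # '#' comments: this example's own
        if not line:
            continue
        parts = split_top(TOKEN_RE.findall(line), ":")
        conds, action = (parts[0], parts[1]) if len(parts) == 2 else ([], parts[0])
        if all(eval_cond(c, vars_, ctx) for c in split_top(conds, ",") if c):
            result = run_action(action, vars_)
            if result is not None:
                return result, vars_
    return "PASS", vars_                                  # nothing fired: same as PASS

CTX = {  # stand-ins for the live configuration and for preloaded file("...") contents
    "config": {"icapd.whitelist": {"drweb.com", "intranet.example"},
               "icapd.blacklist": {"bad.example"},
               "icapd.adlist": {r"//ads\.", r"/banner/"},
               "icapd.blockcategory": {"AdultContent", "Chats"},
               "icapd.blockthreat": {"KnownVirus", "Joke"}},
    "files": {"/etc/file": {"10.0.0.5", "10.0.0.6"}}}

RULES = """
url_host in "ICAPD.Whitelist" : PASS        # the exception comes first, or it never fires
url_host in "ICAPD.Blacklist" : BLOCK as BlackList
url match "ICAPD.Adlist" : BLOCK as BlackList
src_ip in file("/etc/file") : SET http_templates_dir = "/etc/kiosk_templates"
protocol in (HTTP), url_category in "ICAPD.BlockCategory" : BLOCK as _match
threat_category in "ICAPD.BlockThreat" : BLOCK as _match
"""
```

Running evaluate(RULES, ...) on an HTTP connection whose url_category contains Chats returns "BLOCK as Chats" (the _match reason carries the matched category), while a whitelisted host returns PASS even if it also falls into a blocked category, because the PASS rule is evaluated first. Moving the whitelist rule below the category rule would silently disable the exception; with top-down, first-resolution-wins semantics, the order of the rules is part of the policy.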

Variables used in the rules

Variable names in rules are case-insensitive, and compound names may be written with or without underscores: variable_name, VariableName and variablename all denote the same variable. In this section all variables are written with underscores (variable_name).

For each variable the following is given: its description, whether it can be used in the conditional part of a rule, and whether it can be used in the action part (SET).

protocol

Network protocol type used by the connection.

The variable can simultaneously contain a set of values.

Allowed values: HTTP, SMTP, IMAP, POP3.

Usage aspects:

The variable value can be determined only if SSL/TLS is not used or SSL unwrapping is permitted.

For Dr.Web ICAPD rules there is no point in specifying any value other than HTTP, since Dr.Web ICAPD handles HTTP only.

A set of values from a file can be used to check this variable.

Examples:

protocol in (HTTP, SMTP)
protocol in (POP3)
protocol in file("/etc/file")

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

url

URL requested by the client. Can be compared with a string or with a regular expression.

Usage aspects:

Dr.Web LookupD can be used to check the value of this variable.

A set of values from a file can be used to check this variable.

Examples:

url match ("drweb.com", "example\..*", "aaa\.ru/")
url match "ICAPD.Adlist"
url not match LDAP@BadURLs
url match file("/etc/file")

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

url_host

Host (from the URL) with which the connection is established.

Usage aspects:

The variable value can be determined only if SSL/TLS is not used or SSL unwrapping is permitted.

Dr.Web LookupD can be used to check the value of this variable.

A set of values from a file can be used to check this variable.

Examples:

url_host in ('vk.com', 'ya.ru')
url_host not in "ICAPD.Whitelist"
url_host in LDAP@hosts
url_host not in file("/etc/file")

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

url_category

The list of categories to which the URL/host belongs, according to the web resource category database or to Dr.Web Cloud replies.

The variable can simultaneously contain a set of values.

Usage aspects:

The variable value can be determined only if SSL/TLS is not used or SSL unwrapping is permitted.

In Dr.Web ICAPD rules a not in condition is also true when, according to the scan results, the URL/host belongs to none of the predefined categories (a "safe" URL/host).

If the web resource category databases are not installed, the variable cannot be used in rules: an attempt to evaluate a condition that uses it results in error x112.

A set of values from a file can be used to check this variable.

Examples:

url_category not in (AdultContent, Chats)
url_category in "LinuxFirewall.BlockCategory"
url_category in (FreeEmail)
url_category in file("/etc/file")

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

threat_category

The list of categories of the threat detected in the transferred data (according to the virus databases).

The variable can simultaneously contain a set of values.

Usage aspects:

The variable value can be determined only if SSL/TLS is not used or SSL unwrapping is permitted.

In Dr.Web ICAPD rules a not in condition is also true when, according to the scan results, the object contains no threats from any of the predefined categories (a "safe" object).

A set of values from a file can be used to check this variable.

Examples:

threat_category in "LinuxFirewall.BlockThreat"
threat_category not in (Joke)
threat_category in file("/etc/file")

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

user

The name of the user with whose privileges the process sending (or receiving) the traffic was started.

Usage aspects:

In Dr.Web ICAPD rules this is the name of the user authenticated on the proxy server (if the proxy server supports authentication). If the proxy server does not support user authentication, the variable is empty.

Dr.Web LookupD can be used to check the value of this variable.

To find out whether the user belongs to a certain group, use an LDAP or Active Directory data source that returns a list of groups and specify the name of the group whose membership you want to check, in the format <type of the source for LookupD>@<source of groups>@<required group>. Requests to Active Directory (AD@) return only lists of groups, so for them the @<required group> part is mandatory.

A set of values from a file can be used to check this variable.

Examples:

user in ('user1', 'user2')
user in AD@Winusergroups@Admins
user in LDAP@AllowedUsers
user not in file("/etc/file")

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

src_ip

The IP address of the host establishing the connection.

Usage aspects:

The set of values may contain individual addresses as well as networks in CIDR notation (as 198.126.10.0/24 in the first example).

Dr.Web LookupD can be used to check the value of this variable.

A set of values from a file can be used to check this variable.

Examples:

src_ip not in (127.0.0.1, 10.20.30.41, 198.126.10.0/24)
src_ip in LDAP@AllowedAddresses
src_ip not in file("/etc/file")

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

direction

The type of traffic on the connection.

Allowed values: request (client request), response (server reply).

The variable cannot contain a set of values; conditions of the match and in types cannot be applied to it.

Examples:

direction request
direction not response

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

divert

The direction of the connection.

Allowed values: input (incoming: created/initiated from outside the local host), output (outgoing: created/initiated on the local host).

The variable cannot contain a set of values; conditions of the match and in types cannot be applied to it.

Examples:

divert input
divert not output

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.

content_type

MIME type of the data transferred during the connection.

Usage aspects:

The variable value can be determined only if SSL/TLS is not used or SSL unwrapping is permitted.

The expression "*/*" matches data of any MIME type as well as HTTP replies without a Content-Type header.

Dr.Web LookupD can be used to check the value of this variable.

A set of values from a file can be used to check this variable.

Examples:

content_type in ("multipart/byteranges", "application/octet-stream")
content_type not in ("text/*", "image/*")
content_type not in ("audio/*")
content_type in ("*/*")
content_type in LDAP@BlockedContent
content_type not in file("/etc/file")

Can be used in the conditional part: Yes. Can be used in the action part (SET): No.
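The src_ip and content_type examples above rely on in doing more than string comparison: the src_ip set holds a CIDR block (198.126.10.0/24) and the content_type set holds "type/*" wildcards, with "*/*" also covering replies that carry no Content-Type header; file("...") sets add their own rules (one value per line, surrounding spaces ignored, 64 MB limit, read once at start-up). The following Python code, added to this appendix and not part of the product, implements those checks and chains two such conditions in the documented order. The HTTP replies and file contents in it are constructed, and comparing MIME types case-insensitively is this example's assumption.

```python
"""Membership checks that `in` must perform for src_ip, content_type and file("...")
sets (added example, not Dr.Web code).  src_ip sets may hold CIDR blocks; content_type
sets may hold "type/*" wildcards, and "*/*" also matches a reply with no Content-Type
header; file("...") sets are one value per line, stripped, at most 64 MB, read once at
start-up.  Sample replies and file text are constructed; MIME comparison is done
case-insensitively (this example's assumption)."""
import ipaddress
import os
from fnmatch import fnmatchcase

MAX_FILE_SIZE = 64 * 1024 * 1024          # documented limit for file("...") sets

def parse_file_set(text, size_bytes):
    """Contents of a file("...") set: one element per line, blank lines dropped."""
    if size_bytes > MAX_FILE_SIZE:
        raise ValueError("file set exceeds 64 MB (error x102)")
    return {line.strip() for line in text.splitlines() if line.strip()}

def load_file_set(path):
    """Read a file("...") set once, at start-up; later changes on disk need a restart."""
    if not os.path.isabs(path):
        raise ValueError("file() requires an absolute path: %r" % path)
    if not os.path.exists(path):
        raise FileNotFoundError("file set missing (error x102): %r" % path)
    with open(path, encoding="utf-8") as fh:
        return parse_file_set(fh.read(), os.path.getsize(path))

def ip_in_set(addr, values):
    """src_ip in (...): plain addresses or CIDR blocks, IPv4 or IPv6; mixed versions never match."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)

def content_type_of(raw_reply):
    """Content-Type of a raw HTTP reply without its parameters, or None if the header is absent."""
    head = raw_reply.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:                  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return None

def content_type_in_set(mime, patterns):
    """content_type in (...): "text/*" wildcards; "*/*" also covers a missing header."""
    if mime is None:
        return "*/*" in patterns
    return any(fnmatchcase(mime, p.lower()) for p in patterns)

def check_reply(src_ip, raw_reply, trusted_nets, blocked_types):
    """Two rules applied in order to a server reply (direction response):
         src_ip in <trusted_nets> : PASS
         content_type in <blocked_types> : BLOCK as BlackList
    Falling through both is the same as PASS."""
    if ip_in_set(src_ip, trusted_nets):
        return "PASS"
    if content_type_in_set(content_type_of(raw_reply), blocked_types):
        return "BLOCK as BlackList"
    return "PASS"

# Constructed sample data: the addresses are the ones from the src_ip example above.
TRUSTED_NETS = ["127.0.0.1", "10.20.30.41", "198.126.10.0/24"]
BLOCKED_TYPES = ["application/octet-stream", "application/x-msdownload"]
HTML_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: Text/HTML; charset=utf-8\r\n"
              b"Content-Length: 6\r\n\r\n<html>")
OCTET_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Length: 4\r\n\r\nMZ\x90\x00")
BARE_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nabcd"   # no Content-Type at all
```

A download served as application/octet-stream from an untrusted client address gets "BLOCK as BlackList", while the same reply for a client inside 198.126.10.0/24 passes on the first rule. Note that a reply with no Content-Type header is matched by no "type/*" pattern at all; only "*/*" catches it, which is why a rule meant to cover unlabelled downloads has to list "*/*" explicitly.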

http_templates_dir

The path to the directory holding the template of the notification page shown when an HTTP request is blocked.

If the path starts with / (forward slash), it is absolute; otherwise it is relative to the directory specified in the TemplatesDir parameter.

Usage aspects:

Meaningful only for the HTTP(S) protocol.

Examples:

SET http_templates_dir = "/etc/mytemplates"
set http_templates_dir = "templates_for_my_site"

Can be used in the conditional part: No. Can be used in the action part (SET): Yes.

Categories of unwanted websites and threats

1. Categories of unwanted websites (for the variables sni_category, url_category)

Convention

Website category

InfectionSource

Websites containing malicious software (“infection sources”).

NotRecommended

Fraudulent websites (using social engineering) that are not recommended for visiting.

AdultContent

Websites containing adult content.

Violence

Websites containing graphic violence.

Weapons

Websites dedicated to weapons.

Gambling

Gambling websites.

Drugs

Websites dedicated to drugs.

ObsceneLanguage

Websites with obscene language.

Chats

Chat websites.

Terrorism

Websites that contain information about terrorism.

FreeEmail

Websites that offer free email registration.

SocialNetworks

Social networking websites.

DueToCopyrightNotice

Websites that were specified by the holders of copyrights pertaining to content or works protected by copyright law (movies, music, etc.).

As values of the variables sni_category and url_category, it is also possible to use names of the parameters that control blocking (see below).

2. Threat categories (for the threat_category variable)

Convention

Threat categories

KnownVirus

Known threat (virus).

VirusModification

Modification of the known threat (virus).

UnknownVirus

Unknown threat, suspicious object.

Adware

Adware.

Dialer

Dialer.

Joke

Joke.

Riskware

Riskware.

Hacktool

Hacktool.

As a value of the variable threat_category, it is also possible to use names of the parameters that control blocking (see below).

Configuration parameters that can be used in rule conditions

Parameters used in the rules of the Dr.Web ICAPD component (referenced with the ICAPD. prefix):

Whitelist

The white list: domains to which access is allowed even if they are present in the category database.

Example:

url_host not in "ICAPD.Whitelist" : BLOCK as BlackList

Blacklist

The black list: domains to which access is blocked by the user (or the administrator).

Example:

url_host in "ICAPD.Blacklist" : BLOCK as BlackList

Adlist

The advertisements list: a list of regular expressions describing advertising sites, created by the user (or the administrator).

Example:

url match "ICAPD.Adlist" : BLOCK as BlackList

BlockCategory

"Meta-parameter": its value is the list of names of those web resource categories (Chats, AdultContent, etc.) for which the corresponding Block* parameters in the [ICAPD] section are set to Yes.

Example:

url_category in "ICAPD.BlockCategory" : BLOCK as _match

BlockThreat

"Meta-parameter": its value is the list of names of those threat types (KnownVirus, Joke, etc.) for which the corresponding Block* parameters in the [ICAPD] section are set to Yes.

Example:

threat_category in "ICAPD.BlockThreat" : BLOCK as _match