The rules are represented by production rules such as IF <conditional_part> THEN <action_part>. At that, in the part <conditional_part> the following scanning types are specified: “The variable value is (not) set” or “The variable value is (not) included in the specified set”. The part <action_part> contains a set of (at least one) actions, and each of these actions is an ultimate resolution (skip or block a scanned object), or amodifying action which looks as “Change features of the scanned object”, “Assign the set value to the specified variable” or “Add the set value to the array of values of the specified variable”.
Part of the rule actions is executed only if the conditional part is true. If the conditional part evaluates to false, the actions specified in this rule are not performed, and the program jumps to the next rule. The rules are considered vertically down until an ultimate resolution is performed. After this, all undermentioned rules (if there are any) are ignored. When a rule is executed, it is important that actions in <action_part> are performed in order of their specification from left to right, and if there is an ultimate resolution in the chain of actions that interrupts the rule handling, the rest of the actions specified in <action_part> is not performed.
Rule Format
Format of the rule production
[<condition>[, <condition>[, …]]] : <action>[, <action>[, …]]
|
The conditional part of the rule (before ':') can be missing, in this case a part of the actions is executed without any condition. If the conditional part of the rule is missing, the ':' separator can be omitted. The comma between conditions in the conditional part and actions in the action part performs a role of a logical conjunction (that is, “and”): the conditional part elevates to true, only if all its conditions are true, and all actions specified in the action part are performed in order of their specification from left to right until an ultimate resolution which interrupts the rule handling. In the rules the register is not important for the key words, names of variables and configuration parameters.
Conditions
The following types of conditions can be use in the conditional part of the rules:
Condition
|
Meaning of the Condition
|
<variable> <value >
|
The value of the specified variable coincides with the set value.
Can be used only for those variables that can contain a set of values simultaneously.
|
<variable>[not] in <set of values>
|
The value of the specified variable is contained in the specified set of values (for not—does not match any value from the specified set).
|
<variable> [not] match <set of values>
|
The value of the specified variable matches any regular expression listed in the specified set (for not—does not match any expression from the specified set).
|
Regular expressions are specified using either the POSIX syntax (BRE, ERE) or the Perl syntax (PCRE, PCRE2).
|
|
<variable> [not] gt <value>
|
The value of the specified variable is (not) greater than the set value.
Can be used only for those variables that can have a single value.
|
<variable> [not] lt <value>
|
The value of the specified variable is (not) less than the set value.
Can be used only for those variables that can have a single value.
|
*) An optional key word not means negation.
Part <set of values> to which a variable is compared can be specified in the following ways:
Syntax
|
Meaning
|
(<value 1>[, <value 2>[, ...]])
|
In the parentheses you directly list the set of values to check against (not less then one value). In case there is only one value and the in condition is used, you can omit the parentheses (and you will end up with a case <variable> <value>).
|
"<section>.<parameter>"
|
The set of values currently assigned to a certain configuration parameter; where between the quotation marks you should specify the name of a configuration parameter whose value (or set of values) must be checked (note that you also need to specify the name of the section to which the parameter belongs).
The lists of the parameters that can be used as conditions depend on the component for which the rules are set. The lists are provided below.
|
file("<file name>")
|
List of values is read from the text file <file name> (one file string—one list element, leading and trailing spaces in strings are ignored). A path to the file must be absolute. If a <file name> contains quotes and apostrophes, they must be escaped: '\'.
|
The file size must not exceed 64 MB.
The file contents are read and inserted into the rules once, during the download of the configuration file. If there is no file or the file size is exceeded, an error x102 appears during the download.
In case the file contents are changed during the process, in order to apply all changes, you should reboot your computer after the changes are saved using the command drweb-ctl reload.
A set of values from the file is not available for all variables. Whether you can use a variable to scan its value by using a set of values from the file is indicated below.
|
|
<type_of_LOOKUP_request>@<tag>[@<value>]
|
A set of values is requested via Dr.Web LookupD from an external data source (LDAP, ActiveDirectory), where <LOOKUP_request_type> is the type of the data source used (LDAP or AD); <tag> is a section name describing the connection that is used to sample the data, and <value> (optional) is a value that must be contained in the set of values retrieved from the data source.
|
Values from Dr.Web LookupD are not available for all variables. Also, the condition <scanning> cannot be applied to all variables. Whether you can use a variable to scan its value by using Dr.Web LookupD is indicated below.
|
|
If a variable is multiple-valued, the condition <variable> in <set of values> is true, if intersection of the set of current values of the specified variable <variable> with the indicated set <set of values> is not empty. The condition not in is true in the opposite case. For example, suppose X is a variable, which the current value is a set with values a, b, c. Then
•X in (a, b) is true because values a and b are encountered in both sets; •X in (a, d, e) is true because value a is encountered in both sets; •X in (d, e) is false because there is no value of the variable (a, b, c) in the set (d, e). •X in () – false as array of variable values is not empty. •X not in () – true, the array of variable values is not empty. •X not in (d, e) is true because there is no value of the variable (a, b, c) in the set (d, e). •X not in (a, d, e) is false because value a is encountered in both sets; In the description of the variables below, there is an indication for each variable whether it can adopt a set of values.
Actions
The actions can be divided into ultimate resolutions, defining whether the object is blocked or allowed and actions that change the value of a variable, which can be used to check the downward conditions.
Ultimate Resolutions
Resolution
|
Description (Meaning)
|
Common Resolutions
|
PASS
|
Skip traffic (allow connection creation, send an object to a recipient). The downward rules (if there are any) are not used.
For the rules of mail processing, there is merit in a command that allows a message to be transmitted to a recipient after all collected changes have been applied to it (i. e. all executed actions REPACK, ADD_HEADER, CHANGE_HEADER, see below).
|
BLOCK as <reason>
|
Block traffic (block connection creation, send an object to a recipient). The downward rules (if there are any) are not used.
A blocking <reason> is recorded in the log. The same reason is used to define a browser notification to be shown to a user. Two standard reasons can be used as <reason> for BLOCK:
•BlackList—the data is blocked because it is included in user’s black list. •_match—the block happens because a web resource or file containing threat belongs to a category that triggers rule executing (for conditions *_category in (...)). The _match variable contains the list of blocked categories for which the correspondence has been executed. |
Features of handling ultimate resolutions:
•BLOCK as BlackList, always processes as “is included in a black list” (without considering the condition specified in the rules with this resolution). •BLOCK as _match, if _match is not empty, processes as “belongs to the _match category”. •BLOCK as _match, if _match is empty, processes as “is included in a black list” (without considering the condition specified in the rules with this resolution). •If all rules have been considered, and none of the rules with resolutions performs (or the rules do not have resolutions), this situation is the same as PASS action.
|
For SpIDer Gate rules that process non-mail-related connections (i.e. when the previous condition says that the traffic must be HTTP traffic), the triggering of a mail-related resolution is treated as equivalent to the triggering of a BLOCK as BlackList resolution (additionally, a message about applying an unknown action is recorded into the log).
In the rules for Dr.Web ICAPD, mail-related resolutions have no meaning and no effect: the rules that contain mail-related resolutions are ignored without any reaction to them.
|
Changing Value of a Variable
To change the variable value, the following instruction is used:
SET <variable> = ([<value 1>[, <value 2>[, ...]]])
|
If nothing is enclosed in brackets, the list of variable values is cleared. If there is only one value, the brackets should be omitted, that is, the following syntaxes should be used:
SET <variable> = <value >
|
Variables used in the rules
When indicating variables in the rules, the register of symbols is not considered. The variables with compound names could be saved using underscore for spacing or without it. Thus, records variable_name, VariableName and variablename represent the same variable. In this section, all variables are saved using underscore (i.e. variable_name).
Variable
|
Description
|
Can be used in
|
conditional part
|
action part (SET)
|
protocol
|
Network protocol type, used by the connection.
The variable can simultaneously contain a set of values.
Allowed values: HTTP, SMTP, IMAP, POP3.
Usage Aspects:
•The variable value can be defined only if SSL/TLS is not used or it was allowed to unwrap SSL. •It does not make sense to specify any other value exceptHTTP for the Dr.Web ICAPD rules: only HTTP can be specified for Dr.Web ICAPD. •A set of values for checking a variable value is available from the file. Examples:
protocol in (HTTP, SMTP)
protocol in (POP3)
protocol in file("/etc/file")
|
Yes
|
No
|
sni_host
|
SNI host (address), with which the connection is established via SSL/TLS.
Usage Aspects:
•If SSL is not used, the value of a variable is not defined, the condition evaluates to false. •It does not make sense to use it for the Dr.Web ICAPD rules (it does not process SSL, for that reason the condition always evaluates to false). •A set of values for checking a variable value is available from the file. Examples:
sni_host not in ('vk.com', 'ya.ru')
sni_host in "LinuxFirewall.BlackList"
sni_host in file("/etc/file")
|
Yes
|
No
|
sni_category
|
The list of categories (AdultContent, etc.) which the host (that is identified from the SNI-header) belongs to (according to the databases of web resource categories), for hosts to which your computer is attempting to connect over SSL/TLS.
The variable can simultaneously contain a set of values.
Usage Aspects:
•If SSL is not used, the value of a variable is not defined, the condition evaluates to false. •It does not make sense to use it for the Dr.Web ICAPD rules (it does not process SSL, for that reason the condition always evaluates to false). •For rules used by Dr.Web MailD and Dr.Web ICAPD, condition with not in will be true, even if according to the scanning results, the host does not belong to any of the predetermined categories (“safe” host). For rules of Dr.Web Firewall for Linux (SpIDer Gate), the condition in this case will be false. •If databases of web resource categories are not installed, the variable could not be used in rules (attempts to check if a condition in the rule is true will lead to the error x112). •A set of values for checking a variable value is available from the file. Examples:
sni_category not in (AdultContent, Chats)
sni_category in "LinuxFirewall.BlockCategory"
sni_category in (FreeEmail)
sni_category not in file("/etc/file")
|
Yes
|
No
|
url
|
URL requested by the client. Can be compared with the specified string or with a regular expression.
Usage Aspects:
•Can be used only in rules for Dr.Web ICAPD. •Dr.Web LookupD can be used to check the value of this variable. •A set of values for checking a variable value is available from the file. Examples:
url match ("drweb.com", "example\..*", "aaa\.ru/")
url match "ICAPD.Adlist"
url not match LDAP@BadURLs
url match file("/etc/file")
|
Yes
|
No
|
url_host
|
URL/host with which the connection is established.
Usage Aspects:
•The variable value can be defined only if SSL/TLS is not used or it was allowed to unwrap SSL. •Dr.Web LookupD can be used to check the value of this variable. •A set of values for checking a variable value is available from the file. Examples:
url_host in ('vk.com', 'ya.ru')
url_host not in "ICAPD.Whitelist"
url_host in LDAP@hosts
url_host not in file("/etc/file")
|
Yes
|
No
|
url_category
|
The list of categories to which the URL/host belongs. The information is based according to the database of categories or Dr.Web Cloud replies.
The variable can simultaneously contain a set of values.
Usage Aspects:
•The variable value can be defined only if SSL/TLS is not used or it was allowed to unwrap SSL. •For rules used by Dr.Web MailD and Dr.Web ICAPD, condition with not in will be true, even if according to the scanning results, URL/host does not belong to any of the predetermined categories (“safe” URL/host). For rules of Dr.Web Firewall for Linux (SpIDer Gate), the condition in this case will be false. •If databases of web resource categories are not installed, the variable could not be used in rules (attempts to check if a condition in the rule is true will lead to the error x112). •A set of values for checking a variable value is available from the file. Examples:
url_category not in (AdultContent, Chats)
url_category in "LinuxFirewall.BlockCategory"
url_category in (FreeEmail)
url_category in file("/etc/file")
|
Yes
|
No
|
threat_category
|
The list of categories to which the threat belongs, which is found in the transferred data (according to information from virus databases).
The variable can simultaneously contain a set of values.
Usage Aspects:
•The variable value can be defined only if SSL/TLS is not used or it was allowed to unwrap SSL. •For rules used by Dr.Web MailD and Dr.Web ICAPD, condition with not in will be true, even if according to the scanning results, the object does not contain threats from any of the predetermined categories (“safe” object). For rules of Dr.Web Firewall for Linux (SpIDer Gate), the condition in this case will be false. •A set of values for checking a variable value is available from the file. Examples:
threat_category in "LinuxFirewall.BlockThreat"
threat_category not in (Joke)
threat_category in file("/etc/file")
|
Yes
|
No
|
user
|
The name of the user with whose privileges the process that is sending (or receiving) the traffic has been launched.
Usage Aspects:
•In the Dr.Web ICAPD rules, the name of that user is implied who has authenticated on the proxy server (if the proxy server supports authentication). If the proxy server does not support user authentication, the variable has an empty value. •Dr.Web LookupD can be used to check the value of this variable. •If you need to find out whether the user belongs to a certain user group, use an LDAP or an Active Directory data source that returns a list of groups and specify the name of the required group (for which you want to know whether the user is its member or not). Use the following format: <type of the source for LookupD>@<source of groups>@<required group>. Requests to Active Directory (AD@) return only lists of groups, therefore for these requests it is mandatory to use the @<required group> part. •A set of values for checking a variable value is available from the file. Examples:
user in ('user1', 'user2')
user in AD@Winusergroups@Admins
user in LDAP@AllowedUsers
user not in file("/etc/file")
|
Yes
|
No
|
src_ip
|
The IP address of a host establishing the connection.
Usage Aspects:
•Dr.Web LookupD can be used to check the value of this variable. •A set of values for checking a variable value is available from the file. Examples:
src_ip not in (127.0.0.1, 10.20.30.41, 198.126.10.0/24)
src_ip in LDAP@AllowedAddresses
src_ip not in file("/etc/file")
|
Yes
|
No
|
proc
|
The process establishing the connection (the full path to the executable file).
Usage Aspects:
•It does not make any sense to use it for the Dr.Web ICAPD rules (the component does not contain information about processes, for that reason the condition always evaluates to false). •A set of values for checking a variable value is available from the file. Examples:
proc in ('/usr/bin/ls')
proc not in ('/home/user/myapp', '/bin/bin1')
proc in "LinuxFirewall.ExcludedProc"
proc in file("/etc/file")
|
Yes
|
No
|
direction
|
The type of traffic on the connection.
Allowed values: request (client request), response (server reply).
This variable cannot simultaneously contain a set of values; conditions of the match and in type cannot be applied.
Examples:
direction request
direction not response
|
Yes
|
No
|
divert
|
The direction of the connection.
Allowed values: input (incoming—created/initiated from outside the local host), output (outgoing—created/initiated on the local host).
This variable cannot simultaneously contain a set of values; conditions of the match and in type cannot be applied.
Examples:
divert input
divert not output
|
Yes
|
No
|
content_type
|
MIME type of data transferred during connection.
Usage Aspects:
•Can be defined if only SSL/TLS is not used or it was allowed to unwrap SSL. •The expression “*/*” matches data of any MIME type and HTTP replies without the header Content-Type. •Dr.Web LookupD can be used to check the value of this variable. •A set of values for checking a variable value is available from the file. Examples:
content_type in ("multipart/byteranges", "application/octet-stream")
content_type not in ("text/*", "image/*")
content_type not in ("audio/*")
content_type in ("*/*")
content_type in LDAP@BlockedContent
content_type not in file("/etc/file")
|
Yes
|
No
|
unwrap_ssl
|
Whether the traffic transferred via SSL/TLS is unwrapped.
Allowed values: true, false.
Usage Aspects:
•The variable always has any value. The instruction SET unwrap_ssl = () is impossible. •The variable cannot be used as a condition. It is necessary only to control SSL unwrapping (for example, to display a webpage containing notification about blocking triggered by our side). •It does not make sense to use it for the Dr.Web ICAPD rules (it does not process SSL, changing of the variable does not influence rule processing). Examples:
SET unwrap_ssl = TRUE
set Unwrap_SSL = false
|
No
|
Yes
|
http_templates_dir
|
The path to the directory where the notification page template on blocking HTTP request is stored.
If the path starts with a / (forward slash), it is an absolute path; if it starts with any other symbol, then it is a relative path. In the latter case it is given relative to the directory specified in the TemplatesDir parameter.
Usage Aspects:
•It is useful only for the HTTP(S) protocol. Examples:
SET http_templates_dir = "/etc/mytemplates"
set http_templates_dir = "templates_for_my_site"
|
No
|
Yes
|
Categories of unwanted websites and threats
1.Categories of unwanted websites (for the variables sni_category, url_category)
Convention
|
Website category
|
InfectionSource
|
Websites containing malicious software (“infection sources”).
|
NotRecommended
|
Fraudulent websites (that use “social engineering”) visiting which is not recommended.
|
AdultContent
|
Websites, containing porn or erotic materials, dating sites etc.
|
Violence
|
Websites that encourage violence or contain materials about various fatal accidents, etc.
|
Weapons
|
Websites that describe weapons and explosives or provide information on their manufacturing.
|
Gambling
|
Websites that provide access to online games of chance, casinos, auctions, including sites for placing bets, etc.
|
Drugs
|
Websites that promote use, production or distribution of drugs, etc.
|
ObsceneLanguage
|
Websites that contain the obscene language (in titles, articles, etc.).
|
Chats
|
Websites that offer a real-time transmission of text messages.
|
Terrorism
|
Websites that contain aggressive and propaganda materials or terroristic attacks descriptions, etc.
|
FreeEmail
|
Websites that offer the possibility of free registration of a web mailbox.
|
SocialNetworks
|
Different social networking services: general, professional, corporate, interest-based; thematic dating sites.
|
DueToCopyrightNotice
|
Wbsites, links to which are defined by the copyright holders of some copyrighted work (movies, music, etc.).
|
As values of the variables sni_category and url_category, it is also possible to use names of the parameters that control blocking (see below).
2.Threat categories (for the threat_category variable)
Convention
|
Threat categories
|
KnownVirus
|
Known threat (virus).
|
VirusModification
|
Modification of the known threat (virus).
|
UnknownVirus
|
Unknown threat, suspicious object.
|
Adware
|
Adware.
|
Dialer
|
Dialer.
|
Joke
|
Joke.
|
Riskware
|
Riskware.
|
Hacktool
|
Hacktool.
|
As a value of the variable threat_category, it is also possible to use names of the parameters that control blocking (see below).
Configuration parameters that can be used in rule conditions
Parameters used in the component rules of Dr.Web Firewall for Linux (indicated with the prefix LinuxFirewall.):
Parameter
|
Description and Usage Example
|
Whitelist
|
White list contains the list of domains, the access to which is allowed, even if these domains are included in the database of categories.
Examples:
sni_host in "LinuxFirewall.Whitelist" : PASS
url_host not in "LinuxFirewall.Whitelist" : BLOCK as _match
|
Blacklist
|
Black list contains the list of domains, the access to which is blocked by the user (or the administrator).
Examples:
sni_host in "LinuxFirewall.Blacklist" : SET Unwrap_SSL = FALSE
url_host in "LinuxFirewall.Blacklist" : BLOCK as BlackList
|
BlockCategory
|
“Meta-parameter”: its value is a list of names of those web resource categories (Chats, AdultContent, etc.) for which the corresponding Block* parameters in the [LinuxFirewall] section are set to Yes.
Examples:
url_category in "LinuxFirewall.BlockCategory" : BLOCK as _match
sni_category in "LinuxFirewall.BlockCategory" : BLOCK as BlackList
|
BlockThreat
|
“Meta-parameter”: its value is a list of names of those threat types (KnownVirus, Joke, etc.) for which the corresponding Block* parameters in the [LinuxFirewall] section are set to Yes.
Examples:
threat_category in "LinuxFirewall.BlockThreat" : BLOCK as _match
|
ExcludedProc
|
The list of trusted processes, whose traffic must be skipped from checking.
Examples:
proc in "LinuxFirewall.ExcludedProc" : PASS
|
Parameters, used in the component rules of Dr.Web ICAPD (indicated with the prefix ICAPD.):
Parameter
|
Description and Usage Example
|
Whitelist
|
White list contains the list of domains, the access to which is allowed, even if these domains are included in the database of categories.
Examples:
url_host not in "ICAPD.Whitelist" : BLOCK as BlackList
|
Blacklist
|
Black list contains the list of domains, the access to which is blocked by the user (or the administrator).
Examples:
url_host in "ICAPD.Blacklist" : BLOCK as BlackList
|
Adlist
|
The Advertisements List. Stores a list of regular expressions that describe advertising sites. It is created by the user (or by the administrator).
Examples:
url match "ICAPD.Adlist" : BLOCK as BlackList
|
BlockCategory
|
“Meta-parameter”: its value is a list of names of those web resource categories (Chats, AdultContent, etc.) for which the corresponding Block* parameters in the [ICAPD] section are set to Yes.
Examples:
url_category in "ICAPD.BlockCategory" : BLOCK as _match
|
BlockThreat
|
“Meta-parameter”: its value is a list of names of those threat types (KnownVirus, Joke, etc.) for which the corresponding Block* parameters in the [ICAPD] section are set to Yes.
Examples:
threat_category in "ICAPD.BlockThreat" : BLOCK as _match
|
Features of saving rules to the configuration file
•In the configuration file, in the settings sections of components that use rules, the rules are stored in such variables as RuleSet, each of them is a set (sequence) of unlimited number of rules. In addition, rules in each set are considered sequentially (vertically down) until the ultimate resolution is met. •When writing an unconditional rule (rule that contains only actions without a conditional part) to the configuration file, an empty conditional part and a separator ':' will be added to it. For example, the following rule, which does not contain a conditional part and consisting only of the action:
will be written to the configuration file as follows:
•When writing a rule, which contains in the action part the set of multiple actions, to the configuration file, it will be written as a sequence of rules with the same conditional part and one action in the action part in the same order as the actions are listed. For example, the following rule that contains two actions in the action part:
user in ('user1', 'user2') : SET http_templates_dir = "/etc/mytemplates", BLOCK as _match
|
will be written to the configuration file as sequences of two rules:
user in ('user1', 'user2') : SET http_templates_dir = "/etc/mytemplates"
user in ('user1', 'user2') : BLOCK as _match
|
•The logging or rules does not allow for disjunction (logical “OR”) of conditions in the conditional part, so, in order to implement the logical “OR”, the chain of rules should be logged with each rule having an only disjunct-condition in its condition. For example, the following two rules are equal to the rule “Block if a malicious object KnownVirus or URL from the category Terrorism are detected”:
threat_category in (KnownVirus) : BLOCK as _match
url_category in (Terrorism) : BLOCK as _match
|
as the following records are equivalent: (a –> x, b –> x); ((a –> x) /\ (b –> x)); ((a \/ b) –> x).
As for any configuration parameter, values of such parameters as RuleSet (i.e. rules) can be viewed and modified using the commands cfshow and cfset of the management tool Dr.Web Ctl (module drweb-ctl). For further information about the cfshow and cfsetcommand syntax of the command-line management tool Dr.Web Ctl (the drweb-ctl module), refer to the section Dr.Web Ctl.
|