Robert Spier wrote:
>>I wonder if this wouldn't be best handled by making the config file
>>YAML aware, so I could have something like this:
>
>
> -1
>
> I'm really not a fan of YAML as a configuration format. It strikes me
> as too fragile.
Would you be open to a plugin using YAML then, for its own config file? Would
you rather include one of the Ini modules on CPAN (quickly looking I see a bunch
and I don't know which I prefer yet)? Actually making the config/plugins file
be a .ini style file has some advantages, now that I think about it (since you'd
have explicit [section]'s for each hook). Hmmm...
>
> I much prefer the stricter, more limited, .ini style format. Yes, it
> isn't as flexible, but it's a lot harder to break.
It's just a whole lot faster to do
    use YAML qw(LoadFile);
    @scanners = @{ LoadFile('config/generic_av') };  # top-level list loads as one array ref
with a data file like this:
    --- #YAML:1.0
    - name: 'BitDefender'
      bin: '/opt/bdc/bdc'
      options: '--mail --all --arc'
      regex: 'infected: (.+)$'
      freq: '0.50'
    - name: 'ClamAV'
      bin: '/usr/local/bin/clamdscan'
      options: '--stdout --no-summary'
      regex: '^.* (.*) FOUND$'
      freq: '0.50'
    - name: 'McAfee uvscan'
      bin: '/usr/local/bin/uvscan'
      options: '--mime --unzip --secure --noboot'
      regex: '^.*\W+Found (.*)$'
      freq: '0.50'
to get an array of hashes. I would want to run a validate function on the
incoming array (among other things so I could compile the regexes to save having
to do it later), and kick out any array elements that had missing/malformed hash
keys. I'll see if any of the existing INI modules on CPAN have that much
flexibility.
It occurred to me that all of the commandline scanners share a vast amount of
code (basically everything apart from custom return codes). So last night I
started writing a generic av scanner, which would use the data file above to
define each scanner and use the 'freq' key to determine how often a given
scanner would fire.
I was even thinking about how we might be able to use a primitive "train on
error" scheme to change the weighting (so a scanner that misses a virus that the
other scanners find would have its "freq" decremented). Unlike spam, with
viruses I'm strangely unconcerned about false positives and very worried about
false negatives.
John
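
One way the validate step described above could look, as an added example (not code from this thread or from the project). The names validate_scanner and reject, the extra argv key, and the specific rules (absolute bin path, freq between 0 and 1, at least one capture group) are assumptions; the constructed array stands in for what LoadFile would return.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my @REQUIRED = qw(name bin options regex freq);

sub reject { my ($name, $why) = @_; warn "dropping scanner '$name': $why\n"; return undef }

# Return a validated copy of one entry, or undef if it is malformed.
sub validate_scanner {
    my ($s) = @_;
    return reject('?', 'entry is not a hash') unless ref $s eq 'HASH';
    my $name = (defined $s->{name} && !ref $s->{name}) ? $s->{name} : '?';
    for my $k (@REQUIRED) {
        return reject($name, "missing or non-scalar key '$k'")
            unless defined $s->{$k} && !ref $s->{$k};
    }
    # Absolute path only, so the binary is never looked up through PATH.
    return reject($name, 'bin is not a plain absolute path')
        unless $s->{bin} =~ m{\A/[\w./+-]+\z};
    return reject($name, 'freq is not a number from 0 to 1')
        unless $s->{freq} =~ /\A(?:0(?:\.\d+)?|1(?:\.0+)?)\z/;
    # Compile once at load time. Perl refuses (?{...}) code blocks in an
    # interpolated pattern unless "use re 'eval'" is on, so that fails here too.
    my $re = eval { qr/$s->{regex}/ };
    return reject($name, 'regex does not compile') unless defined $re;
    # The virus name comes from $1, so the pattern needs a capture group.
    # Matching '' against "$re|" always succeeds; $#+ is then the group count.
    '' =~ /$re|/;
    return reject($name, 'regex has no capture group') unless $#+ >= 1;
    # Pre-split options so the scanner can be run with list-form system(),
    # which bypasses the shell.
    return +{ %$s, regex => $re, argv => [ $s->{bin}, split ' ', $s->{options} ] };
}

# Constructed sample: one entry from the data file above plus three bad ones.
my @loaded = (
    { name => 'ClamAV', bin => '/usr/local/bin/clamdscan',
      options => '--stdout --no-summary', regex => '^.* (.*) FOUND$', freq => '0.50' },
    { name => 'NoBin', options => '', regex => '(.+)', freq => '0.50' },
    { name => 'BadRegex', bin => '/opt/x/scan', options => '-q', regex => 'Found (.*', freq => '0.50' },
    { name => 'RelPath', bin => 'uvscan', options => '', regex => '(.+)', freq => '2' },
);

my @scanners = grep { defined } map { validate_scanner($_) } @loaded;
printf "%s: %s\n", $_->{name}, join ' ', @{ $_->{argv} } for @scanners;
```

Only the ClamAV entry survives; the other three are dropped with a warning naming the first rule they fail.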