Some of the download scripts, as well as downloading the Sanesecurity
signatures, can also download other Third-Party databases.

The following tables contain a brief list of all Third-Party
databases, a brief description of each, and my opinion on their
approximate false positive risk, but your mileage may vary.

It's also recommended, especially for the high-risk groups,
to score the detections instead of blocking outright;
it's down to each signature user to determine their detection
rate vs false positive rate for each group.

Any false positives will normally be fixed by each signature
producer.

The following databases are distributed and produced by Sanesecurity

| Database Name | Description | FP Risk |
| --- | --- | --- |
| junk.ndb | General high hitting junk, containing spam/phishing/lottery/jobs/419s etc. | Low |
| jurlbl.ndb | Junk Url based | Low |
| jurlbla.ndb | Junk Url based autogenerated from various feeds | Med |
| lott.ndb | Lottery | Med |
| phish.ndb | Phishing | Low |
| rogue.hdb | Malware, Rogue anti-virus software and Fake codecs. Undetected virus samples can be sent to steveb@webtribe.net | Low |
| sanesecurity.ftm | Message file types | - |
| scam.ndb | Spam/scams | Low |
| spam.ldb | Spam detected using the new Logical Signature type | Med |
| spamimg.hdb | Spam images or other static documents | Low |
| spear.ndb | Spear phishing email addresses (autogenerated from data here) | Med |

The following databases are distributed by Sanesecurity, but produced by Bill
Landry (InetMsg)

| Database Name | Description | FP Risk |
| --- | --- | --- |
| INetMsg-SpamDomains-2w.ndb | Last 2 'weeks' of spam domains found | <Med |
| INetMsg-SpamDomains-2m.ndb | Last 2 'months' of spam domains found | Med |

Note: Only use ONE of the above databases, SpamDomains-2w.ndb
or SpamDomains-2m.ndb

The following databases are distributed by Sanesecurity, but produced by OITC

| Database Name | Description | FP Risk |
| --- | --- | --- |
| winnow_malware.hdb | Current virus, trojan and other malware not yet detected by ClamAV. Undetected virus samples can be sent to virus_samples@oitc.com | Low |
| winnow_malware_links.ndb | Links to malware | Low |
| winnow_spam_complete.ndb | Signatures to detect fraud and other malicious spam | Med |
| winnow_phish_complete.ndb | Phishing and other malicious URLs and compromised hosts | High |
| winnow_phish_complete_url.ndb | Similar to winnow_phish_complete.ndb except that entire URLs are used | Med |
| winnow.complex.patterns.ldb | Contains hand-generated signatures for malware and some egregious fraud | Med |

Note: Only use ONE of the above databases, winnow_phish_complete.ndb
or winnow_phish_complete_url.ndb

The following databases are distributed by Sanesecurity, but produced
by Julian Field

| Database Name | Description | FP Risk |
| --- | --- | --- |
| scamnailer.ndb | Spear phishing and other phishing emails | Med |

The following databases are produced and distributed by MSRBL

| Database Name | Description | FP Risk |
| --- | --- | --- |
| MSRBL-SPAM.ndb | Created from spam emails (URLs or other content) that looks static | Low |
| MSRBL-Images.hdb | Created from images contained within spam emails | Low |

The following databases are produced and distributed by SecuriteInfo

| Database Name | Description | FP Risk |
| --- | --- | --- |
| antispam.ndb | | High |
| honeynet.hdb | | Low |
| securiteinfo.hdb | | Low |
| vx.hdb | | Low |

The following databases are produced and distributed by MalwarePatrol

| Database Name | Description | FP Risk |
| --- | --- | --- |
| mbl.ndb | URLs containing Viruses, Trojans, Worms, or Malware | Low |

Disclaimer:
Whilst every effort has been made by Sanesecurity to ensure that the signatures
don't lead to false positives, we make no warranty that the signatures will
meet your requirements, be uninterrupted, complete, timely, secure or error
free.
You must therefore use them at your own risk.