From f64c83cc4d7cb249f8b37338bfa9363ae4a0438c Mon Sep 17 00:00:00 2001 From: Jan Wagner Date: Tue, 6 Oct 2015 16:53:00 +0200 Subject: [PATCH] Updating manpage for 1.5 --- debian/maldet.1 | 73 +++++++++++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 29 deletions(-) diff --git a/debian/maldet.1 b/debian/maldet.1 index 005088c..089e86a 100644 --- a/debian/maldet.1 +++ b/debian/maldet.1 @@ -1,12 +1,13 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.38.2. -.TH LINUX-MALWARE-DETECT "1" "October 2013" "Linux Malware Detect v1.4.2" "User Commands" +.TH LINUX-MALWARE-DETECT "19" "September 2015" "Linux Malware Detect v1.5" "User Commands" .SH NAME maldet \- Linux Malware Detect .SH SYNOPSIS .PP -maldet [\-h|\-\-help] [\-l|\-\-log] [\-e|\-\-report] [\-p|\-\-purge] [\-c|\-\-checkout] -[\-b|\-\-background] [\-m|\-\-monitor] [\-k|\-\-kill\-monitor] [\-a|\-\-scan\-all] [\-r|\-\-scan\-recent] -[\-q|\-\-quarantine] [\-s|\-\-restore] [\-n|\-\-clean] [\-u|\-\-update] +maldet [\-h|\-\-help] [\-a|\-\-scan\-all PATH] [\-r|\-\-scan\-recent PATH DAYS] [\-f|\-\-file\-list PATH] +[\-i|\-\-include\-regex] [\-x|\-\-exclude\-regex] [\-b|\-\-background] [\-m|\-\-monitor] [\-k|\-\-kill\-monitor] +[\-c|\-\-checkout] [\-q|\-\-quarantine] [\-s|\-\-restore] [\-n|\-\-clean] [\-l|\-\-log] [\-e|\-\-report] +[\-u|\-\-update\-sigs] .SH DESCRIPTION Linux Malware Detect is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV. .PP 
@@ -65,8 +66,6 @@ kernel inotify monitor with dynamic sysctl limits for optimal performance .IP \(bu 3 kernel inotify alerting through daily and/or optional weekly reports .IP \(bu 3 -HTTP upload scanning through mod_security2 inspectFile hook -.IP \(bu 3 e-mail alert reporting after every scan execution (manual & daily) .IP \(bu 3 path, extension and signature based ignore options @@ -112,13 +111,10 @@ is performed daily through the default cron.daily script with the \fB--update\fP option, which can be run manually at any time. .TP .B -An RSS & XML data source is available for tracking malware threat updates: +An RSS feed is available for tracking malware threat updates: RSS Recent Signatures: http://www.rfxn.com/api/lmd -XML Recent Signatures: http://www.rfxn.com/api/lmd?id=recent .TP .B -XML All Signatures: -http://www.rfxn.com/api/lmd?id=all .SH CLI USAGE The command line options are as follows: .HP @@ -127,23 +123,14 @@ The command line options are as follows: Execute operations in the background, ideal for large scans e.g: maldet \fB\-b\fR \fB\-r\fR /home/?/public_html 7 .HP -\fB\-u\fR, \fB\-\-update\fR +\fB\-u\fR, \fB\-\-update\-sigs\fR .IP Update malware detection signatures from rfxn.com .HP -\fB\-m\fR, \fB\-\-monitor\fR USERS|PATHS|FILE -.IP -Run maldet with inotify kernel level file create/modify monitoring -If USERS is specified, monitor user homedirs for UID's > 500 -If FILE is specified, paths will be extracted from file, line spaced -If PATHS are specified, must be comma spaced list, NO WILDCARDS! -e.g: maldet \fB\-\-monitor\fR users -e.g: maldet \fB\-\-monitor\fR /root/monitor_paths -e.g: maldet \fB\-\-monitor\fR /home/mike,/home/ashton -.HP -\fB\-k\fR, \fB\-\-kill\fR +\fB\-f\fR, \fB\-\-file\-list\fR .IP -Terminate inotify monitoring service +Scan files or paths defined in line spaced file +e.g: maldet \fB\-f\fR \fI\,/root/scan_file_list\/\fP .HP \fB\-r\fR, \fB\-\-scan\-recent\fR PATH DAYS .IP 
@@ -152,9 +139,37 @@ e.g: maldet \fB\-r\fR /home/?/public_html 2 .HP \fB\-a\fR, \fB\-\-scan\-all\fR PATH .IP -Scan all files in path (default: /home, wildcard: ?) +Scan all files in path (default: \fI\,/home\/\fP, wildcard: ?) e.g: maldet \fB\-a\fR /home/?/public_html .HP +\fB\-i\fR, \fB\-\-include\-regex\fR REGEX +.IP +Include paths/files from file list based on supplied posix\-egrep regular +expression. +e.g: To include only paths named wp\-content and files ending in .php: +\fB\-\-include\-regex\fR ".*/wp\-content/.*|.*.php$" +.HP +\fB\-x\fR, \fB\-\-exclude\-regex\fR REGEX +.IP +Exclude paths/files from file list based on supplied posix\-egrep regular +expression. +e.g: To exclude paths containing 'wp\-content/w3tc/' and core files: +\fB\-\-exclude\-regex\fR ".*wp\-content/w3tc/.*|.*core.[0\-9]+$" +.HP +\fB\-m\fR, \fB\-\-monitor\fR USERS|PATHS|FILE|RELOAD +.IP +Run maldet with inotify kernel level file create/modify monitoring +If USERS is specified, monitor user homedirs for UID's > 500 +If FILE is specified, paths will be extracted from file, line spaced +If PATHS are specified, must be comma spaced list, NO WILDCARDS! +e.g: maldet \fB\-\-monitor\fR users +e.g: maldet \fB\-\-monitor\fR \fI\,/etc/maldetect/monitor_paths\/\fP +e.g: maldet \fB\-\-monitor\fR \fI\,/home/mike\/\fP,/home/ashton +.HP +\fB\-k\fR, \fB\-\-kill\-monitor\fR +.IP +Terminate inotify monitoring service +.HP \fB\-c\fR, \fB\-\-checkout\fR FILE .IP Upload suspected malware to rfxn.com for review & hashing into signatures @@ -176,7 +191,7 @@ e.g: maldet \fB\-\-report\fR SCANID user@domain.com .IP Restore file from quarantine queue to orginal path or restore all items from a specific SCANID -e.g: maldet \fB\-\-restore\fR /usr/local/maldetect/quarantine/config.php.23754 +e.g: maldet \fB\-\-restore\fR \fI\,/var/lib/maldetect/quarantine/config.php.23754\/\fP e.g: maldet \fB\-\-restore\fR 050910\-1534.21135 .HP \fB\-q\fR, \fB\-\-quarantine\fR SCANID 
@@ -198,8 +213,8 @@ e.g: maldet \fB\-\-user\fR nobody \fB\-\-restore\fR 050910\-1534.21135 .HP \fB\-co\fR, \fB\-\-config\-option\fR VAR1=VALUE,VAR2=VALUE,VAR3=VALUE .IP -Set or redefine the value of conf.maldet config options -e.g: maldet \fB\-\-config\-option\fR email_addr=you@domain.com,quar_hits=1 +Set or redefine the value of maldetect.conf config options +e.g: maldet \fB\-\-config\-option\fR email_addr=you@domain.com,quarantine_hits=1 .HP \fB\-p\fR, \fB\-\-purge\fR .IP @@ -208,6 +223,6 @@ Clear logs, quarantine queue, session and temporary data. This program may be freely redistributed under the terms of the GNU GPL v2 .SH AUTHORS .PP -(C) 2002\-2013, R\-fx Networks -(C) 2013, Ryan MacDonald +(C) 2002\-2015, R\-fx Networks +(C) 2015, Ryan MacDonald
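Review bot: In the first hunk (@@ -1,12 +1,13 @@) the new `.TH` line sets the manual section to "19", which is not a man section at all; the file is installed as debian/maldet.1, so the second argument should stay "1" (`.TH LINUX-MALWARE-DETECT "1" "September 2015" "Linux Malware Detect v1.5" "User Commands"`), otherwise the page header and the whatis/apropos index will show a bogus section. The rewritten SYNOPSIS also drops `[-p|--purge]` and does not list `-co|--config-option` or `--user`, even though `-p, --purge`, `-co, --config-option` and the `--user nobody` example are still documented in CLI USAGE in the later hunks; the synopsis should match the documented option set. The untouched first line still claims the file was generated by help2man and must not be modified, which is no longer true once it is hand-edited like this; either regenerate it from `maldet --help` or drop that comment.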
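Review bot: The hunk at @@ -112,13 +111,10 @@ leaves a stale flag name in its unchanged context: the sentence just above still says signature updates run "with the \fB--update\fP option", while the next hunk renames that flag to `--update-sigs`; update the reference in the same patch so the SIGNATURE UPDATES text and the CLI USAGE entry agree. Deleting the two XML entries also strands a `.TP` followed by an argument-less `.B` with nothing after them before `.SH CLI USAGE`; remove those two lines as well rather than leaving an empty tagged paragraph in the source.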
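Review bot: In the @@ -152,9 +139,37 @@ hunk both regex examples use an unescaped `.` where a literal dot is meant, so they match more than the prose says: `.*.php$` matches any name ending in `php` with at least one preceding character (`notaphp`, `x_php`), and `.*core.[0\-9]+$` matches `score_1` or `corex12` as well as a real `core.1234` dump. For `--include-regex` that widens the scan set silently; for `--exclude-regex` it is worse, because files the operator never intended to skip (anything containing `core` plus one character and digits) are excluded from scanning without any indication. Suggest `.*\e.php$` and `.*core\e.[0\-9]+$` in the roff source (`\e` renders as a backslash, giving `\.php$` and `core\.[0-9]+$` on the page). The last `--monitor` example italicises only `/home/mike` and leaves `/home/ashton` in roman; wrap both paths the same way.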
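Review bot: The @@ -176,7 +191,7 @@ hunk changes the quarantine path in the `--restore` example but leaves the typo "orginal" in the unchanged context line directly above it; since this entry is being edited anyway, correct it to "original" in the same patch.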
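Review bot: In the last hunk (@@ -208,6 +223,6 @@) the R-fx Networks line is correctly extended to a range, but the second line replaces "(C) 2013, Ryan MacDonald" with "(C) 2015, Ryan MacDonald", which drops the earlier year instead of extending it; "(C) 2013\-2015, Ryan MacDonald" would be consistent with the line above it.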