From: "Paul Beckett (ITCS)" <P.Beckett@uea.ac.uk>
Date: Tuesday, January 15, 2013 6:14 AM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] AV scanning : lua or c

I was wanting to implement AV scanning with clamd. Having seen a Perl script to do this, I figured a solution using Lua would provide better performance and shouldn't be too hard to write. Some googling revealed Josh Zlatin had already done this :)

http://www.purehacking.com/blogs/josh-zlatin/virus-detection-in-modsecurity
I had to make a small tweak to the script, as I couldn't get the rex pcre library installed on my RHEL servers (I replaced rex.match with string.find), tested it, and sat back feeling happy until I noticed that CRS comes with a C program, runAV-clamd, that does essentially the same thing.
Now I'm wondering which would provide the better performance (Lua or C), and whether there are any other considerations. Any advice would be much appreciated.
Thanks,

Paul


Hey Paul,
Not sure what the performance difference would be between running the runAV binary program via exec action vs. running the Lua script via exec.

The only other recommendation that I have would be to consider creating a RAM disk for use by the SecUploadDir directive - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecUploadDir.  In previous testing that we did, we found that the I/O of writing files to disk (for FILES_TMPNAMES) caused the greatest amount of latency.  By creating a RAM disk, this virtual swapping is much faster.

As a side note – using RAM disks is also great for performance for any persistent storage usage with initcol, setsid, etc…

-Ryan
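A Lua @inspectFile scanner of the kind Paul describes, written here as an added example (it is neither Josh Zlatin's script nor the CRS runAV-clamd program), streaming the upload's temp file to clamd's INSTREAM interface over TCP with LuaSocket and parsing the reply with plain string.find/string.match instead of rex.match. The clamd host and port, the presence of LuaSocket, and the ModSecurity Lua conventions used (main(filename) returning nil for clean or a string for a match, m.log for logging) are assumptions about the deployment.

```lua
-- clamd_scan.lua: ModSecurity @inspectFile handler that streams the upload's
-- temp file to clamd over TCP (INSTREAM protocol) and returns a message on a hit.
local socket = require("socket")   -- LuaSocket, assumed installed
local CLAMD_HOST = "127.0.0.1"     -- assumption: clamd's TCPSocket is enabled
local CLAMD_PORT = 3310

-- INSTREAM prefixes each chunk with a 4-byte big-endian length; built by hand
-- so this also runs on Lua 5.1, which lacks string.pack.
local function be32(n)
  return string.char(math.floor(n / 16777216) % 256, math.floor(n / 65536) % 256,
                     math.floor(n / 256) % 256, n % 256)
end

-- Streams the file to clamd; returns the reply line, or nil and an error.
local function clamd_instream(path)
  local f, err = io.open(path, "rb")
  if not f then return nil, "open: " .. tostring(err) end
  local c = socket.tcp()
  c:settimeout(10)
  local ok, cerr = c:connect(CLAMD_HOST, CLAMD_PORT)
  if not ok then f:close(); return nil, "connect: " .. tostring(cerr) end
  c:send("nINSTREAM\n")            -- "n" prefix: newline-terminated reply
  while true do
    local data = f:read(8192)
    if not data then break end
    c:send(be32(#data) .. data)
  end
  f:close()
  c:send(be32(0))                  -- zero-length chunk ends the stream
  local reply, rerr = c:receive("*l")
  c:close()
  if not reply then return nil, "receive: " .. tostring(rerr) end
  return reply
end

-- ModSecurity calls main(filename) for @inspectFile: return nil for clean,
-- any string to match. Plain string.match/find stand in for rex.match.
function main(filename)
  local reply, err = clamd_instream(filename)
  if not reply then
    m.log(3, "clamd_scan: " .. err)  -- fails open; return a string to block instead
    return nil
  end
  local sig = string.match(reply, "^stream: (.-) FOUND$")
  if sig then return "clamd: " .. sig .. " FOUND in " .. filename end
  if not string.find(reply, "stream: OK", 1, true) then
    m.log(3, "clamd_scan: unexpected reply '" .. reply .. "'")
  end
  return nil
end
```

Hook it up with a rule of the form SecRule FILES_TMPNAMES "@inspectFile /path/to/clamd_scan.lua" (phase 2, deny on match) and, per Ryan's advice, put SecUploadDir on a tmpfs mount so the temp file the scanner reads never has to be written to a physical disk.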


