Jamuse wrote:
On Sun, Mar 21, 2010 at 9:36 AM, listadecorreo <listadecorreo@sbd.cadinor.com> wrote:
Hello,

I'm using CentOS release 5.4 and modsecurity-apache_2.5.12 with a reverse
proxy. ModSecurity works fine, but I'd like to add ClamAV scanning.

I read
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/06-special_features.html
and I added to

[root@reverseproxy ~]# vim /etc/httpd/conf/modsecurity/modsecurity_crs_10_config.conf
SecUploadDir /tmp/webfiles
SecUploadApproveScript /usr/local/sbin/modsec-clamscan.pl

and I created the directory to upload files....

[root@reverseproxy ~]# mkdir /tmp/webfiles
[root@reverseproxy ~]# chown apache:clamav /tmp/webfiles
[root@reverseproxy ~]# chmod 2750 /tmp/webfiles

but when I restart Apache it says:

[root@reverseproxy ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Syntax error on line 164 of
/etc/httpd/conf/modsecurity/modsecurity_crs_10_config.conf:
Invalid command 'SecUploadApproveScript', perhaps misspelled or defined
by a module not included in the server configuration
                                                          [FAILED]

I searched on Google, and I still do not understand why it fails

Hi,

SecUploadApproveScript is no longer supported. You can scan files with something like:

SecRule FILES_TMPNAMES "@inspectFile /usr/local/sbin/modsec-clamscan.pl" \
    phase:2,t:none,log,block

Also, the ModSecurity 2.5.12 documentation is available at:
http://modsecurity.org/documentation/

- J

Excuse me. I read the documentation for ModSecurity 1.9.3 and I use 2.5.12. But now the problem is a different one:

I created an HTML virus document on my web server

-----------------------------------------

root@servidorweb:~# clamscan --phishing-sigs=yes --phishing-cloak=yes --scan-html=yes --phishing-scan-urls=yes /var/www/virus.html
/var/www/virus.html: Trojan.JS-37 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 738963
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 1.973 sec (0 m 1 s)


-----------------------------------------

On the reverse proxy with ModSecurity I enabled the rule to scan with ClamAV, but it does not work... it does not show an error and the web page is not blocked

[root@reverseproxy ~]# mkdir /tmp/webfiles
[root@reverseproxy ~]# chown apache:clamav /tmp/webfiles
[root@reverseproxy ~]# chmod 2750 /tmp/webfiles

[root@reverseproxy ~]# /usr/local/sbin/modsec-clamscan.pl /usr/bin/clamscan
1 clamscan: OK

[root@reverseproxy ~]# vim /etc/httpd/conf/modsecurity/modsecurity_crs_10_config.conf
SecUploadDir /tmp/webfiles

[root@reverseproxy ~]# vim /etc/httpd/conf/modsecurity/modsecurity_crs_15_mis_reglas.conf
SecRule FILES_TMPNAMES "@inspectFile /usr/local/sbin/modsec-clamscan.pl" \
    phase:2,t:none,log,block
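
An added example, not part of the original thread and not the modsec-clamscan.pl script shipped with ModSecurity: a minimal shell approver showing the contract that the `@inspectFile` rule above relies on. It assumes clamscan is on the PATH; the `SCANNER` variable and the `approve_upload` function name are hypothetical.

```shell
#!/bin/sh
# Added example: an @inspectFile approver, not the shipped modsec-clamscan.pl.
# Contract: ModSecurity passes the temporary file path as $1 and reads one
# line from stdout. A line starting with "1" approves the file; anything
# else makes the rule match.
# SCANNER is a hypothetical override so the logic can be exercised without ClamAV.
SCANNER="${SCANNER:-clamscan}"

approve_upload() {
    file="$1"
    # A missing or unreadable file must not be approved.
    if [ ! -r "$file" ]; then
        echo "0 unable to read file"
        return 0
    fi
    # clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
    out=$("$SCANNER" --no-summary --stdout "$file" 2>&1) && rc=0 || rc=$?
    case "$rc" in
        0) echo "1 clamscan: OK" ;;
        1) # Report the "<file>: <signature> FOUND" line from the scanner.
           echo "0 clamscan: $(printf '%s\n' "$out" | grep 'FOUND$' | head -n 1)" ;;
        *) # Scanner failure: fail closed instead of approving the file.
           echo "0 clamscan: scan error (exit $rc)" ;;
    esac
}

# When run as a script (as ModSecurity does), inspect the given file.
[ "$#" -eq 0 ] || approve_upload "$1"
```

FILES_TMPNAMES holds only the temporary files created for multipart/form-data uploads in the request, so a rule of this form inspects uploaded files, not pages returned through the proxy. The approver runs as the Apache user and needs read access to the files under SecUploadDir.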