I understand what you want to do but not why. What are you expecting clamav to find? AV is mainly looking for executable binary code, which may be present in webapps when they allow external file attachments. In your case, you are talking about text strings, so ModSecurity can do it. The issue may be what blacklist to use. Does anyone using clamav know if it has a text string blacklist feature built in?


Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com


From: beshoo
To: Ryan Barnett
Cc: mod-security-users@lists.sourceforge.net
Sent: Tue Feb 23 01:24:48 2010
Subject: Re: [mod-security-users] How to Scan Post Data with ClamAv "Not The Upload File"

I want to scan the POST text strings, but with clam, not with a ModSecurity regex pattern; that is my target!

On Tue, Feb 23, 2010 at 8:17 AM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:

Are you wanting to look for text strings or was there some specific clamav feature you wanted? If the client is not using multipart content-type to upload a file attachment, then I am not sure what AV feature you need. If you only want to look at text strings then you don't need clamav, as you can use @pm/@pmFromFile and pass it a list of blacklist strings to run against the request_body variable.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com


From: beshoo
To: Jamuse
Cc: mod-security-users@lists.sourceforge.net
Sent: Tue Feb 23 00:57:49 2010
Subject: Re: [mod-security-users] How to Scan Post Data with ClamAv "Not The Upload File"

As I said in the email that I sent, I don't want to scan the uploaded files. The posted data did not save anything to /tmp FILES_TMPNAMES. I am sure there is another way to scan the post row; again, not the uploaded files.

thank you :)

On Tue, Feb 23, 2010 at 7:50 AM, Jamuse <jamuse@gmail.com> wrote:
Take a look at the modsec-clamscan.pl script in the modsecurity util directory. You can invoke the script with something like:

SecRule FILES_TMPNAMES "@inspectFile /opt/modsecurity/bin/modsec-clamscan.pl" \
    phase:2,t:none,log,block

- J

On Tue, Feb 23, 2010 at 5:58 AM, beshoo <beshoo@gmail.com> wrote:
Dear user, I need to scan any POSTed data with ClamAV,
e.g.:
User opens cPanel,

Create a new file in cPanel

Edit the file with the cPanel editor

Copy and paste the code as PhpShell code.

Save the file .. :)

I need to scan the POST data with ClamAV.

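The @pmFromFile approach suggested in the thread, written out as a configuration sketch. This is an added example, not part of the original messages or of the ModSecurity distribution; the phrase-file path, the rule id and the phrases listed are assumptions made for illustration.

```apache
# Added example (not from the thread). Paths, rule id and phrases are
# assumptions; adapt them to the local installation.

# The request body must be buffered, otherwise REQUEST_BODY is empty.
SecRequestBodyAccess On

# /etc/modsecurity/post-blacklist.txt (assumed path), one phrase per line.
# Constructed sample contents:
#   <?php
#   shell_exec(
#   passthru(
#   base64_decode(

# REQUEST_BODY holds the raw body of an application/x-www-form-urlencoded
# POST, so a pasted "<?php" arrives as "%3C%3Fphp". Without a decoding
# transformation the phrase list never matches the encoded form.
# @pm/@pmFromFile matching is case-insensitive, so no t:lowercase is needed.
SecRule REQUEST_BODY "@pmFromFile /etc/modsecurity/post-blacklist.txt" \
    "phase:2,t:none,t:urlDecodeUni,log,deny,status:403,id:1000001,msg:'Blacklisted string in POST body'"

# Same list against the parsed parameters. ARGS values are already
# URL-decoded by the body parser, and this also covers non-file fields
# of multipart/form-data requests, for which REQUEST_BODY is not
# populated by default.
SecRule ARGS "@pmFromFile /etc/modsecurity/post-blacklist.txt" \
    "phase:2,t:none,log,deny,status:403,id:1000002,msg:'Blacklisted string in POST parameter'"
```

A phrase list like this will also block legitimate edits of PHP files through the same editor, so it is normally run with `pass` instead of `deny` first and the logged matches reviewed before enforcing.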