[mod-security-users] libmodsecurity + inspect files not working
From: Ehsan M. <ehs...@gm...> - 2018-07-28 12:17:09
Hi folks
I'm using libmodsecurity + nginx and I tried to inspect a possible virus
infection.
I used the old CRS v2.0 rule shown below:
SecRule FILES_TMPNAMES "@inspectFile /bin/runAV" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',\
    tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"
It doesn't recognize any virus! I tested ClamAV and it responds to the same virus file I uploaded. I also tried modsecurity_nginx_refactoring and it could capture the virus file.
However, no success with libmodsecurity + nginx.
P.S.
1. For the ModSecurity v2.0 nginx refactoring branch I've set SecUploadKeepFiles RelevantOnly, and for libmodsecurity I've set SecUploadKeepFiles On.
2. I tried more verbose debug logs with SecDebugLogLevel 9 and I get the following:
[4] (Rule: 950115) Executing operator "InspectFile" with param "/bin/runAV" against FILES_TMPNAMES.
[4] Rule returned 0.
[9] Matched vars cleaned.
3. I suspected FILES_TMPNAMES, so I added the following rule:
SecRule FILES_TMPNAMES "@rx .*" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'116',\
    tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"
and the debug log now contains:
[4] (Rule: 116) Executing operator "Rx" with param ".*" against FILES_TMPNAMES.
[4] Rule returned 0.
[9] Matched vars cleaned.
It turns out FILES_TMPNAMES is empty.
What am I missing?
--
regards
Ehsan.Mahdavi
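As an added example (not part of the post above, and not code from the ModSecurity or CRS projects), here is a POSIX shell approver script of the kind the rule's "@inspectFile /bin/runAV" invokes, modelled on the CRS runav.pl wrapper. It follows the @inspectFile output convention: ModSecurity runs the program with the uploaded file's temporary path as its only argument and reads one line from stdout; a line whose first character is "1" means the file is clean and the rule does not match, while any other first character means the rule matches and the rest of the line is reported as the reason. The script assumes clamscan is on PATH; the INSPECTFILE_TRACE environment variable is a hypothetical name chosen here for a call-trace log.

```shell
#!/bin/sh
# Added example: a minimal @inspectFile approver script modelled on the
# CRS runav.pl wrapper (not code from the original post or from the
# ModSecurity/CRS projects). Assumes clamscan is on PATH; the variable
# INSPECTFILE_TRACE is a hypothetical name used only for diagnostics.
#
# Contract: ModSecurity runs this with the uploaded file's temporary path
# as $1 and reads one line from stdout. A first character of "1" means
# clean (rule does not match); any other first character means the rule
# matches and the rest of the line becomes the reported reason.

# Convert one clamscan result line into a verdict line. Unknown output and
# scan errors are reported as hits so that a broken scanner fails closed
# rather than silently passing uploads through.
verdict_from_clamscan() {
    line=$1
    case "$line" in
        *": OK")
            printf '1 clamscan: OK\n' ;;
        *": Empty file"|*": Empty file.")
            printf '1 empty file\n' ;;
        *" FOUND")
            name=${line%" FOUND"}; name=${name##*: }
            printf '0 clamscan: %s\n' "$name" ;;
        *" ERROR")
            reason=${line%" ERROR"}; reason=${reason##*: }
            printf '0 clamscan: %s\n' "$reason" ;;
        *)
            printf '0 Unable to parse clamscan output [%s]\n' "$line" ;;
    esac
}

# Run clamscan on one file and print the verdict line for it.
scan_file() {
    if ! command -v clamscan >/dev/null 2>&1; then
        # Fail closed: no scanner means no approval.
        printf '0 clamscan: not installed\n'
        return 0
    fi
    # --no-summary gives one result line per file; --stdout keeps it on
    # stdout so the wrapper can capture it. Only the first line is used.
    first_line=$(clamscan --stdout --no-summary "$1" | head -n 1)
    verdict_from_clamscan "$first_line"
}

# With exactly one argument we are being called by ModSecurity. Optionally
# record the call so you can confirm the rule really reaches the script
# with a path: an empty FILES_TMPNAMES never produces a call at all.
if [ "$#" -eq 1 ]; then
    if [ -n "${INSPECTFILE_TRACE:-}" ]; then
        printf '%s inspect %s\n' "$(date '+%F %T')" "$1" >> "$INSPECTFILE_TRACE"
    fi
    scan_file "$1"
fi
```

Installed executable and referenced from the rule in place of /bin/runAV, the script gives two things the debug log alone does not: a trace file that shows whether the operator ever handed it a real temporary path, and a fail-closed verdict when clamscan is missing or errors, so a scanner problem cannot be mistaken for a clean upload.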