Dear Azur,
Your plugin works for me. Currently tested with CRS. Here is the sample log:
[19/Oct/2021:10:30:38 +0530] [
www.xyz.com/sid#7f178bfaf8a0][rid#7f178f5bc0a0][/files/upload.php][1]
Access denied with code 403 (phase 2). String match "Win.Test.EICAR_HDB-1"
at TX:antivirus-plugin_virus_name. [file
"/usr/share/modsecurity-crs/plugins/antivirus-before.conf"] [line "19"] [id
"9502120"] [msg "Virus *Win.Test.EICAR_HDB-1* found in uploaded file
*eicar.com*."] [data "Virus Win.Test.EICAR_HDB-1 found in uploaded
file eicar.com."] [severity "CRITICAL"] [ver "antivirus-plugin/1.0.0"] [tag
"capec/1000/262/441/442"]
Can you please suggest best practices on ClamAV for ModSecurity? I am worried
that ClamAV may add latency to the Apache request handling capacity.
Thanks,
Homesh
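Added example (not from this thread or the antivirus plugin): a small Python parser for the ModSecurity error-log entry shown above, turning the bracketed fields into a dict and pulling the virus name and uploaded filename out of the msg field, which is the pair a reporting dashboard would key on. The sample line is the entry above re-joined onto one line without the mail client's auto-link; the msg pattern assumes the plugin's message format as it appears in that entry.

```python
# Added example: parse one ModSecurity error-log entry from the CRS antivirus plugin.
import re
from typing import Dict, List

# The entry from the message above, re-joined onto one line and with the
# mail client's "<http://eicar.com>" auto-link removed (constructed sample).
SAMPLE = (
    '[19/Oct/2021:10:30:38 +0530] [www.xyz.com/sid#7f178bfaf8a0]'
    '[rid#7f178f5bc0a0][/files/upload.php][1] Access denied with code 403 '
    '(phase 2). String match "Win.Test.EICAR_HDB-1" at '
    'TX:antivirus-plugin_virus_name. '
    '[file "/usr/share/modsecurity-crs/plugins/antivirus-before.conf"] '
    '[line "19"] [id "9502120"] '
    '[msg "Virus *Win.Test.EICAR_HDB-1* found in uploaded file *eicar.com*."] '
    '[data "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] '
    '[severity "CRITICAL"] [ver "antivirus-plugin/1.0.0"] '
    '[tag "capec/1000/262/441/442"]'
)

# ModSecurity metadata fields look like [name "value"]; "tag" may repeat,
# and a value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Leading timestamp in the first bracket pair.
TS_RE = re.compile(r'^\[([^\]]+)\]')
# The plugin's msg (as seen in the entry above) wraps both the virus name
# and the uploaded filename in asterisks; assumption: that format is stable.
MSG_RE = re.compile(
    r'Virus \*(?P<virus>[^*]+)\* found in uploaded file \*(?P<file>[^*]+)\*'
)

def parse_entry(line: str) -> Dict[str, object]:
    """Return timestamp, every [key "value"] field, tags, virus and filename."""
    fields: Dict[str, object] = {}
    tags: List[str] = []
    for key, value in FIELD_RE.findall(line):
        if key == 'tag':
            tags.append(value)
        else:
            fields[key] = value
    fields['tags'] = tags
    ts = TS_RE.match(line)
    fields['timestamp'] = ts.group(1) if ts else None
    # Virus name and filename come from msg; if absent, report None, not a crash.
    m = MSG_RE.search(str(fields.get('msg', '')))
    fields['virus_name'] = m.group('virus') if m else None
    fields['filename'] = m.group('file') if m else None
    return fields
```

Feed each line of the Apache error log that contains `antivirus-plugin` to `parse_entry` and forward the `id`, `virus_name`, `filename` and `severity` keys to the dashboard.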
On Mon, Oct 18, 2021 at 11:59 PM homesh joshi <ho...@gm...> wrote:
> Thanks for your efforts. Will test this tomorrow and let you know.
>
> Regards,
> Homesh
>
> On Mon, 18 Oct, 2021, 11:53 pm , <az...@po...> wrote:
>
>> Good news everyone (mainly Homesh)!
>>
>> As the HTTP protocol allows uploading multiple files at once, it
>> appears to be a good idea to have the filename of the infected file in
>> the logs. I decided to add this functionality.
>>
>> Homesh, please redownload everything and try again:
>> https://github.com/coreruleset/antivirus-plugin
>>
>> Let me know if it's working for you, thanks.
>>
>> Enjoy!
>>
>>
>>
>> Citát homesh joshi <ho...@gm...>:
>>
>> > Dear Azur,
>> >
>> > Yes, I was able to do the testing using your plugin.
>> > I want to report the filename also in the reporting dashboard, saying
>> > that filename = xyz.pdf virusname = abc.
>> > Now I am able to get the virus name but want to know the filename as
>> > well.
>> >
>> > Thanks,
>> > Homesh
>> >
>> >
>> > On Mon, Oct 18, 2021 at 12:06 PM <az...@po...> wrote:
>> >
>> >> Hi Homesh,
>> >>
>> >>
>> >> > Thank you very much for the suggestion on the antivirus plugin.
>> >> > I tested the antivirus plugin with CRS; I have the following queries.
>> >>
>> >>
>> >> You are welcome! Is the plugin working OK for you?
>> >>
>> >>
>> >>
>> >> > Is CRS a prerequisite for this plugin? As I don't use CRS, I want to
>> >> > use this without CRS. I understand this plugin rule uses a Lua script.
>> >>
>> >>
>> >> I cannot guarantee it for the future but, currently, it should also
>> >> work without CRS.
>> >>
>> >>
>> >>
>> >> > I was able to see the virus name in the logs; however, what is the
>> >> > variable name for the filename which was scanned? So I will call that
>> >> > variable inside the TAG or msg.
>> >>
>> >>
>> >> The filename can be got directly from ModSecurity using the
>> >> FILES_TMPNAMES variable, but it's only a temporary name of the uploaded
>> >> file.
>> >>
>> >>
>> >>
>> >> azur
>> >>
>> >>
>> >>
>> >>
>> >> > Thanks,
>> >> > Homesh
>> >> >
>> >> >
>> >> > On Mon, Oct 4, 2021 at 1:40 PM homesh joshi <ho...@gm...>
>> wrote:
>> >> >
>> >> >> Thanks will test this and update you soon.
>> >> >>
>> >> >> On Mon, 4 Oct, 2021, 1:33 pm , <az...@po...> wrote:
>> >> >>
>> >> >>> Hi,
>> >> >>>
>> >> >>> if you are using CRS, please check this:
>> >> >>> https://github.com/coreruleset/antivirus-plugin
>> >> >>>
>> >> >>> azur
>> >> >>>
>> >> >>>
>> >> >>> Citát homesh joshi <ho...@gm...>:
>> >> >>>
>> >> >>> > Hi All,
>> >> >>> >
>> >> >>> > Hope you all are well.
>> >> >>> > I have done the ModSecurity and ClamAV integration and am now
>> >> >>> > able to block the malicious file upload. I wanted to get the
>> >> >>> > filename and virus name details inside ModSecurity audit logs.
>> >> >>> >
>> >> >>> > I am not able to find any documentation on this. Can you please
>> >> >>> > share any document or tutorial on this?
>> >> >>> >
>> >> >>> > Thanks,
>> >> >>> > Homesh
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> _______________________________________________
>> >> >>> mod-security-users mailing list
>> >> >>> mod...@li...
>> >> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> >> >>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> >> >>> http://www.modsecurity.org/projects/commercial/rules/
>> >> >>> http://www.modsecurity.org/projects/commercial/support/
>> >> >>>
>> >> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>>
>>
>>
>>
>>
>>
>