Hi Homesh,
I'm glad everything works for you!
I can't recommend any specific ClamAV configuration, but this will
definitely add some latency to request handling. You can try playing
with the antivirus setting tx.antivirus-plugin_clamav_chunk_size_bytes so
that data is not split into too many chunks (it depends on how big the files
you usually upload are).
Anyway, I doubt there's a possibility to create a faster option for
integrating antivirus support into ModSecurity, as my solution uses
Lua for antivirus communication and the ClamAV INSTREAM command, so:
- the Lua script is read, compiled and stored in memory on web server startup
- the Lua script works similarly to clamdscan, so the only thing it does
is read and send data to ClamAV (i.e. it does not read all the
signatures on every run as the clamscan command does); make sure that
tmp files are not stored on slow storage
- the Lua script is not run for requests not doing a file upload
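The INSTREAM framing the reply above refers to, as an added example that is not part of this thread and not code from the antivirus-plugin or from ClamAV. The client side (`instream_frames`, `scan_stream`) follows clamd's INSTREAM protocol: the `zINSTREAM` command, 4-byte big-endian length-prefixed chunks, a zero-length chunk as terminator and a NUL-terminated reply. `fake_clamd` is an in-process stand-in that only exists so the example runs offline; it is not ClamAV, it only "detects" the EICAR string, and the signature name it reports is assumed to be the one seen in the log line quoted below. The 25 MiB cap and the "INSTREAM size limit exceeded. ERROR" reply mirror clamd's StreamMaxLength default and error text as I remember them; treat both as assumptions.

```python
"""ClamAV INSTREAM framing as used for streaming an upload to clamd.

Added example (not code from the antivirus-plugin).  The client side follows
clamd's INSTREAM protocol; `fake_clamd` is an in-process stand-in that exists
only so the example runs offline and is NOT ClamAV.
"""
import socket
import struct
import threading

# Public EICAR test string (a test signature, not live malware).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Assumed signature name; it is the one shown in the log line in this thread.
EICAR_NAME = "Win.Test.EICAR_HDB-1"


def instream_frames(data: bytes, chunk_size: int):
    """Yield INSTREAM frames: 4-byte big-endian length + that many bytes,
    ended by a zero-length frame.  A smaller chunk_size means more frames
    (and more write calls) for the same upload; detection is unaffected
    because the scanner reassembles the stream before scanning."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def parse_reply(reply: bytes):
    """Map 'stream: OK' / 'stream: <name> FOUND' / '... ERROR' to (verdict, detail)."""
    text = reply.rstrip(b"\x00").decode("utf-8", "replace").strip()
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return "FOUND", text[len("stream: "):-len(" FOUND")]
    if text == "stream: OK":
        return "OK", None
    return "ERROR", text


def scan_stream(sock, data: bytes, chunk_size: int):
    """Scan `data` over a connected clamd socket; return (verdict, detail, frames_sent)."""
    sock.sendall(b"zINSTREAM\x00")  # 'z' prefix: NUL-delimited command and reply
    frames = 0
    for frame in instream_frames(data, chunk_size):
        sock.sendall(frame)
        frames += 1
    buf = b""
    while not buf.endswith(b"\x00"):  # reply is NUL-terminated
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    verdict, detail = parse_reply(buf)
    return verdict, detail, frames


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf


def fake_clamd(sock, max_stream_bytes: int):
    """Stand-in for clamd (assumption, not ClamAV): parse INSTREAM frames,
    enforce a StreamMaxLength-style cap, and 'detect' only the EICAR string."""
    header = b""
    while not header.endswith(b"\x00"):
        header += _recv_exact(sock, 1)
    if header != b"zINSTREAM\x00":
        sock.sendall(b"UNKNOWN COMMAND\x00")
        sock.close()
        return
    body, reply = b"", None
    while True:
        (length,) = struct.unpack(">I", _recv_exact(sock, 4))
        if length == 0:
            break
        body += _recv_exact(sock, length)
        if reply is None and len(body) > max_stream_bytes:
            # Real clamd answers like this and drops the connection; the stand-in
            # keeps draining frames so the client side stays deterministic.
            reply = b"INSTREAM size limit exceeded. ERROR\x00"
    if reply is None:
        reply = (b"stream: " + EICAR_NAME.encode() + b" FOUND\x00"
                 if EICAR in body else b"stream: OK\x00")
    sock.sendall(reply)
    sock.close()


def scan_bytes(data: bytes, chunk_size: int, max_stream_bytes: int = 25 * 1024 * 1024):
    """Run one scan against the in-process fake clamd over a socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_clamd, args=(server, max_stream_bytes))
    t.start()
    try:
        return scan_stream(client, data, chunk_size)
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    print(scan_bytes(EICAR, chunk_size=16))  # EICAR split over 5 chunks, still found
    print(scan_bytes(b"clean upload " * 1000, chunk_size=4096))
    print(scan_bytes(b"A" * 2048, chunk_size=512, max_stream_bytes=1024))
```

Against a real clamd you would replace `scan_bytes` with a connection to its Unix socket or TCP port and pass that socket to `scan_stream`; note that real clamd closes the connection on a size-limit error, so a client that is still sending frames can see a broken pipe before it gets to read the reply, and an upload larger than StreamMaxLength is reported as an error, not as clean.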
Quoting homesh joshi <ho...@gm...>:
> Dear Azur,
>
> Your plugin works for me. Currently tested with CRS. Here is the sample log:
>
> [19/Oct/2021:10:30:38 +0530] [www.xyz.com/sid#7f178bfaf8a0][rid#7f178f5bc0a0][/files/upload.php][1] Access denied with code 403 (phase 2). String match "Win.Test.EICAR_HDB-1" at TX:antivirus-plugin_virus_name. [file "/usr/share/modsecurity-crs/plugins/antivirus-before.conf"] [line "19"] [id "9502120"] [msg "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] [data "Virus Win.Test.EICAR_HDB-1 found in uploaded file eicar.com."] [severity "CRITICAL"] [ver "antivirus-plugin/1.0.0"] [tag "capec/1000/262/441/442"]
>
> Can you please suggest best practices for ClamAV with ModSecurity? I am worried
> that ClamAV may add latency to the Apache request handling capacity.
>
> Thanks,
> Homesh
>
>
> On Mon, Oct 18, 2021 at 11:59 PM homesh joshi <ho...@gm...> wrote:
>
>> Thanks for your efforts. Will test this tomorrow and let you know.
>>
>> Regards,
>> Homesh
>>
>> On Mon, 18 Oct, 2021, 11:53 pm , <az...@po...> wrote:
>>
>>> Good news everyone (mainly Homesh)!
>>>
>>> As the HTTP protocol allows uploading multiple files at once, it
>>> seems a good idea to have the filename of the infected file in the logs.
>>> I decided to add this functionality.
>>>
>>> Homesh, please redownload everything and try again:
>>> https://github.com/coreruleset/antivirus-plugin
>>>
>>> Let me know if it's working for you, thanks.
>>>
>>> Enjoy!
>>>
>>>
>>>
>>> Quoting homesh joshi <ho...@gm...>:
>>>
>>> > Dear Azur,
>>> >
>>> > Yes I was able to do the testing using your plugin.
>>> > I want to report the filename also in the reporting dashboard, saying that
>>> > filename = xyz.pdf virusname=abc
>>> > Now I am able to get the virus name but want to know the filename as well.
>>> >
>>> > Thanks,
>>> > Homesh
>>> >
>>> >
>>> > On Mon, Oct 18, 2021 at 12:06 PM <az...@po...> wrote:
>>> >
>>> >> Hi Homesh,
>>> >>
>>> >>
>>> >> > Thank you very much for the suggestion on antivirus plugin.
>>> >> > I tested the antivirus plugin with CRS. I have the following queries:
>>> >>
>>> >>
>>> >> You are welcome! Is the plugin working OK for you?
>>> >>
>>> >>
>>> >>
>>> >> > Is CRS a prerequisite for this plugin? As I don't use CRS, I want to use
>>> >> > this without CRS. I understand this plugin rule uses a Lua script.
>>> >>
>>> >>
>>> >> I cannot guarantee it for the future but, currently, it should also
>>> >> work without CRS.
>>> >>
>>> >>
>>> >>
>>> >> > I was able to see the virus name in the logs; however, what is the variable
>>> >> > name for the filename which was scanned, so I can call that variable
>>> >> > inside the TAG or msg?
>>> >>
>>> >>
>>> >> The filename can be obtained directly from ModSecurity using the FILES_TMPNAMES
>>> >> variable, but it's only the temporary name of the uploaded file.
>>> >>
>>> >>
>>> >>
>>> >> azur
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> > Thanks,
>>> >> > Homesh
>>> >> >
>>> >> >
>>> >> > On Mon, Oct 4, 2021 at 1:40 PM homesh joshi <ho...@gm...> wrote:
>>> >> >
>>> >> >> Thanks will test this and update you soon.
>>> >> >>
>>> >> >> On Mon, 4 Oct, 2021, 1:33 pm , <az...@po...> wrote:
>>> >> >>
>>> >> >>> Hi,
>>> >> >>>
>>> >> >>> if you are using CRS, please check this:
>>> >> >>> https://github.com/coreruleset/antivirus-plugin
>>> >> >>>
>>> >> >>> azur
>>> >> >>>
>>> >> >>>
>>> >> >>> Quoting homesh joshi <ho...@gm...>:
>>> >> >>>
>>> >> >>> > Hi All,
>>> >> >>> >
>>> >> >>> > Hope you all are well.
>>> >> >>> > I have done the ModSecurity and ClamAV integration and am now able to
>>> >> >>> > block malicious file uploads. I wanted to get the filename and virus name
>>> >> >>> > details inside the modsec audit logs.
>>> >> >>> >
>>> >> >>> > I am not able to find any documentation on this. Can you please share
>>> >> >>> > any document or tutorial on this?
>>> >> >>> >
>>> >> >>> > Thanks,
>>> >> >>> > Homesh
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> _______________________________________________
>>> >> >>> mod-security-users mailing list
>>> >> >>> mod...@li...
>>> >> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> >> >>> Commercial ModSecurity Rules and Support from Trustwave's
>>> SpiderLabs:
>>> >> >>> http://www.modsecurity.org/projects/commercial/rules/
>>> >> >>> http://www.modsecurity.org/projects/commercial/support/
>>> >> >>>