[Mod-security-rules] To add new field in malware detection script.
From: Rakesh B. <rak...@gm...> - 2024-07-05 14:43:41
Hi There,

I am using ModSecurity in my Apache web server. In ModSecurity we have one rule to block malicious files. Below is the rule. We detect malware files using the antivirus.lua script. Now we are successfully getting the virus name and file name of the malicious file. Our requirement is to get the MD5 hash value of the same malicious file.

---------Modsecurity Rule--------------
SecRule FILES_TMPNAMES "@inspectFile antivirus.lua" "id:9502120,phase:2,deny,setvar:tx.swrule=1,setvar:tx.msgrule=%{rule.msg},setvar:tx.idrule=%{rule.id},setvar:tx.severityrule=%{rule.severity},t:none,msg:'Malicious File Upload',logdata:'Virus %{tx.antivirus-plugin_virus_name} found in uploaded file %{tx.antivirus-plugin_file_name}.',tag:'Virus %{tx.antivirus-plugin_virus_name} found in uploaded file %{tx.antivirus-plugin_file_name}.',ver:'antivirus-plugin/1.0.0',severity:'CRITICAL',chain"
    SecRule TX:ANTIVIRUS-PLUGIN_VIRUS_NAME "@streq %{tx.antivirus-plugin_virus_name}"
---------Modsecurity Rule--------------

Attached is the Lua script which we are currently using.

Thanks,
Rakesh
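One way to expose the hash the message asks for, as an added example that is not part of the original post or of the antivirus plugin's own code. It assumes `md5sum` (GNU coreutils) is on the PATH of the web server user and that the helper is pasted into antivirus.lua; the variable name `tx.antivirus-plugin_file_md5` and the function names are hypothetical.

```lua
-- Added example (not the plugin's code): hash the temporary upload file that
-- ModSecurity passes to the @inspectFile script and publish it as a TX variable.

-- Quote a path for /bin/sh so that no character in it is interpreted by the shell.
local function shell_quote(s)
  return "'" .. s:gsub("'", "'\\''") .. "'"
end

-- Return the lowercase hex MD5 of the file at `path`, or nil on any failure.
local function file_md5(path)
  -- "--" stops option parsing in case the path begins with "-".
  local pipe = io.popen("md5sum -- " .. shell_quote(path) .. " 2>/dev/null")
  if not pipe then
    return nil
  end
  local line = pipe:read("*l")
  pipe:close()
  if not line then
    return nil
  end
  -- md5sum prints "<32 hex digits>  <name>"; it prefixes the line with "\"
  -- when the name contains a backslash or newline, so allow that prefix.
  return line:match("^\\?(" .. ("%x"):rep(32) .. ")")
end

-- Call this from main(filename) at the point where the script already sets
-- tx.antivirus-plugin_virus_name, while the temporary file still exists.
local function record_md5(filename)
  local digest = file_md5(filename)
  -- "m" is the API table ModSecurity provides to Lua scripts; it is absent
  -- when the file is run with a plain Lua interpreter.
  if m then
    m.setvar("tx.antivirus-plugin_file_md5", digest or "unavailable")
  end
  return digest
end
```

With the variable set, the rule's `logdata` can reference it as `%{tx.antivirus-plugin_file_md5}` alongside the existing virus name and file name.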