Re: [Mod-security-rules] To add new field in malware detection script.
From: Steve H. <ham...@gm...> - 2024-07-06 15:13:20
If you want a pure Lua method you are going to have to install a Lua library that will handle that, like https://lunarmodules.github.io/md5/manual.html. However, based on what it sounds like you are doing, I think it might be easiest to create a separate shell script that will get the md5, and from within your Lua script execute the bash script, passing it the file path as an argument. So your ModSecurity rule would trigger your Lua script and your Lua script would trigger your bash script.

Something like:

---- Lua Script ----

-- Run the helper script, passing it the path of the infected file
os.execute("/path/to/bash/script /path/to/infected/file")

---- Bash Script ----

#!/bin/bash
# Hash the file given as the first argument (quoted so spaces in the path survive)
virus_md5=$(md5sum "$1" | cut -d ' ' -f1)
echo "$virus_md5"
# Then handle whatever you want to do with the md5 sum from within the bash script.

> On Jul 5, 2024, at 10:43 AM, Rakesh Bare <rak...@gm...> wrote:
>
> Hi There,
> I am using modsecurity in my apache web server. In modsecurity we have one rule to block malicious files. Below is the rule. We are detecting malware files using the antivirus.lua script. Now we are successfully getting the virus name and file name of the malicious file. Our requirement is to get the md5 hash value of the same malicious file.
>
> ---------Modsecurity Rule--------------
>
> SecRule FILES_TMPNAMES "@inspectFile antivirus.lua" "id:9502120,phase:2,deny,setvar:tx.swrule=1,setvar:tx.msgrule=%{rule.msg},setvar:tx.idrule=%{rule.id},setvar:tx.severityrule=%{rule.severity},t:none,msg:'Malicious File Upload',logdata:'Virus %{tx.antivirus-plugin_virus_name} found in uploaded file %{tx.antivirus-plugin_file_name}.',tag:'Virus %{tx.antivirus-plugin_virus_name} found in uploaded file %{tx.antivirus-plugin_file_name}.',ver:'antivirus-plugin/1.0.0',severity:'CRITICAL',chain"
> SecRule TX:ANTIVIRUS-PLUGIN_VIRUS_NAME "@streq %{tx.antivirus-plugin_virus_name}"
>
> ---------Modsecurity Rule--------------
>
> Attached is the lua script which we are using currently.
>
> Thanks,
>
> Rakesh
>
> <antivirus.lua>
> _______________________________________________
> Mod-security-rules mailing list
> Mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-rules