Re: [mod-security-users] modsecurity 2.0.4(Checking virus by executingscript)
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-01-29 18:58:18
That is correct, you would need to run this in phase:2 in order to have access to the uploaded file in the REQUEST_BODY.

--
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: Natammai Rajendran, Arun (Cognizant) [mailto:Aru...@co...]
Sent: Monday, January 29, 2007 10:52 AM
To: Ryan Barnett; mod...@li...
Subject: RE: [mod-security-users] modsecurity 2.0.4(Checking virus by executingscript)

Fixed the issue using the below rule

    SecRule FILES_TMPNAMES "@inspectFile /local/content/fileupload/test.pl" "log,deny,status:403,phase:2"

Before, I used phase:1 in secdefaultaction so it was not inspecting any uploaded files

Regards
Arun

________________________________
From: Natammai Rajendran, Arun (Cognizant)
Sent: Monday, January 29, 2007 6:17 PM
To: 'Ryan Barnett'; mod...@li...
Subject: RE: [mod-security-users] modsecurity 2.0.4(Checking virus by executingscript)

Hi Ryan,

Below find the configuration of file upload. I checked in modsec debug logs (debug level 9) but it is now inspecting any file using the script

    SecUploadDir /tmp
    SecUploadKeepFiles Off
    SecRule FILES_TMPNAMES:attachFile "@inspectFile /local/apache2/logs/test.sh" t:none

I gave 777 to test.sh but no use

Please let me know what I have done wrong

Regards,
Arun

________________________________
From: Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
Sent: Friday, January 26, 2007 10:16 PM
To: Natammai Rajendran, Arun (Cognizant); mod...@li...
Subject: RE: [mod-security-users] modsecurity 2.0.4(Checking virus by executingscript)

Arun,

ModSecurity 2.0 no longer has a directive that is used to inspect files, however the functionality still exists. There is a new Operator called "@inspectFile". This Operator works in conjunction with the FILES_TMPNAMES variable to inspect the files. Here is the info from the updated Reference Manual (http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0-rc6/modsecurity2-apache-reference.html#N1145A).

inspectFile

Description: Executes the external script/binary given as parameter to the operator against every file extracted from the request.

Example:

    SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl"

You would still need to have your own AV scanning script to actually scan the file.

--
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Natammai Rajendran, Arun (Cognizant)
Sent: Thursday, January 25, 2007 9:33 AM
To: mod...@li...
Subject: [mod-security-users] modsecurity 2.0.4(Checking virus by executingscript)

Hi All,

In modsecurity 1.9.4 we can check whether the uploaded file contains a virus or not by executing the script using the below directive

    SecUploadApproveScript

In modsecurity 2.0.4 how can I execute the script to check for a virus in the uploaded file?

Regards,
Arun

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorised review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful.
Visit us at http://www.cognizant.com
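
The thread leaves the AV scanning script itself to the reader; the following is an added example of such a script, not code from the thread or from the ModSecurity project. It assumes ClamAV's `clamscan` as the scanner (its exit codes are 0 clean, 1 infected, anything else an error) and relies on the `@inspectFile` convention that the script gets the temporary file path as its first argument and approves the file only when its output starts with `1`.

```shell
#!/bin/sh
# Added example: upload inspection script for a rule such as
#   SecRule FILES_TMPNAMES "@inspectFile /path/to/this/script" \
#       "log,deny,status:403,phase:2"
# (phase:2 is required, as the thread establishes; the script path is a placeholder).
# ModSecurity passes the temporary file path as $1 and reads the script's
# output: a line starting with "1" approves the file, anything else matches.

# Assumption: clamscan is installed and on PATH. SCANNER can be overridden
# with any command that uses the same exit codes.
SCANNER="${SCANNER:-clamscan}"

# Print the verdict line for the uploaded file at $1.
inspect_upload() {
    file="$1"
    # Fail closed: an absent or unreadable temp file is reported as a match.
    if [ -z "$file" ] || [ ! -r "$file" ]; then
        echo "0 cannot read upload"
        return 0
    fi
    rc=0
    "$SCANNER" --no-summary "$file" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo "1 clean" ;;
        1) echo "0 virus found" ;;
        # Scanner missing, crashed or misconfigured: also fail closed,
        # so a broken scanner does not silently let uploads through.
        *) echo "0 scanner error" ;;
    esac
}

# Run only when called with a file argument, as ModSecurity does.
if [ "$#" -gt 0 ]; then
    inspect_upload "$1"
fi
```

The script must be executable by the user Apache runs as, and the debug log at level 9 shows whether the operator was invoked for each uploaded file.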