ClamAV with mod security #1610
Comments
Hi @intelbg, please check the most recent version of v3/master. The code was recently implemented there.
I did git clone -b v3/master https://github.com/SpiderLabs/ModSecurity
Can you please provide me the md5 sum of the specific file?
@intelbg make sure you are cloning the repository into an empty directory.
@zimmerle I am sure it's cloned in an empty directory. Is my command for git clone right?
@intelbg inspectFile support was added at 1866a3a. See https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/operators/inspect_file.cc for reference. "$ git clone -b v3/master https://github.com/SpiderLabs/ModSecurity" should work to clone to a new directory. To update your local repository with the current master "$ git pull" should do the trick.
Hi @intelbg, @zimmerle, @victorhora, I've been digging into libmodsecurity + clamav integration, and googled to this issue, so I decided to post some of my results here instead of creating another one. The v3/master branch, as of 480a2f8, does have working support for the @inspectFile operator.
Test env:
ModSecurity config part:
The
Test request for good file:
Test request for bad file (http://www.eicar.org/86-0-Intended-use.html):
Log for bad file:
Also, every run of external script from
The 18473 in the above example is a pid of nginx worker process - so there is a fork/exec every time.
Finally, I had to modify
Corresponding parts of ModSecurity debug log, good case:
Bad case:
That makes me think that there is an error in https://raw.githubusercontent.com/SpiderLabs/owasp-modsecurity-crs/v3.0/master/util/av-scanning/runav.pl - but I'm not sure as I don't have any knowledge on how
Hope this helps someone.
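An added example, not code from this thread or from the CRS project: an approver script for `@inspectFile` that follows the output convention runav.pl uses (a first character of `1` approves the file, anything else is treated as a match) and fails closed when the scan itself errors out. The `SCANNER` variable and the `inspect_file` function name are assumptions of this example.

```shell
#!/bin/sh
# Added example; not the CRS runav.pl. Assumed output convention (the one
# runav.pl uses): first character "1" approves the file, anything else is a match.

# Hypothetical knob: the scanner command, overridable for testing without ClamAV.
# clamdscan talks to a running clamd, so the signature database is not reloaded
# on each exec; --fdpass hands clamd an open descriptor for the upload temp file.
SCANNER="${SCANNER:-clamdscan --no-summary --fdpass --stdout}"

inspect_file() {
    file="$1"
    # Fail closed on anything that is not a readable regular file.
    if [ -z "$file" ] || [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "0 inspect: unreadable or missing file"
        return 0
    fi
    rc=0
    # $SCANNER is left unquoted on purpose so its options split into words.
    out=$($SCANNER "$file" 2>&1) || rc=$?
    case "$rc" in
        0) echo "1 clamdscan: OK" ;;
        1) # Exit 1 = signature hit; report the name from "<path>: <name> FOUND".
           sig=$(printf '%s\n' "$out" | sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1)
           echo "0 clamdscan: ${sig:-signature match}" ;;
        *) # Exit 2 or anything else = scan error (clamd down, permission denied).
           echo "0 clamdscan: scan error (exit $rc)" ;;
    esac
}

# When invoked by the operator, the temp file path arrives as the first argument.
if [ "$#" -gt 0 ]; then
    inspect_file "$1"
fi
```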
For future reference: #1646 (comment)
Hello,
I wondered if this is the right place where to ask and I am sorry if it's not. I would like to use clamAV scanning with mod security in nginx and found the following guide:
https://malware.expert/scan-every-file-clam-antivirus-scanner-modsecurity/
Although I receive the following error on the rule:
SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav.pl" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'399999'"
Operator: InspectFile is not yet supported.
Is it possible to use another operator to accomplish this task or is it planned to be implemented? I am using libmodsecurity version 3 with nginx connector and CRS v3 too.
Thank you in advance.