Skip to content

Commit

Permalink
[Minor] lua_scanners - icap - add eset support, adopt lua suggestions
Browse files Browse the repository at this point in the history
  • Loading branch information
@c-rosenberg
c-rosenberg committed Oct 1, 2019
1 parent 7285204 commit c2f92d0
Showing 1 changed file with 26 additions and 18 deletions.
44 changes: 26 additions & 18 deletions lualib/lua_scanners/icap.lua
View file
Expand Up @@ -103,8 +103,8 @@ local function icap_check(task, content, digest, rule)
-- Build the icap queries
local options_request = {
"OPTIONS icap://" .. addr:to_string() .. ":" .. addr:get_port() .. "/" .. rule.scheme .. " ICAP/1.0\r\n",
"Host: " .. addr:to_string() .. "\r\n",
string.format("OPTIONS icap://%s:%s/%s ICAP/1.0\r\n", addr:to_string(), addr:get_port(), rule.scheme),
string.format('Host: %s\r\n', addr:to_string()),
"User-Agent: Rspamd\r\n",
"Encapsulated: null-body=0\r\n\r\n",
}
Expand Down Expand Up @@ -192,29 +192,37 @@ local function icap_check(task, content, digest, rule)
Generic Strings:
X-Infection-Found: Type=0; Resolution=2; Threat=Troj/DocDl-OYC;
X-Infection-Found: Type=0; Resolution=2; Threat=W97M.Downloader;
Symantec String:
X-Infection-Found: Type=2; Resolution=2; Threat=Container size violation
X-Infection-Found: Type=2; Resolution=2; Threat=Encrypted container violation;
Sophos Strings:
X-Virus-ID: Troj/DocDl-OYC
Kaspersky Web Traffic Security Strings:
X-Virus-ID: HEUR:Backdoor.Java.QRat.gen
X-Response-Info: blocked
X-Virus-ID: no threats
X-Response-Info: blocked
X-Response-Info: passed
Trend Micro IWSVA Strings:
X-Virus-ID: Trojan.W97M.POWLOAD.SMTHF1
X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.W97M.POWLOAD.SMTHF1;
F-Secure Internet Gatekeeper Strings:
X-FSecure-Scan-Result: infected
X-FSecure-Infection-Name: "Malware.W97M/Agent.32584203"
X-FSecure-Infected-Filename: "virus.doc"
ESET File Security for Linux 7.0
X-Infection-Found: Type=0; Resolution=0; Threat=VBA/TrojanDownloader.Agent.JOA;
X-Virus-ID: Trojaner
X-Response-Info: Blocked
]] --

if icap_headers['X-Infection-Found'] ~= nil then
if icap_headers['X-Infection-Found'] then
local _,_,icap_type,_,icap_threat =
icap_headers['X-Infection-Found']:find("Type=(.-); Resolution=(.-); Threat=(.-);$")

Expand All @@ -229,28 +237,28 @@ local function icap_check(task, content, digest, rule)
table.insert(threat_string, icap_threat)
end

elseif icap_headers['X-Virus-ID'] ~= nil and icap_headers['X-Virus-ID'] ~= "no threats" then
elseif icap_headers['X-Virus-ID'] and icap_headers['X-Virus-ID'] ~= "no threats" then
lua_util.debugm(rule.name, task,
'%s: icap X-Virus-ID: %s', rule.log_prefix, icap_headers['X-Virus-ID'])

if string.find(icap_headers['X-Virus-ID'], ', ') then
local vnames = rspamd_str_split(string.gsub(icap_headers['X-Virus-ID'], "%s", ""), ',') or {}
local vnames = lua_util.rspamd_str_split(string.gsub(icap_headers['X-Virus-ID'], "%s", ""), ',') or {}

for _,v in ipairs(vnames) do
table.insert(threat_string, v)
end
else
table.insert(threat_string, icap_headers['X-Virus-ID'])
end
elseif icap_headers['X-FSecure-Scan-Result'] ~= nil and icap_headers['X-FSecure-Scan-Result'] ~= "clean" then
elseif icap_headers['X-FSecure-Scan-Result'] and icap_headers['X-FSecure-Scan-Result'] ~= "clean" then

local infected_filename = ""
local infection_name = "-unknown-"

if icap_headers['X-FSecure-Infected-Filename'] ~= nil then
if icap_headers['X-FSecure-Infected-Filename'] then
infected_filename = string.gsub(icap_headers['X-FSecure-Infected-Filename'], '[%s"]', '')
end
if icap_headers['X-FSecure-Infection-Name'] ~= nil then
if icap_headers['X-FSecure-Infection-Name'] then
infection_name = string.gsub(icap_headers['X-FSecure-Infection-Name'], '[%s"]', '')
end

Expand All @@ -259,7 +267,7 @@ local function icap_check(task, content, digest, rule)
rule.log_prefix, infection_name, infected_filename)

if string.find(infection_name, ', ') then
local vnames = rspamd_str_split(infection_name, ',') or {}
local vnames = lua_util.rspamd_str_split(infection_name, ',') or {}

for _,v in ipairs(vnames) do
table.insert(threat_string, v)
Expand All @@ -286,9 +294,9 @@ local function icap_check(task, content, digest, rule)

local icap_headers = icap_result_header_table(result) or {}
-- Find ICAP/1.x 2xx response
if icap_headers.icap ~= nil and string.find(icap_headers.icap, 'ICAP%/1%.. 2%d%d') then
if icap_headers.icap and string.find(icap_headers.icap, 'ICAP%/1%.. 2%d%d') then
icap_parse_result(icap_headers)
elseif icap_headers.icap ~= nil and string.find(icap_headers.icap, 'ICAP%/1%.. [45]%d%d') then
elseif icap_headers.icap and string.find(icap_headers.icap, 'ICAP%/1%.. [45]%d%d') then
-- Find ICAP/1.x 5/4xx response
--[[
Symantec String:
Expand Down Expand Up @@ -321,17 +329,17 @@ local function icap_check(task, content, digest, rule)
else
local icap_headers = icap_result_header_table(tostring(data))

if icap_headers.icap ~= nil and string.find(icap_headers.icap, 'ICAP%/1%.. 2%d%d') then
if icap_headers['Methods'] ~= nil and string.find(icap_headers['Methods'], 'RESPMOD') then
if icap_headers['Allow'] ~= nil and string.find(icap_headers['Allow'], '204') then
if icap_headers.icap and string.find(icap_headers.icap, 'ICAP%/1%.. 2%d%d') then
if icap_headers['Methods'] and string.find(icap_headers['Methods'], 'RESPMOD') then
if icap_headers['Allow'] and string.find(icap_headers['Allow'], '204') then
add_respond_header('Allow', '204')
end
if icap_headers['Service'] ~= nil and string.find(icap_headers['Service'], 'IWSVA 6.5') then
if icap_headers['Service'] and string.find(icap_headers['Service'], 'IWSVA 6.5') then
add_respond_header('Encapsulated', 'res-hdr=0 res-body=0')
else
add_respond_header('Encapsulated', 'res-body=0')
end
if icap_headers['Server'] ~= nil and string.find(icap_headers['Server'], 'F-Secure ICAP Server') then
if icap_headers['Server'] and string.find(icap_headers['Server'], 'F-Secure ICAP Server') then
local from = task:get_from('mime')
local rcpt_to = task:get_principal_recipient()
local client = task:get_from_ip()
Expand Down

0 comments on commit c2f92d0

Please sign in to comment.