vdavid

Reputation: 55

Mod_security av_scanning

I installed mod_security with OWASP rules on a Debian Jessie server, and am experiencing the problem that it does not run the "runav.pl" script when I try to upload a file.

I modified the script to create /tmp/filewrite.txt with the content "Test text" when it is run. If I run it by hand it creates the file, but when I upload a file it does not create the above-mentioned test file.

Here is the modified runav.pl script:

#!/usr/bin/perl
#
# runav.pl
# Copyright (c) 2004-2011 Trustwave
#
# This script is an interface between ModSecurity and its
# ability to intercept files being uploaded through the
# web server, and ClamAV

my $filename = '/tmp/filewrite.txt';
open(my $fh, '>', $filename);
print $fh "Test text\n";
close $fh;

$CLAMSCAN = "clamdscan";

if ($#ARGV != 0) {
    print "Usage: modsec-clamscan.pl <filename>\n";
    exit;
}

my ($FILE) = shift @ARGV;

$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
$input = `$cmd`;
$input =~ m/^(.+)/;
$error_message = $1;

$output = "0 Unable to parse clamscan output [$1]";

if ($error_message =~ m/: Empty file\.?$/) {
    $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
    $output = "1 clamscan: OK";
}

print "$output\n";

And here are the related lines from modsecurity.conf:

SecRuleEngine DetectionOnly

SecServerSignature FreeOSHTTP

SecRequestBodyAccess On

SecRequestBodyLimit 20971520
SecRequestBodyNoFilesLimit 131072

SecRequestBodyInMemoryLimit 20971520

SecRequestBodyLimitAction Reject

SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /tmp/
SecDataDir /tmp/
SecUploadDir /opt/modsecuritytmp/
SecUploadFileMode 0640
SecDebugLog /var/log/apache2/debug.log
SecDebugLogLevel 3
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127
SecStatusEngine On

Activated rules are under /etc/modsecurity/activated_rules, and all the other rules work well, except "modsecurity_crs_46_av_scanning.conf".

Does anyone have an idea why it does not do anything with the uploaded file?

Upvotes: 1

Views: 534
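
A variant of the wrapper in the question that records each invocation in syslog (effective UID and the path it was given) instead of writing a marker file, and starts clamdscan from an argument list rather than a shell string. This is an added example, not part of the original post or the Trustwave script; the `runav-example` syslog tag and the `verdict` and `scan` helper names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the Trustwave script: same reply format as runav.pl above.
use strict;
use warnings;
use Sys::Syslog qw(openlog syslog closelog);

my $CLAMSCAN = 'clamdscan';    # scanner command taken from the script above

# Map the first line of scanner output to the one-line reply on stdout.
# As in the script above, "1 ..." reports a clean file and "0 ..." anything else.
sub verdict {
    my ($line) = @_;
    return '0 no output from scanner' unless defined $line && length $line;
    return '1 empty file'             if $line =~ /: Empty file\.?$/;
    return "0 clamscan: $1"           if $line =~ /: (.+) (?:ERROR|FOUND)$/;
    return '1 clamscan: OK'           if $line =~ /: OK$/;
    return "0 Unable to parse clamscan output [$line]";
}

# Run the scanner with an argument list so the file name never reaches a shell.
sub scan {
    my ($file) = @_;
    open(my $out, '-|', $CLAMSCAN, '--stdout', '--disable-summary', $file)
        or return "0 cannot run $CLAMSCAN: $!";
    my $first = <$out>;
    close $out;    # exit status ignored; the reply is derived from the text
    chomp $first if defined $first;
    return verdict($first);
}

if (@ARGV != 1) {
    print "Usage: $0 <filename>\n";
    exit 64;
}
my $file = $ARGV[0];

# Record every invocation: effective UID and the path handed to the script.
openlog('runav-example', 'pid,nofatal', 'user');
syslog('info', 'invoked euid=%d file=%s', $>, $file);
my $reply = scan($file);
syslog('info', 'reply=%s', $reply);
closelog();

print "$reply\n";
```

A missing scanner binary or empty scanner output produces a "0 ..." reply, so a scan that could not be carried out is never reported as clean.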

Answers (0)
