icap SOPHOS SAVDI and custom errorpage


icap SOPHOS SAVDI and custom errorpage

David Webb

I've setup

squid -v
Squid Cache: Version 3.3.8

on RHEL 7.1

and have configured things so that virus scanning with Sophos' SAVDI
works and can get to a custom error page; however, I can't seem to find
any way of getting the name of the detected virus passed across to the
custom error page and displayed.

The appropriate part of my squid.conf  is


acl http_status_403 http_status 403
acl virus_found rep_header X-Blocked  -i \Virus found during virus scan\.
#
icap_enable on
adaptation_access  sophosicap  allow all
icap_service  sophosicap  respmod_precache icap://127.0.0.1:4020/sophos
http_reply_access deny http_status_403 virus_found
deny_info ERR_MDX_VIRUS_FOUND  virus_found

(I'm not sure if this is the best way of doing things but it was the
only way I could find which worked.
The deny_info documentation
http://www.squid-cache.org/Versions/v3/3.3/cfgman/deny_info.html
seemed to suggest that I could use the servicename sophosicap:

"The acl is typically the last acl on the http_access deny line which
denied access. The exceptions to this rule are:
  - When Squid needs to request authentication credentials. It's then
    the first authentication related acl encountered
  - When none of the http_access lines matches. It's then the last
    acl processed on the last http_access line.
  - When the decision to deny access was made by an adaptation service,
    the acl name is the corresponding eCAP or ICAP service_name."

but I couldn't work out how to get this to work.)

As I said though none of the custom errorpage variables from
http://wiki.squid-cache.org/Features/CustomErrors#ERR_.2A_template_codes_for_embedding
seem to get back the virus name from SAVDI.

The only place I have found the virus name reported is in the icap_log I
set up, with format:

logformat icap_squid2 %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs
%icap::<st  %icap::rm %icap::ru %un -/%icap::<A - %icap::<h


1447168691.715     15 10.2.213.153 ICAP_MOD/200 703 RESPMOD
icap://127.0.0.1:4020/sophos - -/127.0.0.1 -
ISTag:%20%221-02-3-60-0-5-20-231-462227D3%22%0D%0AService:%20Sophos%20Anti-Virus%20SAVDI/ICAP%0D%0ADate:%20Tue,%2010%20Nov%202015%2015:18:11%20GMT%0D%0AX-HRESULT:%2000040203%0D%0AX-Virus-ID:%20EICAR-AV-Test%0D%0AX-Infection-Found:%20Type=0;%20Resolution=2;%20Threat=EICAR-AV-Test;%0D%0AX-Violations-Found:%201%0D%0A%20%20%20%20%20%20-%0D%0A%20%20%20%20%20%20EICAR-AV-Test%0D%0A%20%20%20%20%20%20-%0D%0A%20%20%20%20%20%200%0D%0AEncapsulated:%20res-hdr=0,%20null-body=345%0D%0A


Is there any way of getting this reported virus name (Virus-ID) into the
custom error page?
Has anyone else got SAVDI working with Squid icap ?


Thanks


--

David Webb  (CISSP-ISSAP)
Information Systems Security Architecture Professional
IT Security team leader
CCSS
Middlesex University





_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
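As an added example (not code from David's post, from Squid or from Sophos), the following Python decodes the %icap::<h field of an icap_log entry like the one above and pulls out the X-Virus-ID and the Threat= value of X-Infection-Found, which is where the detected virus name actually surfaces. The two log entries are constructed copies modelled on the sample in the post; the field positions assume the icap_squid2 logformat shown there.

```python
import re
from urllib.parse import unquote

# Constructed copy of the icap_log entry shown in the post above (logformat
# icap_squid2). The last field is %icap::<h, the ICAP response headers, which
# Squid writes URL-encoded so the entry stays on one line.
SAMPLE_LINE = (
    "1447168691.715     15 10.2.213.153 ICAP_MOD/200 703 RESPMOD "
    "icap://127.0.0.1:4020/sophos - -/127.0.0.1 - "
    "ISTag:%20%221-02-3-60-0-5-20-231-462227D3%22%0D%0A"
    "Service:%20Sophos%20Anti-Virus%20SAVDI/ICAP%0D%0A"
    "X-HRESULT:%2000040203%0D%0A"
    "X-Virus-ID:%20EICAR-AV-Test%0D%0A"
    "X-Infection-Found:%20Type=0;%20Resolution=2;%20Threat=EICAR-AV-Test;%0D%0A"
    "X-Violations-Found:%201%0D%0A"
    "%20%20%20%20%20%20-%0D%0A%20%20%20%20%20%20EICAR-AV-Test%0D%0A"
    "%20%20%20%20%20%20-%0D%0A%20%20%20%20%20%200%0D%0A"
    "Encapsulated:%20res-hdr=0,%20null-body=345%0D%0A"
)

# Constructed entry for a clean scan: no infection headers from SAVDI.
CLEAN_LINE = (
    "1447168700.001      4 10.2.213.153 ICAP_MOD/204 0 RESPMOD "
    "icap://127.0.0.1:4020/sophos - -/127.0.0.1 - "
    "ISTag:%20%221-02-3-60-0-5-20-231-462227D3%22%0D%0A"
)


def parse_icap_headers(encoded):
    """Decode the %-encoded %icap::<h field into a {lowercase-name: value} dict.
    Indented continuation lines (X-Violations-Found details) are skipped."""
    headers = {}
    for raw in unquote(encoded).split("\r\n"):
        if ":" in raw and not raw.startswith(" "):
            name, value = raw.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def virus_from_icap_log(line):
    """Return (client_ip, icap_status, virus_id, threat) for one icap_log entry;
    virus_id and threat are None when SAVDI reported no infection."""
    fields = line.split()
    client_ip, icap_status = fields[2], fields[3]
    headers = parse_icap_headers(fields[-1])
    virus_id = headers.get("x-virus-id")
    m = re.search(r"Threat=([^;]+)", headers.get("x-infection-found", ""))
    return client_ip, icap_status, virus_id, (m.group(1) if m else None)
```

Fed the whole icap.log, this gives a per-client list of detections for alerting, independent of whatever the client-facing error page shows.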

Re: icap SOPHOS SAVDI and custom errorpage

netadmin
I tried to use the configuration given in the previous post with Squid 4.9 and
Sophos SAVDI 2.6.
If I download a virus file, Squid sends the file for scanning and it is
detected by Sophos SAVDI (I find it in the logs), but it is not blocked by Squid
(I can download it).
The problem, I think, is in the response Squid receives after the scan,
but I do not know where.
Has anyone managed to make this solution functional?



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

Re: icap SOPHOS SAVDI and custom errorpage

Amos Jeffries
Administrator
On 9/01/20 10:22 pm, netadmin wrote:
> I try to use the configuration given in the previous post

FYI: this post started a brand new thread, there is no previous post
visible to us. Please provide a direct reference to the post and/or
config file in question.


> with: Squid 4.9 and
> Sophos SAVDI 2.6.
> If I download a virus file, the Squid sends the file for scanning and is
> detected by Sophos SAVDI (I find it in logs) but it is not blocked by Squid
> (I can download it).
> The problem I think is in the response received by the Squid after the scan
> but I do not know where.
> Has anyone managed to make this solution functional?
>

I assume the config uses the AV software as an ICAP service?
That has been made working by many AFAIK, with several different AV
software.

It is most likely that the ICAP service is either telling Squid it can
start delivering the response early, before it finds the virus payload,
or producing the wrong response and thus causing Squid to deliver the
content.


To help we are likely to need your squid.conf details, the access.log
entries that show the transaction(s) you know are wrong, and the
icap.log content.

Amos

Re: icap SOPHOS SAVDI and custom errorpage

netadmin
I'm sorry I didn't know how the list I posted works.
Direct reference is:
http://squid-web-proxy-cache.1019090.n4.nabble.com/icap-SOPHOS-SAVDI-and-custom-errorpage-td4674469.html

I will also post the required information as soon as I restore the
configuration on a test server.





Re: icap SOPHOS SAVDI and custom errorpage

Amos Jeffries
Administrator
On 10/01/20 11:37 pm, netadmin wrote:
> squid.conf
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377857/squid.conf>

Okay, so you have taken the part of David's config which sends traffic
to ICAP, but not the part which generates a custom 403 message for the
client.

That means whatever SAVDI is providing to Squid via ICAP is being
delivered to the end-client.

> access.log
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377857/access.log>

Notice the "Content-Length: 0" in the response headers delivered to the
client ...

> icap.log
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377857/icap.log>
> Sophos_SAVDI.log
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377857/Sophos_SAVDI.log>  
>

... and in both of these the HTTP response given to SAVDI was 184 bytes long.


SAVDI is truncating infected payloads and telling Squid to deliver a
0-length response instead of the infection. So the setup is working fine
- though not with the log entries you were expecting to see.

Amos

Re: icap SOPHOS SAVDI and custom errorpage

netadmin
I also tried with the settings from David Webb's post ie:
acl http_status_403 http_status 403
acl virus_found rep_header X-Blocked -i \Virus found during virus scan\.

I tried both options:
http_reply_access deny http_status_403 virus_found
and
adapted_http_access deny http_status_403 virus_found

but something is wrong, I can download the test file (eicar).





Re: icap SOPHOS SAVDI and custom errorpage

Amos Jeffries
Administrator
On 11/01/20 7:43 am, netadmin wrote:

> I also tried with the settings from David Webb's post ie:
> acl http_status_403 http_status 403
> acl virus_found rep_header X-Blocked -i \Virus found during virus scan\.
>
> I tried both options:
> http_reply_access deny http_status_403 virus_found
> and
> adapted_http_access deny http_status_403 virus_found
>
> but something is wrong, I can download the test file (eicar).
>

There are two problems here.

 *  The string SAVDI adds has no '.' at the end. The regex you have says
(with "\.") that it is mandatory.
  - remove that bit of the regex

 * SAVDI is producing status 200. So the 403 status check will not work
for you.
  - remove the http_status_403.

The access.log you showed earlier says that SAVDI is adding both of these
headers, which you could use:

 X-Blocked: Virus found during virus scan
 X-Blocked-By: Sophos Anti-Virus



Amos
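As an added illustration (not code from Amos, from Squid or from the thread), a small Python model of the two ACL checks on David's http_reply_access line, run against the header values Amos quotes from the access.log. It assumes only that Squid's rep_header ACL does a case-insensitive regex search over the header value and that every ACL on one access line must match for the deny to apply; it is a stand-in for Squid's matching, not Squid code.

```python
import re

# Constructed model of the two checks on the http_reply_access line from
# David's config, using the header values Amos quotes from the access.log.
# This stands in for Squid's ACL matching; it is not Squid code.
SAVDI_HEADERS = {
    "X-Blocked": "Virus found during virus scan",   # note: no trailing '.'
    "X-Blocked-By": "Sophos Anti-Virus",
}
SAVDI_STATUS = 200  # SAVDI rewrites the reply with status 200, not 403

# rep_header patterns. David's pattern ends in "\." (a mandatory literal dot);
# its stray leading backslash is left out here because Python's re rejects "\V".
ORIGINAL_PATTERN = r"Virus found during virus scan\."
FIXED_PATTERN = r"Virus found during virus scan"


def rep_header_matches(headers, name, pattern):
    """Model of 'acl X rep_header <name> -i <regex>': a case-insensitive
    regex search over the named reply header's value."""
    value = headers.get(name)
    return value is not None and re.search(pattern, value, re.I) is not None


def reply_denied(headers, status, pattern, require_403):
    """Model of 'http_reply_access deny [http_status_403] virus_found':
    all ACLs on one access line must match for the deny to apply."""
    if require_403 and status != 403:
        return False
    return rep_header_matches(headers, "X-Blocked", pattern)


def diagnose(headers, status):
    """List which of the two defects Amos names would prevent the block."""
    problems = []
    if not rep_header_matches(headers, "X-Blocked", ORIGINAL_PATTERN):
        problems.append("regex requires a trailing '.' the header lacks")
    if status != 403:
        problems.append("reply status is %d, so http_status 403 never matches" % status)
    return problems
```

Only the combination of the fixed pattern and dropping the http_status_403 ACL yields a deny against the headers SAVDI actually sends.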

Re: icap SOPHOS SAVDI and custom errorpage

netadmin
Thank you for your time, patience and lessons learned.
Now it is all functional and I can no longer download the test file, either
by clicking or with Save link as.
I will come back with a post that includes the necessary settings for both
Sophos SAVDI version 2.6 (I highly recommend it for scanning Squid traffic
and antivirus for e-mail) but also for Squid version 4.9 (I have been using
it for 10 years and it is an extraordinary tool for network traffic
management).

Thanks again Amos!




Re: icap SOPHOS SAVDI and custom errorpage

netadmin
Configurations for Sophos-SAVDI (savdid.conf):
> threadcount: <xy>
Normally it should be at least the maximum number of clients.
> loglevel: 0
> address: 127.0.0.1
Configurations for Squid-ICAP (squid.conf):
> acl virus_found rep_header X-Blocked -i \Virus found during virus scan
> http_reply_access deny virus_found
> access_log daemon:/var/log/access.log virus_found
> icap_log daemon:/var/log/icap.log icap_squid
> deny_info ERR_ACCESS_DENIED virus_found
> icap_enable on
> icap_service sophosicap respmod_precache icap://127.0.0.1:4020/sophos
> adaptation_access sophosicap allow all
Configurations for Squid-ssl-bump (squid.conf):
> http_port <IP>:<port> ssl-bump \
>   cert=/usr/local/squid/ssl_cert/myCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB


