Monday, January 27, 2014

Integrating ModSecurity with ClamAV Antivirus

ClamAV is a free, open-source antivirus engine designed to detect Trojans, viruses, malware and other malicious threats. In this article we will set up ClamAV on an Ubuntu 14.04 LTS server, integrate it with the Apache ModSecurity web application firewall, and scan files uploaded through a web application.

Install ClamAV

    Install clamav and clamav-daemon from the repository

    $ sudo apt-get install clamav clamav-daemon -y

Update the ClamAV malware signatures

    $ sudo freshclam

Start clamav-daemon

    $ sudo /etc/init.d/clamav-daemon start


Add anti-virus scanning rules to ModSecurity

    Create a soft link to the anti-virus rule file, i.e. modsecurity_crs_46_av_scanning.conf

    # cd /usr/share/modsecurity-crs/activated_rules
    # ln -s ../optional_rules/modsecurity_crs_46_av_scanning.conf


    Edit the configuration in the rule file modsecurity_crs_46_av_scanning.conf
    # nano modsecurity_crs_46_av_scanning.conf

    Here, edit the location of the script in the "@inspectFile" operator (the line below is shown as nano displays it, cut off at the terminal width).

    SecRule FILES_TMPNAMES "@inspectFile /usr/share/modsecurity-crs/util/av-scanning/runav.pl" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity$


    Restart Apache2
    # service apache2 restart

Test the configuration by uploading a test virus file through the upload function of a web application hosted on the server. You can use the EICAR test file if you don't want to take the risk of using real malicious files.
Check the ModSecurity log if ModSecurity is in DetectionOnly mode; otherwise ModSecurity will take the default action configured for active mode, i.e. display a 403 Forbidden error.

Note: The file upload service may become a little sluggish because of the scanning task performed by ClamAV.
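The "@inspectFile" operator runs an external script for every uploaded file and reads one line from its standard output: a leading "1" accepts the file, a leading "0" rejects it, and the rest of the line becomes the log message. The following script is an added example, not part of the CRS or of this post, showing that contract in shell as an alternative to the Perl runav.pl script the rule above points at. It uses clamdscan, which hands the file to the already running clamav-daemon instead of loading the signature database on every call the way clamscan does, which addresses the sluggishness noted above. The file name av-inspect.sh and the AV_SCAN_CMD override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the CRS's own code): a shell implementation of the
# ModSecurity @inspectFile contract. Assumed install path:
#   /usr/share/modsecurity-crs/util/av-scanning/av-inspect.sh
#
# ModSecurity runs the script with the temporary upload path as $1 and reads
# the first line of stdout. Leading "1" = accept, leading "0" = reject; the
# remainder of the line is used as the log message.
#
# clamdscan talks to the running clamav-daemon, so the signature database is
# not reloaded for every upload (clamscan would do that). AV_SCAN_CMD can be
# overridden, e.g. to plug in a stub scanner when testing.
AV_SCAN_CMD="${AV_SCAN_CMD:-clamdscan --no-summary}"

av_inspect() {
    file="$1"
    if [ ! -r "$file" ]; then
        # Cannot inspect: reject rather than let an unscanned file through.
        echo "0 inspect error: cannot read $file"
        return 0
    fi
    # clamdscan/clamscan exit codes: 0 = clean, 1 = infected, 2 = error.
    # The if/else keeps a non-zero scanner status from aborting under 'set -e'.
    if output=$($AV_SCAN_CMD "$file" 2>&1); then
        status=0
    else
        status=$?
    fi
    case "$status" in
        0) echo "1 clean" ;;
        1) echo "0 clamav: $(printf '%s\n' "$output" | head -n 1)" ;;
        *) echo "0 scanner error (exit $status), failing closed" ;;
    esac
}

# When invoked by ModSecurity, $1 is the uploaded file's temporary path.
if [ "$#" -gt 0 ]; then
    av_inspect "$1"
fi
```

Make the script executable and point the "@inspectFile" operator in the rule above at it. The scanner failing (exit code 2, or a missing binary) is treated as a rejection, so a stopped clamav-daemon blocks uploads instead of silently passing them; check the ModSecurity log message to tell the two cases apart. If clamav-daemon runs as a user that cannot read Apache's upload temporary directory, clamdscan's --fdpass option passes an open file descriptor to the daemon instead of a path.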

Thursday, January 23, 2014

Hiding Sensitive Data in Apache ModSecurity Log

We can hide sensitive data from the ModSecurity audit log by using the "sanitiseArg" action in a logging-phase (phase 5) rule.
Assuming you have an application that transmits the parameters password, oldPassword and newPassword, we can write the rule:

SecAction phase:5,nolog,pass,\
  sanitiseArg:password,\
  sanitiseArg:oldPassword,\
  sanitiseArg:newPassword

If you don't know the parameter names in advance, you can do something like this:

SecRule ARGS_NAMES password phase:5,nolog,pass,\
  sanitiseMatched

In the following example, we look for anything that resembles a credit card number and then sanitize it:

SecRule ARGS @verifyCC phase:5,nolog,pass,\
  sanitiseMatched

Here, "@verifyCC" is an operator provided by ModSecurity for detecting credit card number patterns.

Monday, January 6, 2014

Custom Redirection in Apache ModSecurity WAF

We can redirect the user to a specific page when a specific rule is triggered. We can achieve this either by directly modifying the original rule or by writing a custom rule that updates the actions of the existing rule. The better way is the custom rule, using the ModSecurity directive "SecRuleUpdateActionById".

Syntax: SecRuleUpdateActionById

Example below:


# nano custom_rule_AV_redirect.conf

SecRuleUpdateActionById 950115 "redirect:http://www.technology.com/"
Here, rule ID 950115 is the ID of the active rule in modsecurity_crs_46_av_scanning.conf.

We have to create a symlink to this custom rule in the activated_rules directory of /usr/share/modsecurity-crs/.

Redirecting all 403 status

If you want to set up a default redirection for all 403 responses generated by ModSecurity, you can simply use the "ErrorDocument" directive of Apache in the configuration file of your site in /etc/apache2/sites-enabled/.

Syntax: ErrorDocument

Example:

ErrorDocument 403 https://www.owasp.org