General Discussion / c-icap + clamAV scan storage array
« on: January 04, 2019, 04:22:18 pm »
Hello
I'm here for a particular purpose and I know OPNsense is not made for this particular project, but if someone has good knowledge on this subject or uses it for a similar project... So here is my problem: I need to use c-icap and clamAV for scanning files on an Isilon storage array.
So first I used this How-To http://roadzy.blogspot.com/2015/12/setting-up-c-icap-server-using-the-c.html on CentOS without good results... So in my research I saw that OPNsense integrates c-icap and clamAV plug-ins, and here I am! First of all, OPNsense is a discovery for me and it's really well done!
So I've installed the c-icap and clamAV plug-ins and they are working perfectly together. Some tests:
I downloaded an EICAR virus on the Isilon storage array, and with a c-icap command I get the result below, which found the EICAR virus EICAR-STANDARD-ANTIVIRUS-TEST:
```
root@OPNsense:/NFS # c-icap-client -f eicar_com.zip -i 192.168.222.153
ICAP server:192.168.222.153, ip:192.168.222.153, port:1344
PK
▒(<▒QhDD eicar.comX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK
```
And the access log file (/var/log/c-icap/access.log) shows this:
```
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 OPTIONS echo 200
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 RESPMOD echo 200
```
And if I run
```
c-icap-client -i 192.168.222.153
```
the OPNsense server returns this:
```
ICAP server:192.168.222.153, ip:192.168.222.153, port:1344
OPTIONS:
Allow 204: Yes
Preview: 1024
Keep alive: Yes
ICAP HEADERS:
ICAP/1.0 200 OK
Methods: RESPMOD, REQMOD
Service: C-ICAP/0.5.5 server - Echo demo service
ISTag: CI0001-XXXXXXXXX
Transfer-Preview: *
Options-TTL: 3600
Date: Fri, 04 Jan 2019 14:12:27 GMT
Preview: 1024
Allow: 204
X-Include: X-Authenticated-User, X-Authenticated-Groups
Encapsulated: null-body=0
```
I think it's pretty good.
So I configured my Isilon array to send ICAP requests to this address:
```
icap://OPNsense.demo.lan:1344/avscan
```
The Isilon cluster sends requests to OPNsense every minute; I can see it in the access.log:
(192.168.222.220 and 192.168.222.221 = Isilon array)
```
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
```
When I download an EICAR virus on the storage array, nothing happens in the log file or anywhere else... I don't know where to look from here, do you have some ideas?
Thanks a lot for reading this long post and for your help!
Sorry for my bad English, it's not my native language.
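A diagnostic worth running on a setup like the one above: the OPTIONS reply quoted in the post names the service as c-icap's "Echo demo service", and the access.log shows c-icap-client hitting the echo service (c-icap-client talks to echo unless a service is given with -s), whereas the Isilon URL points at /avscan. The probe below, added here and not part of the original post, sends an ICAP OPTIONS request to a named service and reports what that service says it is, so the avscan endpoint can be checked the same way; the host name OPNsense.demo.lan comes from the post, everything else is assumed.

```python
# Added example, not from the post: ICAP OPTIONS probe that reports which
# service a c-icap URL maps to. Host names are assumptions.
import socket

def build_options_request(host, service, port=1344):
    # RFC 3507 OPTIONS request for icap://host:port/service (no body)
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_icap_response(raw):
    # Status code plus a lower-cased header map from the ICAP reply head
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(status_line.split()[1]), "headers": headers}

def summarize(resp):
    # The fields that say what the service is and what it can do
    h = resp["headers"]
    service = h.get("service", "")
    return {
        "status": resp["status"],
        "service": service,
        "methods": [m.strip() for m in h.get("methods", "").split(",") if m.strip()],
        "allow_204": "204" in h.get("allow", ""),
        "preview": int(h["preview"]) if h.get("preview", "").isdigit() else None,
        # the echo demo service never scans anything; a real AV service
        # should not raise this flag
        "is_echo_demo": "echo" in service.lower(),
    }

def probe(host, service, port=1344, timeout=5.0):
    # Send OPTIONS to a live c-icap server and summarize its reply
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service, port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return summarize(parse_icap_response(buf))

# Constructed reply modelled on the OPTIONS output quoted in the post
SAMPLE_ECHO_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\n"
                     b"Service: C-ICAP/0.5.5 server - Echo demo service\r\n"
                     b"Preview: 1024\r\nAllow: 204\r\nEncapsulated: null-body=0\r\n\r\n")
```

Against a live server, `probe("OPNsense.demo.lan", "avscan")` shows whether /avscan answers as an antivirus service or as the echo demo; `summarize(parse_icap_response(SAMPLE_ECHO_REPLY))` reproduces the echo case offline.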