Hello :)
I'm here for a particular purpose and I know OPNsense is not made for this particular project, but if someone has good knowledge on this subject or uses it for a similar project... So here is my problem: I need to use c-icap and clamAV for scanning files on an Isilon storage array.
So first I used this How-To http://roadzy.blogspot.com/2015/12/setting-up-c-icap-server-using-the-c.html on CentOS without good results... So in my research I saw that OPNsense integrates c-icap and clamAV plug-ins, and here I am! First of all, OPNsense is a discovery for me and it's really well done!
So I've installed the c-icap and clamAV plug-ins and they are working perfectly together. Some tests:
I've downloaded an EICAR virus onto the Isilon storage array, and with a c-icap command I get the result below, which found the EICAR virus EICAR-STANDARD-ANTIVIRUS-TEST
root@OPNsense:/NFS # c-icap-client -f eicar_com.zip -i 192.168.222.153
ICAP server:192.168.222.153, ip:192.168.222.153, port:1344
PK
▒(<▒QhDD eicar.comX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK
And the access log file shows this (/var/log/c-icap/access.log)
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 OPTIONS echo 200
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 RESPMOD echo 200
and if I run
c-icap-client -i 192.168.222.153
the OPNsense server returns this
ICAP server:192.168.222.153, ip:192.168.222.153, port:1344
OPTIONS:
Allow 204: Yes
Preview: 1024
Keep alive: Yes
ICAP HEADERS:
ICAP/1.0 200 OK
Methods: RESPMOD, REQMOD
Service: C-ICAP/0.5.5 server - Echo demo service
ISTag: CI0001-XXXXXXXXX
Transfer-Preview: *
Options-TTL: 3600
Date: Fri, 04 Jan 2019 14:12:27 GMT
Preview: 1024
Allow: 204
X-Include: X-Authenticated-User, X-Authenticated-Groups
Encapsulated: null-body=0
I think it's pretty good.
So I configured my Isilon array like this to send ICAP requests, with this address:
icap://OPNsense.demo.lan:1344/avscan
(https://i.ibb.co/cJc8Pfb/screenshot-65.png) (https://ibb.co/p2vKgVW)
The Isilon cluster sends requests to OPNsense every minute; I can see it in the access.log:
(192.168.222.220 and 192.168.222.221 = Isilon array)
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
When I download an EICAR virus onto the storage array, nothing happens in the log file or anywhere else... I don't know where to look from here, do you have any ideas?
Thanks a lot for reading this long post and for your help! :)
Sorry for my bad English, it's not my native language :-\
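The post above shows two sides of the ICAP exchange: the OPTIONS answer the server gives and the scan request (RESPMOD) a file scanner such as the Isilon is expected to send. The following Python script is an added example, not code from OPNsense, c-icap or Isilon. It builds an RFC 3507 OPTIONS request, parses a response like the one quoted above (the sample bytes are re-assembled from the headers in the post), checks the features a file scanner relies on (RESPMOD support, Allow 204, an ISTag), and builds a RESPMOD request that wraps a file as an HTTP response with correct Encapsulated offsets. The `User-Agent` name `icap-probe` is made up; the host, IP and service name `avscan` come from the thread. Note that the Service header in the quoted response names the echo demo service, which only echoes content back, so the check flags that too.

```python
import socket
from typing import Dict, Tuple

ICAP_PORT = 1344  # default ICAP port (RFC 3507), the one used in the thread


def build_options_request(host: str, service: str) -> bytes:
    """OPTIONS request: ask a service which methods and features it supports."""
    return (
        f"OPTIONS icap://{host}:{ICAP_PORT}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\nUser-Agent: icap-probe/0.1\r\n"  # hypothetical agent name
        "Connection: close\r\nEncapsulated: null-body=0\r\n\r\n"
    ).encode("ascii")


def build_respmod_request(host: str, service: str, filename: str, body: bytes) -> bytes:
    """RESPMOD request wrapping a file as an HTTP response, the shape a file
    scanner uses so the AV service inspects the file as HTTP content. The
    Encapsulated offsets are byte positions measured from the end of the ICAP
    headers, and the body uses HTTP chunked encoding as RFC 3507 requires."""
    req_hdr = f"GET http://{host}/{filename} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")
    res_hdr = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n")
    chunked = f"{len(body):x}\r\n".encode("ascii") + body + b"\r\n0\r\n\r\n"
    icap_hdr = (
        f"RESPMOD icap://{host}:{ICAP_PORT}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\nAllow: 204\r\nConnection: close\r\n"
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n"
    ).encode("ascii")
    return icap_hdr + req_hdr + res_hdr + chunked


def parse_icap_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an ICAP request or response into (start line, headers, payload).
    Header names are lower-cased because ICAP header names are case-insensitive."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, payload


def split_encapsulated(raw: bytes) -> Dict[str, bytes]:
    """Cut the payload into the sections named by the Encapsulated header."""
    _, headers, payload = parse_icap_message(raw)
    enc = headers.get("encapsulated", "")
    if not enc:
        return {}
    entries = [(n.strip(), int(o)) for n, _, o in
               (item.partition("=") for item in enc.split(","))]
    sections: Dict[str, bytes] = {}
    for i, (name, start) in enumerate(entries):
        end = entries[i + 1][1] if i + 1 < len(entries) else len(payload)
        sections[name] = payload[start:end]
    return sections


def check_scan_service(raw_response: bytes) -> Dict[str, bool]:
    """Checks a file scanner needs to pass before it can rely on a service."""
    status, headers, _ = parse_icap_message(raw_response)
    methods = {m.strip().upper() for m in headers.get("methods", "").split(",")}
    return {
        "status_200": status.startswith("ICAP/1.0 200"),
        "respmod": "RESPMOD" in methods,
        "allow_204": "204" in headers.get("allow", ""),
        "has_istag": bool(headers.get("istag")),
        # The response in the post names the echo demo service, which only
        # echoes content back; a real scan must target the AV service instead.
        "is_echo_demo": "echo" in headers.get("service", "").lower(),
    }


def icap_exchange(ip: str, request: bytes, timeout: float = 5.0) -> bytes:
    """Send one ICAP request over TCP and return the raw reply."""
    chunks = []
    with socket.create_connection((ip, ICAP_PORT), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while data := sock.recv(4096):
                chunks.append(data)
        except socket.timeout:  # keep what arrived if the server holds the connection
            pass
    return b"".join(chunks)


# Constructed sample: the OPTIONS response headers shown in the post, re-assembled
# as the raw bytes the server would send.
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\n"
    b"Service: C-ICAP/0.5.5 server - Echo demo service\r\nISTag: CI0001-XXXXXXXXX\r\n"
    b"Transfer-Preview: *\r\nOptions-TTL: 3600\r\nDate: Fri, 04 Jan 2019 14:12:27 GMT\r\n"
    b"Preview: 1024\r\nAllow: 204\r\n"
    b"X-Include: X-Authenticated-User, X-Authenticated-Groups\r\n"
    b"Encapsulated: null-body=0\r\n\r\n"
)

if __name__ == "__main__":
    print(check_scan_service(SAMPLE_OPTIONS_RESPONSE))
    # Live probe of the avscan service on the OPNsense box from the thread:
    # print(check_scan_service(icap_exchange("192.168.222.153",
    #       build_options_request("OPNsense.demo.lan", "avscan"))))
```

Run stand-alone it evaluates the quoted OPTIONS response; uncommenting the last lines probes the real service by name instead of the default echo service, which is the difference between the two access.log entries (`echo` versus `avscan`) seen in the post.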
I would prefer to check what it is doing on an upload. Downloads are usually never checked because it is expected that people download a file more frequently than they upload it.
I would start with a tcpdump on port 1344 to see what's going on.
@mimugmail: maybe also a problem with http://c-icap.sourceforge.net/c-icap.conf-0.1.x.html#tag_client_access or icap_access. depending on what the server responds.
Hello :)
Thanks a lot @fabian and @mimugmail for your time and your answers!
I checked the file on upload and analyzed the network traffic with tcpdump, but nothing interesting.
After this I went back to my Isilon array to check the config, and the antivirus menu shows me that the link between my c-icap server and my Isilon is now inactive >:(
Some research showed me that c-icap + clamav is not supported by Isilon OneFS...
http://doc.isilon.com/onefs/7.0.0/help/en-us/GUID-5BED95C1-FFBA-425F-A6ED-4EE4B425B0CD.html
I think it was a bug when the menu showed me an active link.
BUT I won't give up now; in the server.log log file I see some ISTag problem:
Fri Feb 1 09:52:23 2019, 80937/3085000704, recomputing istag ...
I will look from this side; I will post here if I find something :)
Thanks again for your help! And if you have some idea about istag, I'll take it ;)
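The symptom in this thread is visible in the access.log excerpts of the first post: the two Isilon nodes send an OPTIONS request every minute but never a RESPMOD or REQMOD, so no content ever reaches the scanner. The script below is an added example (not part of the thread or of c-icap) that parses access.log lines in the format shown in the post (local time, server address, client address, ICAP method, ICAP URI, status), splits the URI into service and query parameters, and reports clients that only probe without ever submitting content, plus any non-2xx answers. The sample lines are constructed from the ones quoted in the thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qs

# Constructed sample, same layout as the /var/log/c-icap/access.log lines in the post.
SAMPLE_ACCESS_LOG = """\
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 OPTIONS echo 200
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 RESPMOD echo 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
"""

# Field order: local time with zone, ", ", server address, client address,
# ICAP method, ICAP URI (service plus optional query), ICAP status code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ [+-]\d{4}), (?P<server>\S+) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)


class Entry(NamedTuple):
    ts: str
    server: str
    client: str
    method: str
    service: str
    params: Dict[str, List[str]]
    status: int


def parse_access_log(text: str) -> List[Entry]:
    """Parse every line that matches the format; lines in another format are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        service, _, query = m["uri"].partition("?")
        entries.append(Entry(m["ts"], m["server"], m["client"], m["method"],
                             service, parse_qs(query), int(m["status"])))
    return entries


def methods_by_client(entries: List[Entry]) -> Dict[str, Dict[str, int]]:
    """Count ICAP methods per client address."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in entries:
        counts[e.client][e.method] += 1
    return {client: dict(methods) for client, methods in counts.items()}


def clients_only_probing(entries: List[Entry]) -> List[str]:
    """Clients that send OPTIONS but never RESPMOD/REQMOD: they keep checking
    the service yet never submit any content to scan."""
    seen = methods_by_client(entries)
    return sorted(client for client, methods in seen.items()
                  if "OPTIONS" in methods and not ({"RESPMOD", "REQMOD"} & set(methods)))


def service_errors(entries: List[Entry]) -> List[Entry]:
    """Non-2xx answers, e.g. a 404 when the service path in the client's
    icap:// URL does not exist on the server."""
    return [e for e in entries if not 200 <= e.status < 300]


if __name__ == "__main__":
    log = parse_access_log(SAMPLE_ACCESS_LOG)
    print("methods per client:", methods_by_client(log))
    print("clients that only probe:", clients_only_probing(log))
    print("errors:", service_errors(log))
```

Pointing `parse_access_log` at the real file (for example `open("/var/log/c-icap/access.log").read()`) gives a quick answer to "is the array ever sending content?", which is the question the tcpdump suggestion above also tries to answer from the wire side.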