Author Topic: c-icap + clamAV scan storage array  (Read 4428 times)

roya (Newbie)
c-icap + clamAV scan storage array
« on: January 04, 2019, 04:22:18 pm »
Hello  :)

I'm here for a particular purpose and I know OPNsense is not made for this particular project, but if someone has good knowledge on this subject or uses it for a similar project... So here is my problem: I need to use c-icap and clamAV for scanning files on an Isilon storage array.

So first I used this How-To http://roadzy.blogspot.com/2015/12/setting-up-c-icap-server-using-the-c.html on CentOS without good results... So in my research I saw that OPNsense integrates c-icap and clamAV plug-ins, and here I am! First of all, OPNsense is a discovery for me and it's really well done!

So I've installed the c-icap and clamAV plug-ins and they are working perfectly together. Some tests:

I downloaded an EICAR virus on the Isilon storage array and with a c-icap command I get the result below, which found the EICAR virus EICAR-STANDARD-ANTIVIRUS-TEST:

Code:
root@OPNsense:/NFS # c-icap-client -f eicar_com.zip -i 192.168.222.153
ICAP server:192.168.222.153, ip:192.168.222.153, port:1344

PK
▒(<▒QhDD        eicar.comX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK

And the access log file shows this (/var/log/c-icap/access.log):

Code:
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 OPTIONS echo 200
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 RESPMOD echo 200

and if I run
Code:
c-icap-client -i 192.168.222.153
the OPNsense server returns this:
Code:
ICAP server:192.168.222.153, ip:192.168.222.153, port:1344

OPTIONS:
        Allow 204: Yes
        Preview: 1024
        Keep alive: Yes

ICAP HEADERS:
        ICAP/1.0 200 OK
        Methods: RESPMOD, REQMOD
        Service: C-ICAP/0.5.5 server - Echo demo service
        ISTag: CI0001-XXXXXXXXX
        Transfer-Preview: *
        Options-TTL: 3600
        Date: Fri, 04 Jan 2019 14:12:27 GMT
        Preview: 1024
        Allow: 204
        X-Include: X-Authenticated-User, X-Authenticated-Groups
        Encapsulated: null-body=0

I think it's pretty good.

So I configured my Isilon array like this for sending ICAP requests, with this address:

Code:
icap://OPNsense.demo.lan:1344/avscan

The Isilon cluster sends requests to OPNsense every minute; I can see it in the access.log:
(192.168.222.220 and 192.168.222.221 = Isilon array)

Code:
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200

When I download an EICAR virus on the storage array, nothing happens in the log file or anywhere else... I don't know where to look from here, do you have any ideas?

Thanks a lot for reading this long post and for your help! :)

Sorry for my bad English, it's not my native language :-\
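One thing the access.log excerpts above already tell a reader: the local c-icap-client test produced an OPTIONS followed by a RESPMOD, whereas the two Isilon nodes only ever sent OPTIONS to the avscan service, so no file content was ever handed to the scanner. The following script is an added example (not from the thread, the OPNsense plugin or c-icap itself) that parses lines in c-icap's default access-log format (timestamp, server address, client address, ICAP method, service, status) and flags clients that only probe with OPTIONS and never submit a REQMOD/RESPMOD. The sample log embedded in it is constructed from the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the post above.
SAMPLE_ACCESS_LOG = """\
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 OPTIONS echo 200
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 RESPMOD echo 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
"""

# Default c-icap LogFormat: "<local time>, <server addr> <client addr> <method> <service> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ [+-]\d{4}), (?P<server>\S+) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<service>\S+) (?P<status>\d{3})$"
)

# Only these methods carry content that the scanner actually inspects.
SCAN_METHODS = ("RESPMOD", "REQMOD")


def parse_access_log(text):
    """Return one dict per well-formed line; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        # Strip the query string so "avscan?allow204=on&mode=simple" counts as "avscan".
        entry["service"] = entry["service"].split("?", 1)[0]
        entries.append(entry)
    return entries


def summarize_clients(entries):
    """Per client address: method counts, services touched and non-2xx responses."""
    def fresh():
        return {"OPTIONS": 0, "RESPMOD": 0, "REQMOD": 0, "other": 0,
                "services": set(), "non_2xx": 0}

    summary = defaultdict(fresh)
    for e in entries:
        s = summary[e["client"]]
        key = e["method"] if e["method"] in ("OPTIONS", "RESPMOD", "REQMOD") else "other"
        s[key] += 1
        s["services"].add(e["service"])
        if not 200 <= e["status"] < 300:
            s["non_2xx"] += 1
    return dict(summary)


def options_only_clients(summary):
    """Clients that capability-probe the server but never send a file to scan."""
    return sorted(
        client for client, s in summary.items()
        if s["OPTIONS"] > 0 and sum(s[m] for m in SCAN_METHODS) == 0
    )


if __name__ == "__main__":
    summary = summarize_clients(parse_access_log(SAMPLE_ACCESS_LOG))
    for client, s in sorted(summary.items()):
        print(f"{client}: OPTIONS={s['OPTIONS']} RESPMOD={s['RESPMOD']} "
              f"REQMOD={s['REQMOD']} non-2xx={s['non_2xx']} services={sorted(s['services'])}")
    for client in options_only_clients(summary):
        print(f"{client}: only OPTIONS seen, no content was submitted for scanning")
```

Run it against the real /var/log/c-icap/access.log instead of the embedded sample to check the same thing on a live box: if the storage side never appears with a RESPMOD or REQMOD, the missing detection is on the client's side of the ICAP exchange, not in the scanner.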

fabian (Hero Member, OPNsense Contributor: Language, VPN, Proxy, etc.)
Re: c-icap + clamAV scan storage array
« Reply #1 on: January 04, 2019, 04:35:41 pm »
I would prefer to check what it is doing on an upload. Downloads are usually never checked because it is expected that people download a file more frequently than they upload it.

mimugmail (Hero Member)
Re: c-icap + clamAV scan storage array
« Reply #2 on: January 04, 2019, 07:09:50 pm »
I would start with a tcpdump on port 1344 to see what's going on.

fabian (Hero Member, OPNsense Contributor: Language, VPN, Proxy, etc.)
Re: c-icap + clamAV scan storage array
« Reply #3 on: January 04, 2019, 09:23:25 pm »
@mimugmail: maybe also a problem with http://c-icap.sourceforge.net/c-icap.conf-0.1.x.html#tag_client_access or icap_access, depending on what the server responds.

roya (Newbie)
Re: c-icap + clamAV scan storage array
« Reply #4 on: February 01, 2019, 10:22:01 am »
Hello :)

Thanks a lot @fabian and @mimugmail for your time and your answers!

I checked the file on upload and analyzed the network traffic with tcpdump, but nothing interesting.

After this I went back to my Isilon array to check the config, and the antivirus menu showed me that the link between my c-icap server and my Isilon is now inactive  >:(

Some research showed me that c-icap + clamav is not supported by Isilon OneFS...
http://doc.isilon.com/onefs/7.0.0/help/en-us/GUID-5BED95C1-FFBA-425F-A6ED-4EE4B425B0CD.html

I think it was a bug when the menu showed me an active link.

BUT I don't give up now; in the server.log file I see some ISTag problems:
Code:
Fri Feb  1 09:52:23 2019, 80937/3085000704, recomputing istag ...
I will look from this side and I will post here if I find something :)

Thanks again for your help! And if you have any ideas about the ISTag, I'll take them ;)
