HTTP Anti-Virus Proxy http://havp.hege.li/forum/

Putting a "?" at end of URL to pass the scan. http://havp.hege.li/forum/viewtopic.php?f=3&t=395
Page 1 of 1

Author: renanas [ 04 Nov 2008 13:46 ]
Post subject: Putting a "?" at end of URL to pass the scan.
Hello, I noticed that the trick of putting a question mark "?" at the end of the URL works with HAVP. This is a regex trick to cheat some proxies. If you have a blocked file like "http://www.eicar.org/download/eicar_com.zip" and put the "?" at the end, "http://www.eicar.org/download/eicar_com.zip?", you are allowed to download the file. I'm running the latest version of HAVP with libclam support. I tried to put some regex code in the blacklist to block that trick, but it doesn't work. Does anyone know how to proceed? Renan.
Author: Severus [ 04 Nov 2008 15:10 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
Hi renanas, sorry, but I can't confirm this bug:

04/11/2008 13:03:53 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.com? 268+68 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test
04/11/2008 13:04:44 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.cab? 252+150 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test

regards Severus
Author: renanas [ 04 Nov 2008 16:12 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
Ok, this is my situation: users -> squid -> havp -> web

havp.config
Code:
USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS false
PORT 8081
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/br
ENABLECLAMLIB true

whitelist
Code:
# Whitelist clamav download
*sourceforge.net/*clamav-*
# Whitelist Windowsupdate, so RANGE is allowed too
*.microsoft.com/*
*.windowsupdate.com/*

blacklist is empty.

squid.conf (havp line only)
Code:
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default

Any idea?
Author: Severus [ 04 Nov 2008 21:19 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
Hi, what about your scanning limits in havp.conf and clamd.conf? Regards Severus
Author: fischerm [ 04 Nov 2008 21:40 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
Hi! Havp version? Clamav version? Scanning options? Regards Matthias Hm... only second place...
Author: renanas [ 04 Nov 2008 22:09 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
Quote: Havp version? Clamav version? Scanning options?
Havp 0.89, Clamav 0.92. Just using default libclamav with default settings.
Quote: what about your scanning limits in havp.conf and clamd.conf?
Default settings too. Here's my entire config:
Code:
USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 8
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS false
LOGLEVEL 0
SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
TEMPDIR /var/tmp
DBRELOAD 60
TRANSPARENT false
# Default: NONE
PARENTPROXY localhost
PARENTPORT 3128
FORWARDED_IP false
X_FORWARDED_FOR false
PORT 8081
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/br
WHITELISTFIRST true
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
FAILSCANERROR true
SCANNERTIMEOUT 10
RANGE false
SCANIMAGES true
MAXSCANSIZE 5000000
KEEPBACKBUFFER 200000
KEEPBACKTIME 5
# Default: TRICKLING 30
TRICKLINGBYTES 1
MAXDOWNLOADSIZE 0
STREAMSCANSIZE 20000
DISABLELOCKINGFOR ClamAV:BinHex ClamAV:PDF ClamAV:ZIP
ENABLECLAMLIB true
CLAMDBDIR /path/to/directory
CLAMBLOCKBROKEN false
CLAMBLOCKENCRYPTED false
CLAMBLOCKMAX false
CLAMMAXSCANSIZE 20
CLAMMAXFILES 50
CLAMMAXFILESIZE 100
CLAMMAXRECURSION 8
CLAMMAXRATIO 250
Author: renanas [ 04 Nov 2008 22:17 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
Severus wrote:
Hi renanas, sorry, but I can't confirm this bug:
04/11/2008 13:03:53 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.com? 268+68 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test
04/11/2008 13:04:44 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.cab? 252+150 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test
regards Severus

Could you send me your config file?
Author: hege [ 04 Nov 2008 22:30 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
There's absolutely nothing in HAVP or ClamAV that uses the filename or URL for any purpose. It's the incoming data that matters. Please show some HAVP logs to prove that both cases are even processed by HAVP! Most likely there's some caching or bad configuration in Squid that prevents the other request from even getting to HAVP.
Author: Severus [ 04 Nov 2008 22:37 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
Hi renanas,
renanas wrote: Clamav 0.92
Your clamav is pretty old. I remember there have been some issues with eicar in 0.92 and 0.93. You should first update to 0.94.1. Regards Severus
Author: renanas [ 04 Nov 2008 22:56 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
hege wrote: There's absolutely nothing in HAVP or ClamAV that uses the filename or URL for any purpose. It's the incoming data that matters. Please show some HAVP logs to prove that both cases are even processed by HAVP! Most likely there's some caching or bad configuration in Squid that prevents the other request from even getting to HAVP.

Just got it. That's something with the "USER -> SQUID -> HAVP -> WEB" environment. I tested the access only with HAVP (USER -> HAVP -> WEB) and the scan blocks even if I use "?" at the end of the URL. Now I have to find the Squid failure. Regards, Renan.
Author: renanas [ 07 Nov 2008 16:56 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
versions:
squid-2.6.STABLE6-5.el5_1.3
havp-0.89-2.itflex
clamav-0.94.1-1.el5.rf
clamav-devel-0.94.1-1.el5.rf
clamav-db-0.94.1-1.el5.rf

squid.conf
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default

USER -> HAVP
/var/log/havp/access.log
07/11/2008 11:29:01 10.0.2.10 GET 200 http://www.eicar.org/download/eicarcom2.zip 403+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK
07/11/2008 11:29:05 10.0.2.10 GET 200 http://www.eicar.org/download/eicarcom2.zip? 403+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK

USER -> SQUID -> HAVP
/var/log/squid/access.log
1226065469.573 1292 10.0.2.10 TCP_MISS/200 1022 GET http://www.eicar.org/download/eicarcom2.zip - DEFAULT_PARENT/localhost text/html
- PASSED TO HAVP...
/var/log/havp/access.log
07/11/2008 11:50:26 127.0.0.1 GET 200 http://www.eicar.org/download/eicarcom2.zip 365+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK

But, now with "?":
/var/log/squid/access.log
1226065489.665 1381 10.0.2.10 TCP_MISS/200 782 GET http://www.eicar.org/download/eicarcom2.zip? - DIRECT/88.198.38.136 application/zip
- NOT PASSED TO HAVP, and the virus download starts.

Looking at the access.log of squid: DIRECT/88.198.38.136
What do I need to configure on squid to pass URLs ending with "?" to the HAVP scan?
Author: OlivierW [ 29 Mar 2009 01:32 ]
Post subject: Re: Putting a "?" at end of URL to pass the scan.
Hello renanas,
My answer is certainly very late... anyway, it may help other persons.
In squid.conf, you have:
Code:
# TAG: hierarchy_stoplist
#	A list of words which, if found in a URL, cause the object to
#	be handled directly by this cache. In other words, use this
#	to not query neighbor caches for certain objects. You may
#	list this option multiple times.
#	Note: never_direct overrides this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

Remove the question mark to get:
Code:
hierarchy_stoplist cgi-bin

Problem solved
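The two posts above show the bypass in Squid's own log (a "?" URL logged as DIRECT/... instead of DEFAULT_PARENT/localhost) and the setting that causes it (hierarchy_stoplist cgi-bin ?). The script below is an added example written for this page; it is not code from HAVP, Squid or any poster. It parses Squid 2.x native access.log lines (the format renanas pasted), flags every fetch that went DIRECT around the scanning parent, and explains each one by checking which hierarchy_stoplist word occurs in the URL, modelling the stoplist as a plain substring match. The sample log is constructed: the first two lines are the ones from the thread, the other two are made up (hosts from the documentation ranges).

```python
"""Audit a Squid access.log for fetches that skipped the HAVP parent.

Added example for this thread, not code from HAVP, Squid or any poster.
Assumptions: Squid 2.x native log format, and hierarchy_stoplist applied
as a substring match of each listed word against the request URL.
"""
import re
from typing import Dict, List, Optional

# Squid native access.log fields:
#   time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
NATIVE_LOG_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hierarchy>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample log: lines 1-2 are the ones posted in the thread,
# lines 3-4 are invented for this example.
SAMPLE_LOG = """\
1226065469.573   1292 10.0.2.10 TCP_MISS/200 1022 GET http://www.eicar.org/download/eicarcom2.zip - DEFAULT_PARENT/localhost text/html
1226065489.665   1381 10.0.2.10 TCP_MISS/200 782 GET http://www.eicar.org/download/eicarcom2.zip? - DIRECT/88.198.38.136 application/zip
1226065501.001    210 10.0.2.11 TCP_MISS/200 5120 GET http://example.com/cgi-bin/report.pl - DIRECT/192.0.2.10 text/html
1226065520.300     90 10.0.2.12 TCP_HIT/200 2048 GET http://example.com/index.html - NONE/- text/html
"""

# The two squid.conf settings discussed in the thread.
STOPLIST_DEFAULT = ["cgi-bin", "?"]   # stock recommendation: "?" URLs go DIRECT
STOPLIST_FIXED = ["cgi-bin"]          # OlivierW's fix


def parse_native_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one native-format log line, or None if it does not parse."""
    m = NATIVE_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matching_stop_words(url: str, stoplist: List[str]) -> List[str]:
    """Stoplist words that occur anywhere in the URL (substring match)."""
    return [w for w in stoplist if w in url]


def would_go_direct(url: str, stoplist: List[str]) -> bool:
    """True when the stoplist makes Squid fetch the URL itself, skipping the parent."""
    return bool(matching_stop_words(url, stoplist))


def find_unscanned(log_text: str, parent_host: str = "localhost") -> List[Dict[str, str]]:
    """Log entries fetched DIRECT (or via some other parent), i.e. never offered
    to the scanning parent. Cache hits (hierarchy NONE) are not flagged: they
    were served from Squid's cache rather than fetched around the parent."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_native_line(line)
        if entry is None:
            continue
        if entry["hierarchy"] == "DIRECT":
            flagged.append(entry)
        elif entry["hierarchy"].endswith("PARENT") and entry["peer"] != parent_host:
            flagged.append(entry)  # went to a parent, but not the HAVP one
    return flagged


def audit(log_text: str, stoplist: List[str]) -> List[str]:
    """One report line per unscanned fetch, naming the stoplist word that explains it."""
    report = []
    for e in find_unscanned(log_text):
        words = matching_stop_words(e["url"], stoplist)
        why = (f"matched hierarchy_stoplist word(s) {words}" if words
               else "no stoplist match (check never_direct/cache_peer)")
        report.append(f"{e['client']} {e['method']} {e['url']} -> "
                      f"{e['hierarchy']}/{e['peer']}: {why}")
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_LOG, STOPLIST_DEFAULT):
        print(line)
    # After the fix, a trailing "?" no longer sends the request DIRECT.
    print(would_go_direct("http://www.eicar.org/download/eicarcom2.zip?", STOPLIST_FIXED))
```

Run it against a real /var/log/squid/access.log by passing the file contents to audit(); any DIRECT line on a proxy whose only job is to feed HAVP is a fetch the scanner never saw. Trimming the stoplist closes the "?" case only; the quoted squid.conf comment notes that never_direct overrides hierarchy_stoplist, so on a chain where nothing should go around the scanner, never_direct allow all is the setting that forces every request to the parent regardless of the URL.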
All times are UTC + 2 hours [ DST ]
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/