How to use Squid deny_info with ClamAV adapter?

Asked by John Bull

I recently implemented the eCAP library and the ClamAV adapter to block malicious content. I would now like to notify the user of why a particular site was blocked but my deny_info message is failing. My configuration is posted below.

I am using:
Squid 3.2.0.9
libecap-0.2.0
ecap_clamav_adapter-0.2.1

Log format:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %adapt::<last_h

Log Output when a virus is encountered:
192.168.0.119 TCP_MISS/403 4062 GET http://www.rexswain.com/eicar.zip - HIER_DIRECT/69.36.190.48 text/html X-Virus-ID:%20Eicar-Test-Signature%0D%0A

### eCAP / Virus Detection

ecap_enable on

acl multimedia rep_mime_type -i ^image/
acl multimedia rep_mime_type -i video
acl multimedia rep_mime_type -i audio

loadable_modules /usr/lib/ecap_clamav_adapter.so

ecap_service eReqmod reqmod_precache bypass=1 uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD staging_dir=/var/spool/virus_scan/XXXXXX on_error=allow
ecap_service eRespmod respmod_precache bypass=1 uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD staging_dir=/var/spool/virus_scan/XXXXXX on_error=allow

adaptation_service_set reqFilter eReqmod
adaptation_service_set respFilter eRespmod

adaptation_access reqfilter deny multimedia
adaptation_access reqFilter allow all

adaptation_access respFilter deny multimedia
adaptation_access respFilter allow all

### Banned Malicious Content ACL

acl malicious_content rep_header -i ^X-Virus-ID
http_access deny malicious_content
#http_reply_access deny malicious_content
deny_info http://192.168.0.40/notices/malicious_content.html acl malicious_content rep_header -i ^X-Virus-ID

Cache log error message:
ACL::checklistMatches WARNING: 'malicious_content' ACL is used but there is no HTTP reply -- not matching.

Thank you,
John

Question information

Language: English
Status: Solved
For: eCAP
Solved by: John Bull
#1 Alex Rousskov (rousskov) said:

There are several problems with your squid.conf, including:

1) http_access is checked when Squid receives the request from the client. There is no HTTP response at that time. This is why you get an "ACL is used but there is no HTTP reply" warning.

2) http_access is checked before eCAP adaptations take place. So even if the adapter adds an X-Virus-ID header, it would be too late to check for that using http_access. You could use adapted_http_access, but you would still have problem #1 mentioned above.

3) X-Virus-ID is meta information, not an HTTP header. It is not a part of the adapted HTTP request or response. It is a result of the eCAP transaction, stored separately from the HTTP headers involved in the transaction. You can log X-Virus-ID using %adapt::<last_h, but the rep_header ACL does not look at that meta information.

4) Your deny_info line is malformed. When you specify the ACL with deny_info, specify just the name of that ACL (e.g., malicious_content). Do not provide the definition of that ACL as well. That ACL must be defined earlier and used in http_access or similar. Search for a deny_info example in squid.conf.documented.

Try removing the malicious_content ACL completely. The ClamAV adapter should automagically tell Squid to block messages with viruses (using eCAP API), and Squid should use deny_info for blocking.

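Added example (not part of the question or the answer): because X-Virus-ID is adapter meta information that only reaches the access log through %adapt::<last_h, this Python script parses lines written with the logformat shown in the question, decodes the %-escaped meta header, and pulls out the transactions the ClamAV adapter flagged so they can be alerted on. The log lines, timestamps and durations are constructed samples; the 403 line reuses the request from the question.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Constructed sample access.log lines in the question's logformat:
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %adapt::<last_h
# The trailing %adapt::<last_h field is "-" when the adapter set no meta header.
SAMPLE_LOG = """\
1311105600.123    412 192.168.0.119 TCP_MISS/403 4062 GET http://www.rexswain.com/eicar.zip - HIER_DIRECT/69.36.190.48 text/html X-Virus-ID:%20Eicar-Test-Signature%0D%0A
1311105601.456     88 192.168.0.119 TCP_MISS/200 1524 GET http://example.test/index.html - HIER_DIRECT/192.0.2.10 text/html -
1311105602.789     12 192.168.0.120 TCP_HIT/200 980 GET http://example.test/logo.png - HIER_NONE/- image/png -
"""


@dataclass
class LogEntry:
    timestamp: float
    client: str
    status: int
    method: str
    url: str
    virus_id: Optional[str]  # value of X-Virus-ID, or None if the adapter set none


def decode_adapt_header(field: str) -> dict:
    """Decode the %-escaped %adapt::<last_h field into {header-name: value}."""
    headers = {}
    if field == "-":
        return headers
    # Squid %-encodes the whole header block; headers are CRLF separated.
    for raw in unquote(field).split("\r\n"):
        name, sep, value = raw.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_line(line: str) -> LogEntry:
    """Split one log line into its 11 logformat fields; the meta header is last."""
    fields = line.split(None, 10)
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    ts, _tr, client, status, _size, method, url, _user, _hier, _mime, adapt = fields
    code = int(status.split("/")[1])  # %Ss/%03>Hs -> HTTP status
    return LogEntry(float(ts), client, code, method, url,
                    decode_adapt_header(adapt).get("x-virus-id"))


def find_blocked(log_text: str) -> list:
    """Return the entries where the ClamAV adapter reported a virus."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e.virus_id]
```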
#2 John Bull (jbull) said:

Thank you, this information has been very helpful. I now have a nice custom information page.

John