an open source, cross-platform web application firewall (WAF) module developed by Trustwave\u2019s SpiderLabs. Known as the \u201cSwiss Army Knife\u201d of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections.<\/em><\/p>\n\n\n\n It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.<\/p>\n<\/blockquote>\n\n\n\n What Can ModSecurity Do?<\/p>\n\n\n\n ClamAV<\/a> on the other hand is<\/em> an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats<\/em>.<\/p>\n\n\n\n ModSecurity has the ability to understand the Apart from the ability to extract uploaded files, ModSecurity can as well, with integration with other tools such ClamAV, validate the uploaded files.<\/p>\n\n\n\n ClamAV provides scripts that can be used to scan the file to detect trojans, viruses, malware & other malicious threats<\/em>.<\/p>\n\n\n\n Follow the links below to install ModSecurity and ClamAV;<\/p>\n\n\n\n Install and Configure ModSecurity with Apache on Ubuntu<\/a><\/p>\n\n\n\n Configure LibModsecurity with Apache on CentOS<\/a><\/p>\n\n\n\n Install and use ClamAV on Ubuntu<\/a><\/p>\n\n\n\n You can find how to install and setup ClamAV on other Linux distros.<\/p>\n\n\n\n Note<\/strong>: We run our tests on an Ubuntu 20.04 system.<\/em><\/p>\n\n\n\n To enable file upload validation using ModSecurity, you need to create a perl script that uses ClamAV command line anti-virus scanner, In this tutorial, we will place our scanner script on the Paste the content below to create a ClamAV scanner script, Make the script executable;<\/p>\n\n\n\n Next, you need to create a custom ModSecurity rule to intercept file upload.<\/p>\n\n\n\n In our setup, we have specified the location of ModSecurity rules file in our Apache site configuration file as, See below;<\/p>\n\n\n\n Below are the contents of the ModSecurity rules file;<\/p>\n\n\n\n Therefore, create a custom file scannner\/validation rule for ModSecurity. ModSecurity rules are defined using the The syntax of a rule is;<\/p>\n\n\n\n In this setup, we name our custom rules file as Below is the rule configuration;<\/p>\n\n\n\n Next, include the rule in the rules file.<\/p>\n\n\n\n Your rules file now looks like;<\/p>\n\n\n\n Check Apache configuration syntax;<\/p>\n\n\n\n If you get If you have test environment, you can download test malicious files from Eicar<\/a> and try to upload to your site.<\/p>\n\n\n\n While you upload, be sure to tail both Apache error log and ModSecurity audit log files.<\/p>\n\n\n\n For example, in the screenshot below, I tried to upload the eicar_com.zip<\/a> on my WordPress and this is the result;<\/p>\n\n\n\n And the ModSecurity audit logs;<\/p>\n\n\n\n And that is it!<\/p>\n\n\n\n ModSecurity v2 Reference Manual<\/a><\/p>\n\n\n\n Restrict Access to WordPress Login Page to Specific IPs with libModSecurity<\/a><\/p>\n\n\n\n Create Kibana Visualization Dashboards for ModSecurity Logs<\/a><\/p>\n\n\n\n Process and Visualize ModSecurity Logs on ELK Stack<\/a><\/p>\n\n\n\n\n
Using ModSecurity and ClamAV to Intercep Malicious File Upload<\/h2>\n\n\n\n
multipart\/form-data<\/strong><\/code> encoding which is used for file uploads. This enables ModSecurity to extract the uploaded files from the request and store on a specified file system location.<\/p>\n\n\n\nInstall and Configure ModSecurity<\/h3>\n\n\n\n
Install and Configure ClamAV<\/h3>\n\n\n\n
Create ModSecurity-ClamAV File Validation Script<\/h3>\n\n\n\n
clamscan<\/strong><\/code>, to extract the full path of the file being uploaded and scan for any malicious threat.<\/p>\n\n\n\n\/etc\/apache2\/modsecurity.d\/<\/strong><\/code> directory. This is however, not a standard location and you can place it anywhere on your system.<\/p>\n\n\n\n\/etc\/apache2\/modsecurity.d\/modsec_clamav.pl<\/code><\/strong>. You can as well choose any name for your script.<\/p>\n\n\n\ncat > \/etc\/apache2\/modsecurity.d\/modsec_clamav.pl << 'EOL'\n#!\/usr\/bin\/perl\n \n$CLAMSCAN = \"\/usr\/bin\/clamscan\";\n \nif (@ARGV != 1) {\n print \"Usage: modsec_clamav.pl <filename>\\n\";\n exit;\n}\n \nmy ($FILE) = @ARGV;\n \n$cmd = \"$CLAMSCAN --stdout --disable-summary $FILE\";\n$input = `$cmd`;\n$input =~ m\/^(.+)\/;\n$error_message = $1;\n \n$output = \"0 Unable to parse clamscan output\";\n \nif ($error_message =~ m\/: Empty file\\.$\/) {\n $output = \"1 empty file\";\n}\nelsif ($error_message =~ m\/: (.+) ERROR$\/) {\n $output = \"0 clamscan: $1\";\n}\nelsif ($error_message =~ m\/: (.+) FOUND$\/) {\n $output = \"0 clamscan: $1\";\n}\nelsif ($error_message =~ m\/: OK$\/) {\n $output = \"1 clamscan: OK\";\n}\n \nprint \"$output\\n\";\nEOL<\/code><\/pre>\n\n\n\nchmod +x \/etc\/apache2\/modsecurity.d\/modsec_clamav.pl<\/code><\/pre>\n\n\n\nCreate ModSecurity Rule to Intercept File Upload<\/h3>\n\n\n\n
\/etc\/apache2\/modsecurity.d\/modsec_rules.conf<\/strong><\/code>.<\/p>\n\n\n\nless \/etc\/apache2\/sites-available\/wordpress.conf<\/code><\/pre>\n\n\n\n<VirtualHost *:80>\n ServerAdmin webmaster@kifarunix-demo.com\n ServerName wp.kifarunix-demo.com\n DocumentRoot \/var\/www\/html\/wp.kifarunix-demo.com\n modsecurity on\n modsecurity_rules_file \/etc\/apache2\/modsecurity.d\/modsec_rules.conf \n <Directory \/var\/www\/html\/wp.kifarunix-demo.com>\n AllowOverride All\n <\/Directory>\n\n ErrorLog \/var\/log\/apache2\/wp.error.log\n CustomLog \/var\/log\/apache2\/wp.access.log combined\n<\/VirtualHost><\/code><\/pre>\n\n\n\nless \/etc\/apache2\/modsecurity.d\/modsec_rules.conf<\/code><\/pre>\n\n\n\nInclude \"\/etc\/apache2\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/*.conf\"<\/code><\/pre>\n\n\n\nSecRule<\/code><\/strong> directive.<\/p>\n\n\n\nSecRule VARIABLES \"OPERATOR\" \"TRANSFORMATIONS,ACTIONS\"<\/code><\/pre>\n\n\n\n\/etc\/apache2\/modsecurity.d\/modsec_clamav.conf<\/strong><\/code>.<\/p>\n\n\n\ncat \/etc\/apache2\/modsecurity.d\/modsec_clamav.conf<\/code><\/pre>\n\n\n\nSecRule FILES_TMPNAMES \"@inspectFile \/etc\/apache2\/modsecurity.d\/modsec_clamav.pl\" \\\n \"id:'400001', \\\n phase:2, \\\n t:none, \\\n deny, \\\n log, \\\n msg:'Infected File upload detected', \\\n tag:'MALICIOUS_SOFTWARE\/VIRUS'\"<\/code><\/pre>\n\n\n\necho 'Include \"\/etc\/apache2\/modsecurity.d\/modsec_clamav.conf\"' >> \/etc\/apache2\/modsecurity.d\/modsec_rules.conf<\/code><\/pre>\n\n\n\nless \/etc\/apache2\/modsecurity.d\/modsec_rules.conf<\/code><\/pre>\n\n\n\nInclude \"\/etc\/apache2\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/*.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/modsec_clamav.conf\"<\/code><\/pre>\n\n\n\napachectl configtest<\/code><\/pre>\n\n\n\nSyntax OK<\/code><\/strong>, then proceed to restart\/reload Apache;<\/p>\n\n\n\nsystemctl restart apache2<\/code><\/pre>\n\n\n\nTesting the Interception of Malicious File Upload with ModSecurity and ClamAV<\/h4>\n\n\n\n
![\"Intercept](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/03\/intercept-file-uploads-modsec.png\" "\\"\\"")
<\/figure><\/a><\/div>\n\n\n\ntail -f \/var\/log\/modsec_audit.log<\/code><\/pre>\n\n\n\n---i6mkrLhp---H--\nModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `InspectFile' with parameter `\/etc\/apache2\/modsecurity.d\/modsec_clamav.pl' against variable `FILES_TMPNAMES:' (Value: `' ) [file \"\/etc\/apache2\/modsecurity.d\/modsec_clamav.conf\"] [line \"1\"] [id \"400001\"] [rev \"\"] [msg \"Infected File upload detected\"] [data \"\"] [severity \"0\"] [ver \"\"] [maturity \"0\"] [accuracy \"0\"] [tag \"MALICIOUS_SOFTWARE\/VIRUS\"] [hostname \"wp.kifarunix-demo.com\"] [uri \"\/wp-admin\/update.php\"] [unique_id \"161558337389.815242\"] [ref \"v1369,0\"]<\/strong>\n\n---i6mkrLhp---I--\n\n---i6mkrLhp---J--\n\n---i6mkrLhp---Z--<\/code><\/pre>\n\n\n\nUseful Links<\/h3>\n\n\n\n
Other Related Tutorials<\/h3>\n\n\n\n