Dear all,

While I was looking on the net, I found *mod_clamav*. It said that it will protect the HTTP traffic. Here is what I did to install it. PS: my server has cPanel.

My Apache is:

r...@server [~]# httpd -v
Server version: Apache/2.2.14 (Unix)
Server built: Feb 21 2010 20:50:26
Cpanel::Easy::Apache v3.2.0 rev5009
r...@server [~]#

and my box is:

Linux 2.6.18-164.11.1.el5.centos.plus #1 SMP Wed Jan 20 18:49:35 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

mod_proxy is installed as well.

# Steps that I did #

1- Download the latest version from http://software.othello.ch/mod_clamav/ and extract it :)
2- ./configure --with-apxs=/usr/bin/apxs --with-apache=/usr/local/apache
3- make
4- make install

************************************************************************
make[1]: Entering directory `/root/download/mod_clamav-0.23'
make all-am
make[2]: Entering directory `/root/download/mod_clamav-0.23'
make[2]: Leaving directory `/root/download/mod_clamav-0.23'
/usr/bin/apxs -i -a -n 'clamav' .libs/mod_clamav.so
/usr/local/apache/build/instdso.sh SH_LIBTOOL='/usr/local/apache/build/libtool' .libs/mod_clamav.so /usr/local/apache/modules
/usr/local/apache/build/libtool --mode=install cp .libs/mod_clamav.so /usr/local/apache/modules/
cp .libs/mod_clamav.so /usr/local/apache/modules/mod_clamav.so
Warning! dlname not found in /usr/local/apache/modules/mod_clamav.so.
Assuming installing a .so rather than a libtool archive.
chmod 755 /usr/local/apache/modules/mod_clamav.so
[activating module `clamav' in /usr/local/apache/conf/httpd.conf]
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/download/mod_clamav-0.23'
************************************************************************

5- Now here I did not understand how I can make it work to scan the HTTP. I did read the docs, which said something about:

_____________________
http://software.othello.ch/mod_clamav/

Configuration

The distribution includes a sample configuration file *sample.conf*, which should get you started.
________________________

What I understand from the doc is to configure the vars, but where I have to put these vars they did not say anything, so I think they may want me to put the conf inside httpd.conf, and that is what I did. I put the following conf in my httpd.conf, which is located at /usr/local/apache/conf/httpd.conf:

------------------------------------------------
ClamavTmpdir /var/tmp/
ClamavDbdir /usr/share/clamav
ClamavSafetypes image/jpg
ClamavMode daemon
ClamavSocket /var/clamd
ClamavTrickleInterval 10
ClamavTrickleSize 1024
ClamavSizelimit 1000000
ClamavShm /var/log/clam/clamav.shm
ClamavMutex /var/log/clam/clamav.lock
ClamavAcceptDaemonproblem on
ClamavExtendedLogging on

LogFormat "%t %!304{clamav:status}n %{clamav:details}n %{clamav:virusname}n request=\"%r\", status=%>s, sent=%!304b, delay=%!304D" clamav_stats
CustomLog logs/scan_log clamav_stats

# make sure proxy data is filtered
<Proxy *>
SetOutputFilter CLAMAV
</Proxy>

# define the location for status information
<Location /clamav>
SetHandler clamav
allow from all
</Location>

ClamavMessage "\
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\">\
<html>\
<head>\
<title>%i found virus</title>\
</head>\
<body text=\"#000000\" bgcolor=\"#ffffff\">\
<basefont size=\"4\">\
<h1><center>%i found virus</center></h1>\
<p>The virus <b>%v</b> was found while downloading <i>%u</i>.\
The transfer has been aborted.</p>\
</basefont>\
</body>\
</html>\
"

But after all of that, I can send a POST with a phpshell virus. What are the wrong steps that I did? Please correct me :)

Thank you for your patience :)

On Sun, Feb 21, 2010 at 7:44 PM, G.W. Haywood <g...@jubileegroup.co.uk> wrote:

> Hi there,
>
> On Sun, 21 Feb 2010 beshoo wrote:
>
> > Well i am using Apache 2 :)
>
> :)
>
> > BTW ModSecurity scan post data "I am not talking about file uploading",
>
> We heard you the first time. :) It doesn't matter whether you are
> uploading files or not. All you have to do is send the stream of
> bytes to clamd.
> The daemon doesn't care what the stream of bytes
> represents, neither does it care what you intend to do with the bytes
> after it has scanned them. It just swallows the bytes, scans them,
> throws them all away, and tells you if it finds something unpalatable.
> It's up to you to decide what to do then.
>
> > but how can i tell ModSecurity to scan the post with clam AV !
>
> I have no idea, I've never used ModSecurity. My suggestion was that
> you could probably achieve what you want to achieve with a few lines
> in a CGI script. If you want to use an Apache module, why not ask on
> an Apache list?
>
> --
>
> 73,
> Ged.
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
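
The approach suggested in the quoted reply (hand the POST bytes to clamd and act on its verdict), sketched as an added example that is not code from this thread or from mod_clamav: a Python CGI script speaking clamd's INSTREAM command over its Unix socket. The socket path is copied from the ClamavSocket line in the post and is an assumption about where clamd listens; the function names are illustrative.

```python
import os
import socket
import struct
import sys

CLAMD_SOCKET = "/var/clamd"  # assumption: the ClamavSocket path from the post

def instream_frames(data, chunk=8192):
    """Yield the wire frames of one clamd INSTREAM session for data."""
    yield b"zINSTREAM\0"                           # null-terminated command
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack("!I", len(part)) + part  # 4-byte big-endian length
    yield struct.pack("!I", 0)                     # zero-length chunk ends it

def parse_reply(raw):
    """Map a clamd reply to (verdict, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    body = text.split(": ", 1)[-1]                 # drop the "stream: " prefix
    if body == "OK":
        return ("clean", None)
    if body.endswith(" FOUND"):
        return ("infected", body[:-len(" FOUND")])
    return ("error", body)                         # also an empty or cut-off reply

def scan_on(conn, data):
    """Run one INSTREAM exchange on an already connected socket."""
    for frame in instream_frames(data):
        conn.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):
        part = conn.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(reply)

def scan_bytes(data, path=CLAMD_SOCKET):
    """Connect to clamd's Unix socket and scan data."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.settimeout(30)
        conn.connect(path)
        return scan_on(conn, data)

if __name__ == "__main__":                         # run as a CGI script
    body = sys.stdin.buffer.read(int(os.environ.get("CONTENT_LENGTH") or 0))
    verdict, detail = scan_bytes(body)
    status = "200 OK" if verdict == "clean" else "403 Forbidden"  # fail closed
    print("Status: %s\nContent-Type: text/plain\n\n%s" % (status, verdict))
```

The script treats an "error" verdict the same as "infected", so a stopped or overloaded daemon causes the request to be rejected rather than passed unscanned.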