


  1. #1

    Squid+Squidclamav+Clamav

    Folks, this combination is apparently working. Apparently, because in the squidclamav logs, when I download a file with one of the extensions listed in regexi, for example:

    regexi ^.*\.exe$

    the following error is reported:

    regex matched: http://www.trellian.com/bin/mwolf105pt.exe
    Thu Jul 19 12:26:20 2007 [2063] DEBUG Getting header for url http://www.trellian.com/bin/mwolf105pt.exe
    Thu Jul 19 12:26:20 2007 [2063] DEBUG File size is 1655051.00
    Thu Jul 19 12:26:20 2007 [2063] DEBUG Sending STREAM to clamd.
    Thu Jul 19 12:26:20 2007 [2063] DEBUG Received port 2036 from clamd.
    Thu Jul 19 12:26:20 2007 [2063] DEBUG Trying to connect to clamd [port: 2036].
    Thu Jul 19 12:27:10 2007 [2049] ERROR fail downloading url http://www3.trellian.com/bin/mwolf105pt.exe
    Thu Jul 19 12:27:10 2007 [2049] ERROR CURLOPT_ERRORBUFFER: Operation timed out with 0 out of -1 bytes received
    Thu Jul 19 12:27:10 2007 [2049] DEBUG Connection to clamd on port: 1396 closed.

  2. #2

    Hey folks... any help is welcome (lol)

    Best regards to all!

    mtec

  3. #3

    Folks, I still have the problem...

    Here again are logs from new tests:

    File size is 121.00
    Fri Jul 20 08:30:08 2007 [10705] DEBUG Sending STREAM to clamd.
    Fri Jul 20 08:30:08 2007 [10705] DEBUG Received port 1393 from clamd.
    Fri Jul 20 08:30:08 2007 [10705] DEBUG Trying to connect to clamd [port: 1393].
    Fri Jul 20 08:30:08 2007 [10705] ERROR fail downloading url http://download.softpedia.com/dl/cdb..._1_2_setup.exe
    Fri Jul 20 08:30:08 2007 [10705] ERROR CURLOPT_ERRORBUFFER: couldn't connect to host
    Fri Jul 20 08:30:08 2007 [10705] DEBUG Connection to clamd on port: 1393 closed.

    Has anyone had a similar experience??

    Regards,

    mtec

  4. #4
    chapahall
    Guest

    re:

    Your firewall has a restrictive policy; change the policy to ACCEPT and run a test. It looks to me like squidclamav is not managing to connect to clamav.

    I have a similar problem. I have already got it working via the socket file, with an ACCEPT policy, and I also got it working via lo on port 3310, but again with an ACCEPT firewall policy.

    squidclamav uses an arbitrary port to establish the connection with clamd, and then when I set a DROP policy it stops.

    Fri Jul 6 21:48:59 2007 [5601] DEBUG regex matched: http://www.mcmilk.de/projects/squidw.../eicarcom2.zip
    Fri Jul 6 21:48:59 2007 [5601] DEBUG Getting header for url http://www.mcmilk.de/projects/squidw.../eicarcom2.zip
    Fri Jul 6 21:48:59 2007 [5601] DEBUG File size is 308.00
    Fri Jul 6 21:48:59 2007 [5601] DEBUG Sending STREAM to clamd.
    Fri Jul 6 21:48:59 2007 [5601] DEBUG Received port 1523 from clamd.
    Fri Jul 6 21:48:59 2007 [5601] DEBUG Trying to connect to clamd [port: 1523].
    Fri Jul 6 21:52:08 2007 [5601] ERROR Can't connect to clamd [port: 1523].
    Fri Jul 6 21:54:43 2007 [5601] DEBUG Request:http://www.mcmilk.de/projects/squidw.../eicarcom2.zip 192.168.2.7/- - GET


    Here are the settings for

    squidclamav.conf

    proxy http://127.0.0.1:3128
    logfile /var/log/squidclamav.log
    redirect http://127.0.0.1/cgi-bin/clwarn.cgi
    # squidguard /usr/local/squidGuard/bin/squidGuard
    debug 1
    force 1
    stat 1
    #clamd_local /var/run/clamav/clamd.ctl
    # I am now using IP and port; if you prefer, comment these out and uncomment clamd_local
    clamd_ip 127.0.0.1
    clamd_port 3310
    timeout 60

    regexi ^.*\.exe$
    regexi ^.*\.com$
    regexi ^.*\.zip$
    regexi ^.*\.bz2$

    abort ^.*\/cgi-bin\/.*$
    abort ^.*\.gz$
    abort ^.*\.pdf$
    abort ^.*\.html$
    abort ^.*\.htm$
    abort ^.*\.css$
    abort ^.*\.xml$
    abort ^.*\.xsl$
    abort ^.*\.js$
    abort ^.*\.ico$
    aborti ^.*\.gif$
    aborti ^.*\.png$
    aborti ^.*\.jpg$
    aborti ^.*\.tif$
    aborti ^.*\.swf$

    in clamd.conf

    #LocalSocket /var/run/clamav/clamd.ctl
    # must use the same settings as in squidclamav.conf
    TCPSocket 3310
    TCPAddr 127.0.0.1
    FixStaleSocket true
    User clamav

    Here is the log of it working:


    Fri Jul 6 21:54:43 2007 [5601] DEBUG regex matched: http://www.mcmilk.de/projects/squidw.../eicarcom2.zip
    Fri Jul 6 21:54:43 2007 [5601] DEBUG Getting header for url http://www.mcmilk.de/projects/squidw.../eicarcom2.zip
    Fri Jul 6 21:54:43 2007 [5601] DEBUG File size is 308.00
    Fri Jul 6 21:54:43 2007 [5601] DEBUG Sending STREAM to clamd.
    Fri Jul 6 21:54:43 2007 [5601] DEBUG Received port 1936 from clamd.
    Fri Jul 6 21:54:43 2007 [5601] DEBUG Trying to connect to clamd [port: 1936].
    Fri Jul 6 21:54:49 2007 [5601] DEBUG Scanning data received against clamd stream
    Fri Jul 6 21:54:49 2007 [5601] DEBUG Sending data to clamd
    Fri Jul 6 21:54:49 2007 [5601] DEBUG Write 308 bytes on 308 to socket
    Fri Jul 6 21:54:49 2007 [5601] DEBUG Connection to clamd on port: 1936 closed.
    Fri Jul 6 21:54:49 2007 [5601] DEBUG Reading clamd scan result.
    Fri Jul 6 21:54:49 2007 [5601] DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
    Fri Jul 6 21:54:49 2007 [5601] LOG Redirecting URL to: http://127.0.0.1/cgi-bin/clwarn.cgi?...&virus=stream: Eicar-Test-Signature FOUND

    Fri Jul 6 21:54:49 2007 [5601] DEBUG End reading clamd scan result.
    Fri Jul 6 21:54:49 2007 [5601] STAT Virus Scanning process time 1183769689.277 second(s)
    Fri Jul 6 21:54:49 2007 [5601] DEBUG Virus found send redirection to Squid.
    Fri Jul 6 21:54:49 2007 [5601] STAT Total process time 1183769689.277 second(s)


    I hope this helped.

    Regards,
    Marcelo B. De zan
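
The failure pattern in the logs quoted in this thread (clamd answers STREAM with a data port, then the connection to that port fails or never completes) can be picked out of squidclamav.log automatically. This is an added example, not part of the original posts; the sample lines are constructed in the log format shown above, and the function names `triage` and `without_verdict` are hypothetical.

```python
import re

# Line layout taken from the squidclamav debug logs quoted in the thread:
#   <weekday> <month> <day> <time> <year> [<pid>] <LEVEL> <message>
LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} \[(\d+)\] (\w+) (.*)$")
PORT = re.compile(r"Received port (\d+) from clamd")

# Constructed sample lines (not copied from a real system).
SAMPLE = """\
Mon Jan  1 10:00:00 2024 [4100] DEBUG Sending STREAM to clamd.
Mon Jan  1 10:00:00 2024 [4100] DEBUG Received port 1523 from clamd.
Mon Jan  1 10:00:00 2024 [4100] DEBUG Trying to connect to clamd [port: 1523].
Mon Jan  1 10:03:09 2024 [4100] ERROR Can't connect to clamd [port: 1523].
Mon Jan  1 10:05:00 2024 [4100] DEBUG Sending STREAM to clamd.
Mon Jan  1 10:05:00 2024 [4100] DEBUG Received port 1936 from clamd.
Mon Jan  1 10:05:06 2024 [4100] DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
Mon Jan  1 10:06:00 2024 [4200] DEBUG Received port 2036 from clamd.
"""

def triage(lines):
    """Group log lines into scan sessions, one per STREAM data port handed out."""
    sessions, current = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # untimestamped or foreign lines are ignored
        pid, level, msg = m.groups()
        port = PORT.search(msg)
        if port:
            # A new data port for this worker PID starts a new session.
            s = {"pid": int(pid), "port": int(port.group(1)),
                 "outcome": "incomplete", "detail": None}
            sessions.append(s)
            current[pid] = s
            continue
        s = current.get(pid)
        if s is None or s["outcome"] != "incomplete":
            continue
        if level == "ERROR":
            s["outcome"], s["detail"] = "failed", msg
        elif msg.startswith("received from Clamd:"):
            s["outcome"], s["detail"] = "scanned", msg.split(":", 1)[1].strip()
    return sessions

def without_verdict(sessions):
    """Sessions where no clamd verdict was logged: (pid, data port, outcome)."""
    return [(s["pid"], s["port"], s["outcome"])
            for s in sessions if s["outcome"] != "scanned"]

if __name__ == "__main__":
    print(without_verdict(triage(SAMPLE.splitlines())))
```

Each reported data port differs from the 3310 control port in the configuration above, which is why a filter that only permits 3310 leaves these sessions without a verdict.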