commit 36bc47a: [Minor] lua_scanners - icap - add request / http header support (McAfee Web Gateway support)

Carsten Rosenberg c.rosenberg at heinlein-support.de
Thu Nov 4 20:28:04 UTC 2021


Author: Carsten Rosenberg
Date: 2021-11-01 17:38:23 +0100
URL: https://github.com/rspamd/rspamd/commit/36bc47a45116d7abac3a2272af25965f69b89149

[Minor] lua_scanners - icap - add request / http header support (McAfee Web Gateway support)

---
 lualib/lua_scanners/icap.lua | 208 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 176 insertions(+), 32 deletions(-)

diff --git a/lualib/lua_scanners/icap.lua b/lualib/lua_scanners/icap.lua
index 86def8edd..eb1b3d611 100644
--- a/lualib/lua_scanners/icap.lua
+++ b/lualib/lua_scanners/icap.lua
@@ -15,17 +15,56 @@ See the License for the specific language governing permissions and
 limitations under the License.
 ]]--
 
---[[[
--- @module icap
--- This module contains icap access functions.
--- Currently tested with
---  - Symantec
---  - Sophos Savdi
---  - ClamAV/c-icap
---  - Kaspersky Web Traffic Security
---  - Trend Micro IWSVA
---  - F-Secure Internet Gatekeeper Strings
---]]
+--[[
+ at module icap
+This module contains icap access functions.
+Currently tested with
+ - Symantec (Rspam <3.2)
+ - Sophos Savdi
+ - ClamAV/c-icap
+ - Kaspersky Web Traffic Security
+ - Trend Micro IWSVA
+ - F-Secure Internet Gatekeeper
+ - McAfee Web Gateway
+
+ at TODO
+ - Preview / Continue
+ - Reqmod URL's
+ - Content-Type / Filename
+]] --
+
+--[[
+Configuration Notes:
+
+C-ICAP Squidclamav
+  scheme = "squidclamav";
+
+ESET Gateway Security / Antivirus for Linux example:
+  scheme = "scan";
+
+F-Secure Internet Gatekeeper example:
+  scheme = "respmod";
+  x_client_header = true;
+  x_rcpt_header = true;
+  x_from_header = true;
+
+Kaspersky Web Traffic Security example:
+  scheme = "av/respmod";
+
+McAfee Web Gateway 11 (Headers must be activated with personal extra Rules)
+  scheme = "respmod";
+  x_client_header = true;
+
+Sophos SAVDI example:
+  scheme as configured in savdi.conf
+
+Symantec example:
+  scheme = "avscan";
+
+Trend Micro IWSVA example:
+  scheme = "avscan";
+]] --
+
 
 local lua_util = require "lua_util"
 local tcp = require "rspamd_tcp"
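Review bot: `Symantec (Rspam <3.2)` in the "Currently tested with" list should read `Rspamd <3.2`, and it would be clearer as `Symantec (only tested with Rspamd < 3.2)` if that is what is meant. The rewritten header also changes the opener from `--[[[` to `--[[` and drops the `-- @module` form; if the project's documentation extraction keys on the triple-bracket form, this module comment will no longer be picked up, which is worth confirming before merging. The `at module` / `at TODO` rendering here is an artifact of the list archive and is presumably `@module` / `@TODO` in the repository.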
@@ -58,6 +97,12 @@ local function icap_config(opts)
     action = false,
     dynamic_scan = false,
     user_agent = "Rspamd",
+    x_client_header = false,
+    x_rcpt_header = false,
+    x_from_header = false,
+    req_headers_enabled = true,
+    req_fake_url = "http://127.0.0.1/mail",
+    http_headers_enabled = true,
   }
 
   icap_conf = lua_util.override_defaults(icap_conf, opts)
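Review bot: The new `req_headers_enabled`, `http_headers_enabled` and `req_fake_url` defaults are not described in the module's Configuration Notes comment, and nothing here explains what `req_fake_url` is for (it is used as the request line of a synthetic `GET` that is wrapped around the scanned content, not something that is fetched). A comment above these three such as `-- Synthetic HTTP request/response headers sent inside the RESPMOD body; req_fake_url is only the URL shown to the ICAP server` plus a matching entry in the Configuration Notes would make that clear. Because both flags default to `true`, every existing ICAP rule will start emitting the extra HTTP request/response headers after this change, which deserves a mention in the commit message or changelog.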
@@ -103,7 +148,8 @@ local function icap_check(task, content, digest, rule, maybe_part)
     local upstream = rule.upstreams:get_upstream_round_robin()
     local addr = upstream:get_addr()
     local retransmits = rule.retransmits
-    local respond_headers = {}
+    local http_headers = {}
+    local req_headers = {}
 
     -- Build extended User Agent
     if rule.user_agent == "extended" then
@@ -116,7 +162,7 @@ local function icap_check(task, content, digest, rule, maybe_part)
 
     -- Build the icap queries
     local options_request = {
-      string.format("OPTIONS icap://%s/%s ICAP/1.0\r\n", addr:to_string(true), rule.scheme),
+      string.format("OPTIONS icap://%s/%s ICAP/1.0\r\n", addr:to_string(), rule.scheme),
       string.format('Host: %s\r\n', addr:to_string()),
       string.format("User-Agent: %s\r\n", rule.user_agent),
       "Encapsulated: null-body=0\r\n\r\n",
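Review bot: Dropping the `true` argument from `addr:to_string()` in the OPTIONS request line means the ICAP URI no longer carries the upstream port, assuming `to_string(true)` is the with-port form (the removed RESPMOD line's separate `addr:get_port()` suggests the port used to be included deliberately). That is probably intended for consistency with the `Host:` line, but it silently changes what servers on a non-default port see in the request URI. A one-line comment recording the choice, e.g. `-- ICAP URI and Host deliberately carry no port (matches what the tested gateways expect)`, would stop a later reader from "fixing" it back.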
@@ -125,7 +171,14 @@ local function icap_check(task, content, digest, rule, maybe_part)
       table.remove(options_request, 3)
     end
 
-    local size = string.format("%x", tonumber(#content))
+    local respond_headers = {
+        -- Add main RESPMOD header before any other
+        string.format('RESPMOD icap://%s/%s ICAP/1.0\r\n', addr:to_string(), rule.scheme),
+        string.format('Host: %s\r\n', addr:to_string()),
+    }
+
+    local size = tonumber(#content)
+    local chunked_size = string.format("%x", size)
 
     local function icap_callback(err, conn)
 
@@ -167,11 +220,76 @@ local function icap_check(task, content, digest, rule, maybe_part)
         end
       end
 
+      local function get_req_headers()
+
+        local req_hlen = 2
+        table.insert(req_headers, string.format('GET %s HTTP/1.0\r\n', rule.req_fake_url))
+        table.insert(req_headers, string.format('Date: %s\r\n', rspamd_util.time_to_string(rspamd_util.get_time())))
+        --table.insert(http_headers, string.format('Content-Type: %s\r\n', 'text/html'))
+        if rule.user_agent ~= "none" then 
+          table.insert(req_headers, string.format("User-Agent: %s\r\n", rule.user_agent))
+        end
+
+        for _, h in ipairs(req_headers) do
+          req_hlen = req_hlen + tonumber(#h)
+        end
+
+        return req_hlen, req_headers
+
+      end
+
+      local function get_http_headers()
+        local http_hlen = 2
+        table.insert(http_headers, 'HTTP/1.0 200 OK\r\n')
+        table.insert(http_headers, string.format('Date: %s\r\n', rspamd_util.time_to_string(rspamd_util.get_time())))
+        table.insert(http_headers, string.format('Server: %s\r\n', 'Apache/2.4'))
+        if rule.user_agent ~= "none" then 
+          table.insert(http_headers, string.format("User-Agent: %s\r\n", rule.user_agent))
+        end
+        --table.insert(http_headers, string.format('Content-Type: %s\r\n', 'text/html'))
+        table.insert(http_headers, string.format('Content-Length: %s\r\n', size))
+
+        for _, h in ipairs(http_headers) do
+          http_hlen = http_hlen + tonumber(#h)
+        end
+
+        return http_hlen, http_headers
+
+      end
+
       local function get_respond_query()
-        table.insert(respond_headers, 1, string.format(
-            'RESPMOD icap://%s:%s/%s ICAP/1.0\r\n', addr:to_string(), addr:get_port(), rule.scheme))
+        local req_hlen = 0
+        local resp_req_headers
+        local http_hlen = 0
+        local resp_http_headers
+
+        -- Append all extra headers
+        if rule.user_agent ~= "none" then 
+          table.insert(respond_headers, string.format("User-Agent: %s\r\n", rule.user_agent))
+        end
+
+        if rule.req_headers_enabled then
+          req_hlen, resp_req_headers = get_req_headers()
+        end
+        if rule.http_headers_enabled then
+          http_hlen, resp_http_headers = get_http_headers()
+        end
+
+        if rule.req_headers_enabled and rule.http_headers_enabled then
+          local res_body_hlen = req_hlen + http_hlen
+          table.insert(respond_headers, string.format('Encapsulated: req-hdr=0, res-hdr=%s, res-body=%s\r\n', req_hlen, res_body_hlen))
+        elseif rule.http_headers_enabled then
+          table.insert(respond_headers, string.format('Encapsulated: res-hdr=0, res-body=%s\r\n', http_hlen))
+        else
+          table.insert(respond_headers, 'Encapsulated: res-body=0\r\n')
+        end
+
+        table.insert(respond_headers, '\r\n')
+        for _,h in ipairs(resp_req_headers) do table.insert(respond_headers, h) end
+        table.insert(respond_headers, '\r\n')
+        for _,h in ipairs(resp_http_headers) do table.insert(respond_headers, h) end
         table.insert(respond_headers, '\r\n')
-        table.insert(respond_headers, size .. '\r\n')
+        table.insert(respond_headers, chunked_size .. '\r\n')
         table.insert(respond_headers, content)
         table.insert(respond_headers, '\r\n0\r\n\r\n')
         return respond_headers
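Review bot: `ipairs(resp_req_headers)` right after the ICAP-header terminator raises `bad argument #1 to 'ipairs' (table expected, got nil)` whenever `req_headers_enabled` is false, because `resp_req_headers` is only assigned inside the `if rule.req_headers_enabled` branch; the same applies to `resp_http_headers` when `http_headers_enabled` is false, so neither option can actually be turned off. Even with the nil guarded, the two unconditional `'\r\n'` inserts would emit an empty section that the computed `Encapsulated` offsets (`res-hdr=0` / `res-body=0`) do not account for, shifting where the ICAP server starts reading the body. Each section, headers plus its terminating blank line, should only be emitted when its flag is set, and the request-headers-only combination currently falls into the `res-body=0` branch while still producing request headers, so it needs its own offsets. get_respond_query's closing `end` lies outside the hunk.
```lua
        if rule.req_headers_enabled and rule.http_headers_enabled then
          local res_body_hlen = req_hlen + http_hlen
          table.insert(respond_headers, string.format('Encapsulated: req-hdr=0, res-hdr=%s, res-body=%s\r\n', req_hlen, res_body_hlen))
        elseif rule.req_headers_enabled then
          -- Request headers only: body offset is the end of the req-hdr section
          table.insert(respond_headers, string.format('Encapsulated: req-hdr=0, res-body=%s\r\n', req_hlen))
        elseif rule.http_headers_enabled then
          table.insert(respond_headers, string.format('Encapsulated: res-hdr=0, res-body=%s\r\n', http_hlen))
        else
          table.insert(respond_headers, 'Encapsulated: res-body=0\r\n')
        end

        -- End of ICAP headers; only emit the sections the Encapsulated offsets describe
        table.insert(respond_headers, '\r\n')
        if rule.req_headers_enabled then
          for _, h in ipairs(resp_req_headers) do table.insert(respond_headers, h) end
          table.insert(respond_headers, '\r\n')
        end
        if rule.http_headers_enabled then
          for _, h in ipairs(resp_http_headers) do table.insert(respond_headers, h) end
          table.insert(respond_headers, '\r\n')
        end
        -- … unchanged: chunked body (chunked_size, content, terminating chunk) …
```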
@@ -187,12 +305,12 @@ local function icap_check(task, content, digest, rule, maybe_part)
         local icap_headers = {}
         for s in result:gmatch("[^\r\n]+") do
           if string.find(s, '^ICAP') then
-            icap_headers['icap'] = s
+            icap_headers['icap'] = tostring(s)
           end
           if string.find(s, '[%a%d-+]-:') then
             local _,_,key,value = tostring(s):find("([%a%d-+]-):%s?(.+)")
             if key ~= nil then
-              icap_headers[key] = value
+              icap_headers[key] = tostring(value)
             end
           end
         end
@@ -239,8 +357,21 @@ local function icap_check(task, content, digest, rule, maybe_part)
           X-Infection-Found: Type=0; Resolution=0; Threat=VBA/TrojanDownloader.Agent.JOA;
           X-Virus-ID: Trojaner
           X-Response-Info: Blocked
+
+        McAfee Web Gateway 11 (Headers must be activated with personal extra Rules)
+          X-Virus-ID: EICAR test file
+          X-Media-Type: text/plain
+          X-Block-Result: 80
+          X-Block-Reason: Malware found
+          X-Block-Reason: Archive not supported
+          X-Block-Reason: Media Type (Block List)
+
+        C-ICAP Squidclamav
+          X-Infection-Found: Type=0; Resolution=2; Threat={HEX}EICAR.TEST.3.UNOFFICIAL;
+          X-Virus-ID: {HEX}EICAR.TEST.3.UNOFFICIAL
         ]] --
 
+        -- Generic ICAP Headers
         if icap_headers['X-Infection-Found'] then
           local _,_,icap_type,_,icap_threat =
             icap_headers['X-Infection-Found']:find("Type=(.-); Resolution=(.-); Threat=(.-);$")
@@ -270,6 +401,7 @@ local function icap_check(task, content, digest, rule, maybe_part)
           else
             table.insert(threat_string, icap_headers['X-Virus-ID'])
           end
+        -- FSecure X-Headers
         elseif icap_headers['X-FSecure-Scan-Result'] and icap_headers['X-FSecure-Scan-Result'] ~= "clean" then
 
           local infected_filename = ""
@@ -295,7 +427,11 @@ local function icap_check(task, content, digest, rule, maybe_part)
           else
             table.insert(threat_string, infection_name)
           end
+        -- McAfee Web Gateway manual extra headers
+        elseif icap_headers['X-MWG-Block-Reason'] and icap_headers['X-MWG-Block-Reason'] ~= "" then
+          table.insert(threat_string, icap_headers['X-MWG-Block-Reason'])
         end
+
         if #threat_string > 0 then
           common.yield_result(task, rule, threat_string, rule.default_score, nil, maybe_part)
           common.save_cache(task, digest, rule, threat_string, rule.default_score, maybe_part)
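Review bot: The new branch keys on `X-MWG-Block-Reason`, but the McAfee Web Gateway header listing added in this same commit documents `X-Block-Reason` (alongside `X-Block-Result`); since both names come from operator-written gateway rules, one of the two should be corrected so the documentation matches what the code actually reads. Note also that the header parse loop earlier in this callback stores each header under a single key (`icap_headers[key] = tostring(value)`), so a response carrying several `X-Block-Reason` lines, as the listing shows, keeps only the last one; if every reason should reach `threat_string`, the parser would need to collect repeats into a list. A comment such as `-- Only the last X-MWG-Block-Reason value survives the header parse` would at least make the current behaviour explicit. The enclosing icap_callback body continues outside the hunk.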
@@ -354,21 +490,29 @@ local function icap_check(task, content, digest, rule, maybe_part)
 
           if icap_headers.icap and string.find(icap_headers.icap, 'ICAP%/1%.. 2%d%d') then
             if icap_headers['Methods'] and string.find(icap_headers['Methods'], 'RESPMOD') then
-              if icap_headers['Allow'] and string.find(icap_headers['Allow'], '204') then
-                add_respond_header('Allow', '204')
-              end
-              if icap_headers['Service'] and string.find(icap_headers['Service'], 'IWSVA 6.5') then
-                add_respond_header('Encapsulated', 'res-hdr=0 res-body=0')
-              else
-                add_respond_header('Encapsulated', 'res-body=0')
-              end
-              if icap_headers['Server'] and string.find(icap_headers['Server'], 'F-Secure ICAP Server') then
-                local from = task:get_from('mime')
-                local rcpt_to = task:get_principal_recipient()
+              -- Preview is currently ununsed
+              --if icap_headers['Allow'] and string.find(icap_headers['Allow'], '204') then
+              --  add_respond_header('Allow', '204')
+              --end
+
+              if rule.x_client_header then
                 local client = task:get_from_ip()
                 if client then add_respond_header('X-Client-IP', client:to_string()) end
-                add_respond_header('X-Mail-From', from[1].addr)
-                add_respond_header('X-Rcpt-To', rcpt_to)
+              end
+
+              -- F-Secure extra headers
+              if icap_headers['Server'] and string.find(icap_headers['Server'], 'F-Secure ICAP Server') then
+
+                if rule.x_rcpt_header then
+                  local rcpt_to = task:get_principal_recipient()
+                  if rcpt_to then add_respond_header('X-Rcpt-To', rcpt_to) end
+                end
+
+                if rule.x_from_header then
+                  local mail_from = task:get_principal_recipient()
+                  if mail_from and mail_from[1] then add_respond_header('X-Rcpt-To', mail_from[1].addr) end
+                end
+
               end
 
               conn:add_write(icap_w_respond_cb, get_respond_query())
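Review bot: The `x_from_header` block sends `X-Rcpt-To` built from `task:get_principal_recipient()`, so the `X-Mail-From` header the removed lines used to send from `task:get_from('mime')` is gone, and since the principal recipient is used as a plain string two lines earlier, `mail_from[1]` is presumably nil and the option never adds anything. It should read `local mail_from = task:get_from('mime')` and `if mail_from and mail_from[1] then add_respond_header('X-Mail-From', mail_from[1].addr) end`. Separately, with `x_client_header`, `x_rcpt_header` and `x_from_header` all defaulting to false, F-Secure deployments that previously received these headers unconditionally now lose them unless the rule is updated, which should be stated in the commit message. The comment `Preview is currently ununsed` should also be `unused`. icap_callback and the surrounding response handler continue outside the hunk.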

