mirrors
/
rspamd
espejo de https://github.com/vstakhov/rspamd.git
Seguir 1
Destacar 0
Fork 0
Código Incidencias 0 Lanzamientos 159 Wiki Actividad
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15767 Commits
28 Ramas
Árbol: 0315b0d8d2
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde '0315b0d8d2'
${ noResults }
rspamd/lualib/lua_scanners/kaspersky_se.lua

kaspersky_se.lua 8.4KB
Original Blame Histórico

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280 
  1. --[[

  2. Copyright (c) 2019, Vsevolod Stakhov <vsevolod@highsecure.ru>

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");

  5. you may not use this file except in compliance with the License.

  6. You may obtain a copy of the License at

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0

  9. 

  10. Unless required by applicable law or agreed to in writing, software

  11. distributed under the License is distributed on an "AS IS" BASIS,

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. See the License for the specific language governing permissions and

  14. limitations under the License.

  15. ]]--

  16. 

  17. --[[[

  18. -- @module kaspersky_se

  19. -- This module contains Kaspersky Scan Engine integration support

  20. -- https://www.kaspersky.com/scan-engine

  21. --]]

  22. 

  23. local lua_util = require "lua_util"

  24. local rspamd_util = require "rspamd_util"

  25. local http = require "rspamd_http"

  26. local upstream_list = require "rspamd_upstream_list"

  27. local rspamd_logger = require "rspamd_logger"

  28. local common = require "lua_scanners/common"

  29. 

  30. local N = 'kaspersky_se'

  31. 

  32. local function kaspersky_se_config(opts)

  33. 

  34.   local default_conf = {

  35.     name = N,

  36.     default_port = 9999,

  37.     use_https = false,

  38.     use_files = false,

  39.     timeout = 5.0,

  40.     log_clean = false,

  41.     tmpdir = '/tmp',

  42.     retransmits = 1,

  43.     cache_expire = 7200, -- expire redis in 2h

  44.     message = '${SCANNER}: spam message found: "${VIRUS}"',

  45.     detection_category = "virus",

  46.     default_score = 1,

  47.     action = false,

  48.     scan_mime_parts = true,

  49.     scan_text_mime = false,

  50.     scan_image_mime = false,

  51.   }

  52. 

  53.   default_conf = lua_util.override_defaults(default_conf, opts)

  54. 

  55.   if not default_conf.prefix then

  56.     default_conf.prefix = 'rs_' .. default_conf.name .. '_'

  57.   end

  58. 

  59.   if not default_conf.log_prefix then

  60.     if default_conf.name:lower() == default_conf.type:lower() then

  61.       default_conf.log_prefix = default_conf.name

  62.     else

  63.       default_conf.log_prefix = default_conf.name .. ' (' .. default_conf.type .. ')'

  64.     end

  65.   end

  66. 

  67.   if not default_conf.servers and default_conf.socket then

  68.     default_conf.servers = default_conf.socket

  69.   end

  70. 

  71.   if not default_conf.servers then

  72.     rspamd_logger.errx(rspamd_config, 'no servers defined')

  73. 

  74.     return nil

  75.   end

  76. 

  77.   default_conf.upstreams = upstream_list.create(rspamd_config,

  78.       default_conf.servers,

  79.       default_conf.default_port)

  80. 

  81.   if default_conf.upstreams then

  82.     lua_util.add_debug_alias('external_services', default_conf.name)

  83.     return default_conf

  84.   end

  85. 

  86.   rspamd_logger.errx(rspamd_config, 'cannot parse servers %s',

  87.       default_conf['servers'])

  88.   return nil

  89. end

  90. 

  91. local function kaspersky_se_check(task, content, digest, rule)

  92.   local function kaspersky_se_check_uncached()

  93.     local function make_url(addr)

  94.       local url

  95.       local suffix = '/scanmemory'

  96. 

  97.       if rule.use_files then

  98.         suffix = '/scanfile'

  99.       end

  100.       if rule.use_https then

  101.         url = string.format('https://%s:%d%s', tostring(addr),

  102.             addr:get_port(), suffix)

  103.       else

  104.         url = string.format('http://%s:%d%s', tostring(addr),

  105.             addr:get_port(), suffix)

  106.       end

  107. 

  108.       return url

  109.     end

  110. 

  111.     local upstream = rule.upstreams:get_upstream_round_robin()

  112.     local addr = upstream:get_addr()

  113.     local retransmits = rule.retransmits

  114. 

  115.     local url = make_url(addr)

  116.     local hdrs = {

  117.       ['X-KAV-ProtocolVersion'] = '1',

  118.       ['X-KAV-Timeout'] = tostring(rule.timeout * 1000),

  119.     }

  120. 

  121.     if task:has_from() then

  122.       hdrs['X-KAV-ObjectURL'] = string.format('[from:%s]', task:get_from()[1].addr)

  123.     end

  124. 

  125.     local req_body

  126. 

  127.     if rule.use_files then

  128.       local fname =  string.format('%s/%s.tmp',

  129.           rule.tmpdir, rspamd_util.random_hex(32))

  130.       local message_fd = rspamd_util.create_file(fname)

  131. 

  132.       if not message_fd then

  133.         rspamd_logger.errx('cannot store file for kaspersky_se scan: %s', fname)

  134.         return

  135.       end

  136. 

  137.       if type(content) == 'string' then

  138.         -- Create rspamd_text

  139.         local rspamd_text = require "rspamd_text"

  140.         content = rspamd_text.fromstring(content)

  141.       end

  142.       content:save_in_file(message_fd)

  143. 

  144.       -- Ensure cleanup

  145.       task:get_mempool():add_destructor(function()

  146.         os.remove(fname)

  147.         rspamd_util.close_file(message_fd)

  148.       end)

  149. 

  150.       req_body = fname

  151.     else

  152.       req_body = content

  153.     end

  154. 

  155.     local request_data = {

  156.       task = task,

  157.       url = url,

  158.       body = req_body,

  159.       headers = hdrs,

  160.       timeout = rule.timeout,

  161.     }

  162. 

  163.     local function kas_callback(http_err, code, body, headers)

  164. 

  165.       local function requery()

  166.         -- set current upstream to fail because an error occurred

  167.         upstream:fail()

  168. 

  169.         -- retry with another upstream until retransmits exceeds

  170.         if retransmits > 0 then

  171. 

  172.           retransmits = retransmits - 1

  173. 

  174.           lua_util.debugm(rule.name, task,

  175.               '%s: Request Error: %s - retries left: %s',

  176.               rule.log_prefix, http_err, retransmits)

  177. 

  178.           -- Select a different upstream!

  179.           upstream = rule.upstreams:get_upstream_round_robin()

  180.           addr = upstream:get_addr()

  181.           url = make_url(addr)

  182. 

  183.           lua_util.debugm(rule.name, task, '%s: retry IP: %s:%s',

  184.               rule.log_prefix, addr, addr:get_port())

  185.           request_data.url = url

  186. 

  187.           http.request(request_data)

  188.         else

  189.           rspamd_logger.errx(task, '%s: failed to scan, maximum retransmits '..

  190.               'exceed', rule.log_prefix)

  191.           task:insert_result(rule['symbol_fail'], 0.0, 'failed to scan and '..

  192.               'retransmits exceed')

  193.         end

  194.       end

  195. 

  196.       if http_err then

  197.         requery()

  198.       else

  199.         -- Parse the response

  200.         if upstream then upstream:ok() end

  201.         if code ~= 200 then

  202.           rspamd_logger.errx(task, 'invalid HTTP code: %s, body: %s, headers: %s', code, body, headers)

  203.           task:insert_result(rule.symbol_fail, 1.0, 'Bad HTTP code: ' .. code)

  204.           return

  205.         end

  206.         local data = string.gsub(tostring(body), '[\r\n%s]$', '')

  207.         local cached

  208.         lua_util.debugm(rule.name, task, '%s: got reply data: "%s"',

  209.             rule.log_prefix, data)

  210. 

  211.         if data:find('^CLEAN') then

  212.           -- Handle CLEAN replies

  213.           if data == 'CLEAN' then

  214.             cached = 'OK'

  215.             if rule['log_clean'] then

  216.               rspamd_logger.infox(task, '%s: message or mime_part is clean',

  217.                   rule.log_prefix)

  218.             else

  219.               lua_util.debugm(rule.name, task, '%s: message or mime_part is clean',

  220.                   rule.log_prefix)

  221.             end

  222.           elseif data == 'CLEAN AND CONTAINS OFFICE MACRO' then

  223.             common.yield_result(task, rule, 'File contains macros', 0.0, 'encrypted')

  224.             cached = 'MACRO'

  225.           else

  226.             rspamd_logger.errx(task, '%s: unhandled clean response: %s', rule.log_prefix, data)

  227.             common.yield_result(task, rule, 'unhandled response:' .. data, 0.0, 'fail')

  228.           end

  229.         elseif data == 'SERVER_ERROR' then

  230.           rspamd_logger.errx(task, '%s: error: %s', rule.log_prefix, data)

  231.           common.yield_result(task, rule, 'error:' .. data,

  232.               0.0, 'fail')

  233.         elseif string.match(data, 'DETECT (.+)') then

  234.           local vname = string.match(data, 'DETECT (.+)')

  235.           common.yield_result(task, rule, vname)

  236.           cached = vname

  237.         elseif string.match(data, 'NON_SCANNED %((.+)%)') then

  238.           local why = string.match(data, 'NON_SCANNED %((.+)%)')

  239. 

  240.           if why == 'PASSWORD PROTECTED' then

  241.             rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)

  242.             common.yield_result(task, rule, 'File is encrypted: '.. why,

  243.                 0.0, 'encrypted')

  244.             cached = 'ENCRYPTED'

  245.           else

  246.             common.yield_result(task, rule, 'unhandled response:' .. data, 0.0, 'fail')

  247.           end

  248.         else

  249.           rspamd_logger.errx(task, '%s: unhandled response: %s', rule.log_prefix, data)

  250.           common.yield_result(task, rule, 'unhandled response:' .. data, 0.0, 'fail')

  251.         end

  252. 

  253.         if cached then

  254.           common.save_cache(task, digest, rule, cached)

  255.         end

  256. 

  257.       end

  258.     end

  259. 

  260.     request_data.callback = kas_callback

  261.     http.request(request_data)

  262.   end

  263. 

  264.   if common.condition_check_and_continue(task, content, rule, digest,

  265.       kaspersky_se_check_uncached) then

  266.     return

  267.   else

  268. 

  269.     kaspersky_se_check_uncached()

  270.   end

  271. 

  272. end

  273. 

  274. return {

  275.   type = 'antivirus',

  276.   description = 'Kaspersky Scan Engine interface',

  277.   configure = kaspersky_se_config,

  278.   check = kaspersky_se_check,

  279.   name = N

  280. }