mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21071 Commits
30 Branches
Tree: 7769774962
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7769774962'
${ noResults }
rspamd/src/plugins/lua/antivirus.lua

antivirus.lua 11KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348 
  1. --[[

  2. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");

  5. you may not use this file except in compliance with the License.

  6. You may obtain a copy of the License at

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0

  9. 

  10. Unless required by applicable law or agreed to in writing, software

  11. distributed under the License is distributed on an "AS IS" BASIS,

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. See the License for the specific language governing permissions and

  14. limitations under the License.

  15. ]] --

  16. 

  17. local rspamd_logger = require "rspamd_logger"

  18. local lua_util = require "lua_util"

  19. local rspamd_util = require "rspamd_util"

  20. local lua_redis = require "lua_redis"

  21. local fun = require "fun"

  22. local lua_antivirus = require("lua_scanners").filter('antivirus')

  23. local common = require "lua_scanners/common"

  24. local redis_params

  25. 

  26. local N = "antivirus"

  27. 

  28. if confighelp then

  29.   rspamd_config:add_example(nil, 'antivirus',

  30.       "Check messages for viruses",

  31.       [[

  32.   antivirus {

  33.     # multiple scanners could be checked, for each we create a configuration block with an arbitrary name

  34.     clamav {

  35.       # If set force this action if any virus is found (default unset: no action is forced)

  36.       # action = "reject";

  37.       # If set, then rejection message is set to this value (mention single quotes)

  38.       # message = '${SCANNER}: virus found: "${VIRUS}"';

  39.       # Scan mime_parts separately - otherwise the complete mail will be transferred to AV Scanner

  40.       #scan_mime_parts = true;

  41.       # Scanning Text is suitable for some av scanner databases (e.g. Sanesecurity)

  42.       #scan_text_mime = false;

  43.       #scan_image_mime = false;

  44.       # If `max_size` is set, messages > n bytes in size are not scanned

  45.       max_size = 20000000;

  46.       # symbol to add (add it to metric if you want non-zero weight)

  47.       symbol = "CLAM_VIRUS";

  48.       # type of scanner: "clamav", "fprot", "sophos" or "savapi"

  49.       type = "clamav";

  50.       # For "savapi" you must also specify the following variable

  51.       product_id = 12345;

  52.       # You can enable logging for clean messages

  53.       log_clean = true;

  54.       # servers to query (if port is unspecified, scanner-specific default is used)

  55.       # can be specified multiple times to pool servers

  56.       # can be set to a path to a unix socket

  57.       # Enable this in local.d/antivirus.conf

  58.       servers = "127.0.0.1:3310";

  59.       # if `patterns` is specified virus name will be matched against provided regexes and the related

  60.       # symbol will be yielded if a match is found. If no match is found, default symbol is yielded.

  61.       patterns {

  62.         # symbol_name = "pattern";

  63.         JUST_EICAR = "^Eicar-Test-Signature$";

  64.       }

  65.       # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.

  66.       whitelist = "/etc/rspamd/antivirus.wl";

  67.       # Replace content that exactly matches the following string to the EICAR pattern

  68.       # Useful for E2E testing when another party removes/blocks EICAR attachments

  69.       #eicar_fake_pattern = 'testpatterneicar';

  70.     }

  71.   }

  72.   ]])

  73.   return

  74. end

  75. 

  76. -- Encode as base32 in the source to avoid crappy stuff

  77. local eicar_pattern = rspamd_util.decode_base32(

  78.     [[akp6woykfbonrepmwbzyfpbmibpone3mj3pgwbffzj9e1nfjdkorisckwkohrnfe1nt41y3jwk1cirjki4w4nkieuni4ndfjcktnn1yjmb1wn]]

  79. )

  80. 

  81. local function add_antivirus_rule(sym, opts)

  82.   if not opts.type then

  83.     rspamd_logger.errx(rspamd_config, 'unknown type for AV rule %s', sym)

  84.     return nil

  85.   end

  86. 

  87.   if not opts.symbol then

  88.     opts.symbol = sym:upper()

  89.   end

  90.   local cfg = lua_antivirus[opts.type]

  91. 

  92.   if not cfg then

  93.     rspamd_logger.errx(rspamd_config, 'unknown antivirus type: %s',

  94.         opts.type)

  95.     return nil

  96.   end

  97. 

  98.   if not opts.symbol_fail then

  99.     opts.symbol_fail = opts.symbol .. '_FAIL'

  100.   end

  101.   if not opts.symbol_encrypted then

  102.     opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'

  103.   end

  104.   if not opts.symbol_macro then

  105.     opts.symbol_macro = opts.symbol .. '_MACRO'

  106.   end

  107. 

  108.   -- WORKAROUND for deprecated attachments_only

  109.   if opts.attachments_only ~= nil then

  110.     opts.scan_mime_parts = opts.attachments_only

  111.     rspamd_logger.warnx(rspamd_config, '%s [%s]: Using attachments_only is deprecated. ' ..

  112.         'Please use scan_mime_parts = %s instead', opts.symbol, opts.type, opts.attachments_only)

  113.   end

  114.   -- WORKAROUND for deprecated attachments_only

  115. 

  116.   local rule = cfg.configure(opts)

  117.   if not rule then

  118.     return nil

  119.   end

  120. 

  121.   rule.type = opts.type

  122.   rule.symbol_fail = opts.symbol_fail

  123.   rule.symbol_encrypted = opts.symbol_encrypted

  124.   rule.redis_params = redis_params

  125. 

  126.   if not rule then

  127.     rspamd_logger.errx(rspamd_config, 'cannot configure %s for %s',

  128.         opts.type, opts.symbol)

  129.     return nil

  130.   end

  131. 

  132.   rule.patterns = common.create_regex_table(opts.patterns or {})

  133.   rule.patterns_fail = common.create_regex_table(opts.patterns_fail or {})

  134. 

  135.   lua_redis.register_prefix(rule.prefix .. '_*', N,

  136.       string.format('Antivirus cache for rule "%s"',

  137.           rule.type), {

  138.         type = 'string',

  139.       })

  140. 

  141.   -- if any mime_part filter defined, do not scan all attachments

  142.   if opts.mime_parts_filter_regex ~= nil

  143.       or opts.mime_parts_filter_ext ~= nil then

  144.     rule.scan_all_mime_parts = false

  145.   else

  146.     rule.scan_all_mime_parts = true

  147.   end

  148. 

  149.   rule.patterns = common.create_regex_table(opts.patterns or {})

  150.   rule.patterns_fail = common.create_regex_table(opts.patterns_fail or {})

  151. 

  152.   rule.mime_parts_filter_regex = common.create_regex_table(opts.mime_parts_filter_regex or {})

  153. 

  154.   rule.mime_parts_filter_ext = common.create_regex_table(opts.mime_parts_filter_ext or {})

  155. 

  156.   if opts.whitelist then

  157.     rule.whitelist = rspamd_config:add_hash_map(opts.whitelist)

  158.   end

  159. 

  160.   return function(task)

  161.     if rule.scan_mime_parts then

  162. 

  163.       fun.each(function(p)

  164.         local content = p:get_content()

  165.         local clen = #content

  166.         if content and clen > 0 then

  167.           if opts.eicar_fake_pattern then

  168.             if type(opts.eicar_fake_pattern) == 'string' then

  169.               -- Convert it to Rspamd text

  170.               local rspamd_text = require "rspamd_text"

  171.               opts.eicar_fake_pattern = rspamd_text.fromstring(opts.eicar_fake_pattern)

  172.             end

  173. 

  174.             if clen == #opts.eicar_fake_pattern and content == opts.eicar_fake_pattern then

  175.               rspamd_logger.infox(task, 'found eicar fake replacement part in the part (filename="%s")',

  176.                   p:get_filename())

  177.               content = eicar_pattern

  178.             end

  179.           end

  180.           cfg.check(task, content, p:get_digest(), rule, p)

  181.         end

  182.       end, common.check_parts_match(task, rule))

  183. 

  184.     else

  185.       cfg.check(task, task:get_content(), task:get_digest(), rule)

  186.     end

  187.   end

  188. end

  189. 

  190. -- Registration

  191. local opts = rspamd_config:get_all_opt(N)

  192. if opts and type(opts) == 'table' then

  193.   redis_params = lua_redis.parse_redis_server(N)

  194.   local has_valid = false

  195.   for k, m in pairs(opts) do

  196.     if type(m) == 'table' then

  197.       if not m.type then

  198.         m.type = k

  199.       end

  200.       if not m.name then

  201.         m.name = k

  202.       end

  203.       local cb = add_antivirus_rule(k, m)

  204. 

  205.       if not cb then

  206.         rspamd_logger.errx(rspamd_config, 'cannot add rule: "' .. k .. '"')

  207.         lua_util.config_utils.push_config_error(N, 'cannot add AV rule: "' .. k .. '"')

  208.       else

  209.         rspamd_logger.infox(rspamd_config, 'added antivirus engine %s -> %s', k, m.symbol)

  210.         local t = {

  211.           name = m.symbol,

  212.           callback = cb,

  213.           score = 0.0,

  214.           group = N

  215.         }

  216. 

  217.         if m.symbol_type == 'postfilter' then

  218.           t.type = 'postfilter'

  219.           t.priority = lua_util.symbols_priorities.medium

  220.         else

  221.           t.type = 'normal'

  222.         end

  223. 

  224.         t.augmentations = {}

  225. 

  226.         if type(m.timeout) == 'number' then

  227.           -- Here, we ignore possible DNS timeout and timeout from multiple retries

  228.           -- as these situations are not usual nor likely for the antivirus module

  229.           table.insert(t.augmentations, string.format("timeout=%f", m.timeout))

  230.         end

  231. 

  232.         local id = rspamd_config:register_symbol(t)

  233. 

  234.         rspamd_config:register_symbol({

  235.           type = 'virtual',

  236.           name = m['symbol_fail'],

  237.           parent = id,

  238.           score = 0.0,

  239.           group = N

  240.         })

  241.         rspamd_config:register_symbol({

  242.           type = 'virtual',

  243.           name = m['symbol_encrypted'],

  244.           parent = id,

  245.           score = 0.0,

  246.           group = N

  247.         })

  248.         rspamd_config:register_symbol({

  249.           type = 'virtual',

  250.           name = m['symbol_macro'],

  251.           parent = id,

  252.           score = 0.0,

  253.           group = N

  254.         })

  255.         has_valid = true

  256.         if type(m['patterns']) == 'table' then

  257.           if m['patterns'][1] then

  258.             for _, p in ipairs(m['patterns']) do

  259.               if type(p) == 'table' then

  260.                 for sym in pairs(p) do

  261.                   rspamd_logger.debugm(N, rspamd_config, 'registering: %1', {

  262.                     type = 'virtual',

  263.                     name = sym,

  264.                     parent = m['symbol'],

  265.                     parent_id = id,

  266.                     group = N

  267.                   })

  268.                   rspamd_config:register_symbol({

  269.                     type = 'virtual',

  270.                     name = sym,

  271.                     parent = id,

  272.                     score = 0.0,

  273.                     group = N

  274.                   })

  275.                 end

  276.               end

  277.             end

  278.           else

  279.             for sym in pairs(m['patterns']) do

  280.               rspamd_config:register_symbol({

  281.                 type = 'virtual',

  282.                 name = sym,

  283.                 parent = id,

  284.                 score = 0.0,

  285.                 group = N

  286.               })

  287.             end

  288.           end

  289.         end

  290.         if type(m['patterns_fail']) == 'table' then

  291.           if m['patterns_fail'][1] then

  292.             for _, p in ipairs(m['patterns_fail']) do

  293.               if type(p) == 'table' then

  294.                 for sym in pairs(p) do

  295.                   rspamd_logger.debugm(N, rspamd_config, 'registering: %1', {

  296.                     type = 'virtual',

  297.                     name = sym,

  298.                     parent = m['symbol'],

  299.                     parent_id = id,

  300.                     group = N

  301.                   })

  302.                   rspamd_config:register_symbol({

  303.                     type = 'virtual',

  304.                     name = sym,

  305.                     parent = id,

  306.                     score = 0.0,

  307.                     group = N

  308.                   })

  309.                 end

  310.               end

  311.             end

  312.           else

  313.             for sym in pairs(m['patterns_fail']) do

  314.               rspamd_config:register_symbol({

  315.                 type = 'virtual',

  316.                 name = sym,

  317.                 parent = id,

  318.                 score = 0.0,

  319.                 group = N

  320.               })

  321.             end

  322.           end

  323.         end

  324.         if m['score'] then

  325.           -- Register metric symbol

  326.           local description = 'antivirus symbol'

  327.           local group = N

  328.           if m['description'] then

  329.             description = m['description']

  330.           end

  331.           if m['group'] then

  332.             group = m['group']

  333.           end

  334.           rspamd_config:set_metric_symbol({

  335.             name = m['symbol'],

  336.             score = m['score'],

  337.             description = description,

  338.             group = group or 'antivirus'

  339.           })

  340.         end

  341.       end

  342.     end

  343.   end

  344. 

  345.   if not has_valid then

  346.     lua_util.disable_module(N, 'config')

  347.   end

  348. end