authorVsevolod Stakhov <vsevolod@highsecure.ru>2020-02-01 11:33:48 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2020-02-01 11:33:48 +0000
commit3baee22475cd021154e72baf17727606f6c22f0b (patch)
tree7e1b5b5f9167f19d66b3612915b8f19a5af267f2 /lualib
parentd4b759871e18c863831070e97f76673044ec4ae1 (diff)
[Feature] Antivirus: Add avast support
Diffstat (limited to 'lualib')
1 files changed, 292 insertions, 0 deletions
diff --git a/lualib/lua_scanners/avast.lua b/lualib/lua_scanners/avast.lua
new file mode 100644
index 000000000..547d80ca1
--- /dev/null
+++ b/lualib/lua_scanners/avast.lua
@@ -0,0 +1,292 @@
+Copyright (c) 2020, Vsevolod Stakhov <vsevolod@highsecure.ru>
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+See the License for the specific language governing permissions and
+limitations under the License.
+-- @module avast
+-- This module contains avast av access functions
+local lua_util = require "lua_util"
+local rspamd_util = require "rspamd_util"
+local tcp = require "rspamd_tcp"
+local upstream_list = require "rspamd_upstream_list"
+local rspamd_regexp = require "rspamd_regexp"
+local rspamd_logger = require "rspamd_logger"
+local common = require "lua_scanners/common"
+local N = "avast"
+local default_message = '${SCANNER}: virus found: "${VIRUS}"'
+local function avast_config(opts)
+ local avast_conf = {
+ name = N,
+ scan_mime_parts = true,
+ scan_text_mime = false,
+ scan_image_mime = false,
+ timeout = 4.0, -- FIXME: this will break task_timeout!
+ log_clean = false,
+ detection_category = "virus",
+ retransmits = 1,
+ servers = nil, -- e.g. /var/run/avast/scan.sock
+ cache_expire = 3600, -- expire redis in one hour
+ message = default_message,
+ }
+ avast_conf = lua_util.override_defaults(avast_conf, opts)
+ if not avast_conf.prefix then
+ avast_conf.prefix = 'rs_' .. avast_conf.name .. '_'
+ end
+ if not avast_conf.log_prefix then
+ if avast_conf.name:lower() == avast_conf.type:lower() then
+ avast_conf.log_prefix = avast_conf.name
+ else
+ avast_conf.log_prefix = avast_conf.name .. ' (' .. avast_conf.type .. ')'
+ end
+ end
+ if not avast_conf['servers'] then
+ rspamd_logger.errx(rspamd_config, 'no servers/unix socket defined')
+ return nil
+ end
+ avast_conf['upstreams'] = upstream_list.create(rspamd_config,
+ avast_conf['servers'],
+ 0)
+ if avast_conf['upstreams'] then
+ lua_util.add_debug_alias('antivirus', avast_conf.name)
+ return avast_conf
+ end
+ rspamd_logger.errx(rspamd_config, 'cannot parse servers %s',
+ avast_conf['servers'])
+ return nil
+local function avast_check(task, content, digest, rule)
+ local function avast_check_uncached ()
+ local upstream = rule.upstreams:get_upstream_round_robin()
+ local addr = upstream:get_addr()
+ local retransmits = rule.retransmits
+ local CRLF = '\r\n'
+ -- Common tcp options
+ local tcp_opts = {
+ stop_pattern = CRLF,
+ host = addr:to_string(),
+ port = addr:get_port(),
+ timeout = rule['timeout'],
+ task = task
+ }
+ -- Regexps to process reply from avast
+ local clean_re = rspamd_regexp.create_cached(
+ [=[(?!\\)\t\[\+\]]=]
+ )
+ local virus_re = rspamd_regexp.create_cached(
+ [[(?!\\)\t\[L\]\d\.\d\t\d\s(.*)]]
+ )
+ local error_re = rspamd_regexp.create_cached(
+ [[(?!\\)\t\[E\]\d+\.0\tError\s\d+\s(.*)]]
+ )
+ -- Used to make a dialog
+ local tcp_conn
+ -- Save content in file as avast can work with files only
+ local fname = string.format('%s/%s.avtmp',
+ rule.tmpdir, rspamd_util.random_hex(32))
+ local message_fd = rspamd_util.create_file(fname)
+ if not message_fd then
+ rspamd_logger.errx('cannot store file for avast scan: %s', fname)
+ return
+ end
+ if type(content) == 'string' then
+ -- Create rspamd_text
+ local rspamd_text = require "rspamd_text"
+ content = rspamd_text.fromstring(content)
+ end
+ content:save_in_file(message_fd)
+ -- Ensure file cleanup on task processed
+ task:get_mempool():add_destructor(function()
+ os.remove(fname)
+ rspamd_util.close_file(message_fd)
+ end)
+ -- Dialog stages closures
+ local avast_helo_cb
+ local avast_helo_done_cb
+ local avast_scan_cb
+ local avast_scan_done_cb
+ -- Utility closures
+ local function maybe_retransmit()
+ if retransmits > 0 then
+ retransmits = retransmits - 1
+ else
+ rspamd_logger.errx(task,
+ '%s [%s]: failed to scan, maximum retransmits exceed',
+ rule['symbol'], rule['type'])
+ common.yield_result(task, rule, 'failed to scan and retransmits exceed',
+ 0.0, 'fail')
+ return
+ end
+ upstream = rule.upstreams:get_upstream_round_robin()
+ addr = upstream:get_addr()
+ tcp_opts.callback = avast_helo_cb
+ tcp_conn = tcp.request(tcp_opts)
+ if not tcp_conn then
+ rspamd_logger.infox(task, 'cannot create connection to avast server: %s',
+ tostring(addr))
+ end
+ end
+ local function no_connection_error(err)
+ if err then
+ if tcp_conn then
+ tcp_conn:close()
+ end
+ rspamd_logger.infox(task, 'failed to write request to avast (%s): %s',
+ tostring(addr), err)
+ maybe_retransmit()
+ return false
+ end
+ return true
+ end
+ -- Define callbacks
+ avast_helo_cb = function (merr)
+ -- Called when we have established a connection but not read anything
+ if no_connection_error(merr) then
+ tcp_conn:add_read(avast_helo_done_cb, CRLF)
+ end
+ end
+ avast_helo_done_cb = function(merr, mdata)
+ if no_connection_error(merr) then
+ -- Check mdata to ensure that it starts with 220
+ if #mdata > 3 and tostring(mdata:span(1, 3)) == '220' then
+ tcp_conn:add_write(avast_scan_cb, string.format(
+ 'SCAN %s%s', fname, CRLF))
+ else
+ rspamd_logger.errx(task, 'Unhandled response: %s', mdata)
+ end
+ end
+ end
+ avast_scan_cb = function(merr)
+ -- Called when we have send request to avast and are waiting for reply
+ if no_connection_error(merr) then
+ tcp_conn:add_read(avast_scan_done_cb, CRLF)
+ end
+ end
+ avast_scan_done_cb = function(merr, mdata)
+ if no_connection_error(merr) then
+ if #mdata > 4 then
+ local beg = tostring(mdata:span(1, 4))
+ if beg == '210' then
+ -- Ignore 210, fire another read
+ tcp_conn:add_read(avast_scan_done_cb, CRLF)
+ elseif beg == '200' then
+ -- Final line
+ upstream:ok()
+ tcp_conn:close()
+ else
+ -- Check line using regular expressions
+ local cached
+ local ret = clean_re:search(mdata, false, true)
+ if ret then
+ cached = 'OK'
+ if rule.log_clean then
+ rspamd_logger.infox(task,
+ '%s [%s]: message or mime_part is clean',
+ rule.symbol, rule.type)
+ end
+ end
+ if not cached then
+ ret = virus_re:search(mdata, false, true)
+ if ret then
+ local vname = ret[1][2]
+ if vname then
+ vname = vname:gsub('\\ ', ' '):gsub('\\\\', '\\')
+ common.yield_result(task, rule, vname)
+ cached = vname
+ end
+ end
+ end
+ if not cached then
+ ret = error_re:search(mdata, false, true)
+ if ret then
+ rspamd_logger.errx(task, '%s: error: %s', rule.log_prefix, ret[1][2])
+ common.yield_result(task, rule, 'error:' .. ret[1][2],
+ 0.0, 'fail')
+ end
+ end
+ if cached then
+ common.save_cache(task, digest, rule, cached)
+ else
+ -- Unexpected reply
+ rspamd_logger.errx(task, '%s: unexpected reply: %s', rule.log_prefix, mdata)
+ end
+ -- Read more
+ tcp_conn:add_read(avast_scan_done_cb, CRLF)
+ end
+ end
+ end
+ end
+ -- Send the real request
+ maybe_retransmit()
+ end
+ if common.condition_check_and_continue(task, content, rule, digest, avast_check_uncached) then
+ return
+ else
+ avast_check_uncached()
+ end
+return {
+ type = 'antivirus',
+ description = 'Avast antivirus',
+ configure = avast_config,
+ check = avast_check,
+ name = N