zcv.cfg
zcv.cfg — zcv(8) configuration file format
Structure
zcv.cfg
uses an XML-like format to describe various configuration
settings. The exact structure is
configuration/section/<setting>
, where the "name"
attribute of the configuration block identifies the ZCV subsystem described by the nested
tags.
The main configuration blocks of the file are the following:
- zcv
Global options of zcv.
- scanpaths
Definitions and settings of the scanpaths.
- nod32, html, etc.
Definitions and instance-specific settings of the modules.
- module-options
Global settings of the modules that apply to every instance of the module.
The example below sets the global options used by ZCV, broken down to three different
sections: log for log related settings, router for
setting the path to the router.cfg
file and misc for
miscellaneous parameters.
<configuration name="zcv">
<section name="log">
<loglevel>3</loglevel>
<use_syslog>true</use_syslog>
<logtags>true</logtags>
</section>
<section name="router">
<router>/etc/zcv/router.cfg</router>
</section>
<section name="misc">
<magic_length>2048</magic_length>
</section>
</configuration>
The ZCV modules have a slightly different structure. The name attribute in the configuration tag of the ZCV module and the section name identifies an instance of that module. Each instance can be run with a different parameter set. The example below shows a complete configuration block for the clamav module, with an instance named intranet having normal, and another named internet having paranoid sensitivity.
<configuration name="clamav">
<section name="internet">
<mode>file</mode>
<scan_packed>1</scan_packed>
<disinfect>0</disinfect>
<scan_suspicious>1</scan_suspicious>
<heuristic_level>normal</heuristic_level>
</section>
<section name="intranet">
<mode>file</mode>
<scan_packed>1</scan_packed>
<disinfect>1</disinfect>
<scan_suspicious>0</scan_suspicious>
<heuristic_level>normal</heuristic_level>
</section>
</configuration>
The router.cfg file
The router.cfg
file controls the scanpath selection in ZCV. ZCV
selects the scanpath based on the meta-information that Zorp supplies. Each line in
router.cfg
comprises from a condition
and an
action
, separated by whitespace. When an incoming request matches a
condition
, the corresponding the action
identifies the scanpath and its instance to be used.
The condition
is a comma separated list of constraints, each
constraint identifying a variable and an expected value in the
header=match,header=match,... format. Wildcard characters like '*' and
'?' can be included in the matches.The following variables are currently defined:
- zcv_rule_group
The name of the rule group that the peer requests. Its value is specified the -R command line option in Zorp mode, or is supplied by the peer during the handshake.
- content_type_detected
MIME type detected based on the first bytes of the file.
- content_type_uncompressed
MIME type detected based on the first bytes of the file looking into a compressed file header and decompressing it if necessary.
- content_type
MIME type as specified by the peer.
- file_name
File name or URL.
- file_extension
File extension. Please note that this information might not be accurate as some URLs do not contain file extension in which case this variable is empty. For example it is common to reference directories in HTTP which implicitly map to a server defined content and the URL does not contain a filename extension as in http://domain.com/directory/. It is better to use content_type or content_type_detected for content specific scanning.
- file_xfer_direction
File transfer direction, either "upload" or "download".
- zorp_protocol
Protocol that was used to transfer the checked file.
- zorp_session_id
Zorp session id that requested content vectoring.
- zorp_proxy_class
The name of the proxy class that requested content vectoring.
- zorp_auth_user
The authenticated username.
- zorp_client_address
Client address in AF_INET(>ipaddr<, >port<) format.
- zorp_client_address.ip
Client IP address.
- zorp_client_address.port
Client TCP/UDP port.
- zorp_client_zone
The name of the client zone.
- zorp_server_address
Server address in AF_INET(>ipaddr<, >port<) format.
- zorp_server_address.ip
Server IP address.
- zorp_server_address.port
Server TCP/UDP port.
- zorp_server_zone
The name of the server zone.
- smtp_envelope_sender
The envelope sender address in SMTP.
- smtp_envelope_recipients
Space separated list of envelope recipient addresses in SMTP.
- nntp_group_name
The name of the NNTP newsgroup name.
- http_request_method
The type of the HTTP request.
- http_request_url
The HTTP request URL.
- http_request_version
The version of the HTTP request (e.g. 1.1).
- http_request_host
The Host header included in the HTTP request.
Furthermore, virtually all defined Zorp variables can be used as variables with the
'zorp.' prefix, which denotes the 'session' object of the stacking proxy. For example:
> zorp.session_id
,
zorp.client_address.ip_s
, etc.
The action
identifies the ZCV scanpath to use.
The example below selects the html
scanpath for all files which
are recognized as "text/html" files, and rejects everything else. An object is scanned only
by the scanpath of the first matching condition.
content_type="text/html" html
content_type_detected="text/html" html
REJECT
Global Options
Global options are stored in the configuration block named zcv. Related options are grouped into sections.
Section log
- use_syslog
Use syslog for logging.
- logtags
Enable the logging of message tags.
- loglevel
Level of verbosity for logging messages. Default value: 3.
- logspec
Set verbosity mask on a per category basis. The format of this value is described in zorp(8).
Section misc
- magic_length
This parameter determines the amount of data (in bytes) read from MIME objects to detect their MIME-type. Higher value increases the precision of MIME-type detection. Default value: 0.
- tempdir
Location of the temporal directory (used for swap files, etc.). Default value:
/var/lib/zorp/tmp
Section router
- router
Location of the
router.cfg
file. Default value:/etc/zcv/router.cfg
Section bind
- ip
IP address to which ZCV binds. Default value:
0.0.0.0
.- port
Port to which ZCV binds. Default value:
1318
.- unix
Bind to a unix domain socket. If only the empty tag is present, the default socket (
/var/run/zcv/zcv.sock
) is used.
When binding to a unix domain socket, the owner and the permissions of the socket can be set using the following paramters:
- owner
The owner of the socket. By default its value is
NULL
, meaning that the owner of the socket is the user running ZCV.- group
The owner group of the socket. Default value:
zorpstate
.- perm
The permission settings of the socket in Unix-style. Default value:
770
.
Section blob
- hiwat
ZCV tries to store everything in the memory if possible. If the memory usage of ZCV reaches
hiwat
, it starts to swap the data onto the hard disk, until the memory usage reacheslowat
. Default value: 128*0x100000 (128 MB).- lowat
Lower threshold of data swapping. Default value: 96*0x100000 (96 MB).
- max_disk_usage
The maximum amount of hard disk space that ZCV is allowed to use. Default value: 1024*0x100000 (1 GB).
- max_mem_usage
The maximum amount of memory that ZCV is allowed to use. Default value: 256*0x100000 (256 MB).
- noswap_max
Objects smaller than this value (in bytes) are never swapped to hard disk. Default value: 16384.
Scanpath Options
The scanpath options are stored in the configuration block named scanpaths. Each section in this block has the name of a scanpath and contains settings specific for the given scanpath.
Settings to control trickling can also be configured here. Content filtering cannot be performed on partial files: the entire file has to be available on the firewall. Sending of the file to the client is started only if no virus was found (or the file was successfully disinfected). Instead of receiving the data in a continuous stream, as when connecting to the server “regularly”, the client does not receive any data for a while, then “suddenly” it starts to flow. This phenomena is not a problem for small files, since these are transmitted and checked fast, probably without the user ever noticing the delay, but can be an issue for larger files when the client application might time out. Another source of annoyance can be when the bandwidth of the network on the client and server side of the firewall is significantly different. In order to avoid time outs, a solution called trickling is used. This means that the firewall starts to send small pieces of data to the client so it feels that it is receiving something and does not time out. For further information on trickling, see the Virus filtering and HTTP Technical White Paper available at the BalaSys Documentation Page at http://www.balasys.hu/en/documentation/
The following options are available for each scanpath:
- plugins
Comma-separated list of colon separated pairs listing the modules to be executed in the scanpath. The colon-separated pairs specify the module and its instance (e.g.:
html:filterscripts, nod32:paranoid
).- quarantine_mode
Quarantine mode to be used. Always the original file is quarantined.
- always
Quarantine all objects rejected for any reason.
- rejected
Quarantine objects that could not be disinfected.
- modified+rejected
Quarantine only the original version of the files which were successfully disinfected. E.g.: if an infected object is found but it is successfully disinfected, the original (infected) object is quarantined. That way, the object is retained even if the disinfection eliminates some important information.
- never
Disable quarantining, objects rejected for any reason are dropped.
- threshold_oversize
Objects larger than
threshold_oversize
(in bytes) are not scanned, because of performance/resource reasons (i.e. large archives, ISO files, etc.).- trickle_mode
Mode of trickling to be used. Default: NONE.
- none
Trickling is disabled.
- percent
Determine the amount of data to be trickled based on the size of the object. Data is sent to the client only when ZCV receives new data; the size of the data trickled is the set percentage of the total data received so far. This is the recommended method to use.
- steady
Trickle fixed amount of data in fixed time intervals.
- trickle_percent
Amount of data to be trickled (percentage). Defailt value: 10.
- trickle_steady_initial_delay
When an object is downloaded, trickling is started after this period (in seconds). Default value: 10.
- trickle_steady_delay
Period (in seconds) between trickling data chunks.
- trickle_steady_bytes
Amount of data (in bytes) that is sent to the client in a chunk during trickling. Default value: 128 bytes.
Modules
The following modules are available in ZCV:
- sed
Filters and rewrites the input in stream similarly to the operation of the UNIX 'sed' command.
- nod32
Performs virus scanning on the incoming data with the NOD32 engine. The data is processed in file mode.
- clamav
Performs virus scanning on the incoming data with the Clam AntiVirus engine. The data is processed in file mode.
- html
Performs JavaScript/Java/ActiveX filtering of HTML data in stream mode.
- spamassassin
Performs spam filtering on the incoming e-mails with the SpamAssassin engine. The data is processed in file mode.
- mail-hdr
Performs filtering and manipulation on the headers of e-mail messages. The data can be processed both in file and stream mode.
- program
Performs filtering and/or manipulation of the data with an external 3rd-party application. The data can be processed either in file and stream mode.
The Sed module
The configuration name of the sed module is sed. This module has the following instance-specific options:
- filter
The stucture of this string is the following: a slash (/), the string to be replaced, a slash (/), the replacement string, and the options. Slashes in the string have to be escaped with backslashes.The folowing options are available:
- -g
Replace all occurances of the string.
- -i
Run in case insensitive mode.
For example, the /example/sample/-g filter replaces all occurances of 'example' to 'sample'.
The NOD32 module
The nod32 module has the following instance-specific options:
- scan_packed
Perform virus scanning on archived files. Default value: YES.
- scan_suspicious
Perform virus scanning on suspicious files (e.g.: suspicious files are often new variants of known viruses). Default value: NO.
- disinfect
Attempt disinfection if a virus is found. Default value: NO.
- heuristic_level
Level of heuristic sensitivity. The available levels are OFF, NORMAL, and HIGH. Default value: OFF.
- archive_max_size
Archives larger than the specified value (in megabytes) are not scanned. Zero means unlimited. Default value: 10.
The clamav module
The configuration name of the Clam AntiVirus module is clamav. The module has the following module options:
- daemon_socket
The domain socket used to communicate with the clamav engine. Default value:
/var/run/clamav/clamd.ctl
The clamav module has the following instance-specific options:
- scan_packed
Perform virus scanning on archived files. Default value: YES.
The SpamAssassin module
The configuration name of the SpamAssassin module is spamassassin. The module has the following instance-specific options::
- check_only
Only check the e-mails, but do not make any modification to the e-mail. The result of the spam filtering is returned to ZCV separately. Default value: FALSE.
- host and port
The hostname and port number of the machine SpamAssassin is running on, if different from the ZCV host.
- socketpath
The domain socket used to communicate with SpamAssassin if it is running on the ZCV host. Default value:
/var/run/spamassassin.sock
- username
The user under which SpamAssassin should filter e-mails. Default value: not set, the user running SpamAssassin is used (
nobody
).- timeout
Timeout value for the scanning requests in milliseconds. Default value:
-1
(unlimited).Note If the timeout is set to unlimited, a 60 second timeout value is used for the connection if SpamAssassin is running on a remote host.
- threshold
The default value of this parameter equals the
required_score
of SpamAssassin (default value: 5). By default, ZCV rejects all e-mails SpamAssassin detects as spam. However, to minimize the impacts of false positive alarms, if the spam status of an e-mail (as calculated by SpamAssassin) is over therequired_score
, but below the value set inthreshold
, ZCV only marks the e-mail as spam, but does reject it. If the spam status of an e-mail is above thethreshold
, it is automatically rejected.
The HTML module
The configuration name of the html module is html.
The html module has the following instance-specific options:
- filter_javascript
Remove javascript from HTML pages. Default value: NO. Enabling this option removes all
javascript
andscript
tags, and the conditional value prefixes (e.g.:onclick
,onreset
, etc.).- filter_activex
Remove ActiveX components from HTML pages. Default value: NO. Enabling this option removes the
applet
tags and theclassid
value prefix.- filter_java
Remove java from HTML pages. Default value: NO. Enabling this option removes the
java:
andapplication/java-archive
inclusions, as well as theapplet
tags.- filter_css
Remove CSS (cascading style sheets) from HTML pages. Default value: NO. Enabling this option removes the single
link
tags, thestyle
tags and options, as well as theclass
options.- filter_custom
A whitespace-separated value of colon separated pairs, specifying the headers, tags, etc. to be removed based on their names or their values.
The following HTML elements can be filtered:
Tags: Remove everything between the specified tag and its closing tag. Embedded structures are also handled. E.g.:
closed-tag:ul
Single tags: Remove all occurrences of the specified single tag (
img
,hr
, etc.). E.g.:tag:hr
Options: Remove options (e.g.:
width
, etc.) and their values. E.g.:option:width
Prefixes: Remove all options starting with the set prefix. E.g.:
prefix:on
will remove all options likeonclick
, etc.- buffer_size
This attribute control the size of the internal buffer of this module
The mail header module
The configuration name of the mail header module is mail-hdr. A
filter contains a pattern (i.e. the header line to be found) enclosed within backslashes
(/
), a whitespace, the action to be performed on the header line, and
an optional argument. The pattern and the argument can be regular expressions. To search for
the pattern in case insensitive mode, add an i
character after the
closing backslash of the pattern. The following actions can be performed on the mail headers:
Append: Add the argument of the filter as a new header line after the match.
Discard: Discard the entire e-mail message. The argument is returned to the mail server sending the message as an error message.
Ignore: Remove the matching header line from the message.
Pass: Accept the matching header line. This action can be used to create exceptions from other filter rules.
Prepend: Add the argument of the filter as a new header line before the match.
Reject: Reject the entire e-mail message. The argument is returned to the sender of the message as an error message.
Replace: Replace the mathing header line to the argument of the filter.
The module has the following instance-specific options::
- filter
The list of filters to be applied on the mail headers. For example:
<filter>
/^Subject: hello$/i DISCARD
/^Date: (.*)/ APPEND "X-Date: \1 \1"
<filter>
- header_wrap_length
If a manipulated header line is longer than this value (in bytes), is will be broken into a new lines. These new lines will not be longer then
header_wrap_length
. Default value:.
- max_line_length
This attribute control the maximum length of a header line
Published on June 04, 2020
© 2007-2019 BalaSys
Send your comments to support@balasys.hu