14.2.1.2. ZCV modules

Each module available in ZCV has its own parameters that can be set separately for each module instance. Some modules also have global options that apply to all instances of that module; these are described together with the particular module.

The clamav module

The clamav module uses the Clam AntiVirus engine to examine incoming files. It supports only the file mode and only detects infected files; it does not attempt to disinfect them. Starting with Zorp 3.4, the module automatically scans archived files as well.

The HTML module

The HTML module can be used to filter various scripts and tags in HTML pages. It can operate both in file and stream modes.

Figure 14.4. The HTML module

The HTML module has the following options:

  • Enable JavaScript filtering: Remove all JavaScript. Enabling this option removes all javascript and script tags, as well as every option starting with the on prefix (the event handler attributes, for example, onclick, onreset, and so on).

  • Enable ActiveX filtering: Remove all ActiveX components. Enabling this option removes the applet tags and the classid value prefix.

  • Enable Java filtering: Remove all Java code references. Enabling this option removes the java: and application/java-archive inclusions, as well as the applet tags.

  • Enable CSS filtering: Remove cascading stylesheet (CSS) elements. Enabling this option removes the link single tags, the style tags and the style options, as well as the class options.

  • Filter HTML tags: Custom filters can be added using the New button to remove certain elements of the HTML code. A filter can remove the specified value from HTML tags, single tags, options or prefixes (selected in the Filter place combobox). The Filter value specifies the name of the tag/option to be removed.

    Figure 14.5. Filtering HTML tags

    The Filter place parameter has the following options:

    In tags: Remove everything between the specified tag and its closing tag. Embedded structures are also handled.

    In single tags: Remove all occurrences of the specified single tag. A single tag is a tag that does not have a closing element, for example, img, hr, and so on.

    In options: Remove the specified option together with its value from every tag in which it occurs (for example, width).

    In prefixes: Remove all options whose name starts with the string set as Filter value. Setting on as the Filter value, for example, removes onclick and every other option beginning with on.

Note

The HTML module is designed to process only text data. It cannot handle binary data, thus directing binary files to the module should be avoided.
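The following is an added example, not code from Zorp or the ZCV HTML module: a small HTML rewriter built on Python's html.parser that models the four Filter place modes described above (In tags, In single tags, In options, In prefixes). The class and rule names are assumptions, the sample page is constructed, and the rule list only approximates "Enable JavaScript filtering" plus two custom filters. It shows two details a practitioner cares about: a removed block element is tracked by nesting depth so embedded structures are handled, and character references such as &lt; are passed through unchanged rather than decoded into real tags.

```python
"""Tag and attribute filter modelling the "Filter place" modes of the ZCV HTML
module. Added example, not ZCV code; names and rules are assumptions."""
from html.parser import HTMLParser


class ZcvStyleHtmlFilter(HTMLParser):
    """Rules are (place, value) pairs:
    ("tags", name)     drop <name> ... </name> and everything between (nesting aware)
    ("single", name)   drop every <name> tag that has no closing element (img, hr, ...)
    ("options", name)  drop the attribute name="..." from every tag
    ("prefixes", p)    drop every attribute whose name starts with p (e.g. "on")
    """

    def __init__(self, rules):
        super().__init__(convert_charrefs=False)   # keep &lt; as written, never decode it
        self.block_tags = {v for place, v in rules if place == "tags"}
        self.single_tags = {v for place, v in rules if place == "single"}
        self.drop_attrs = {v for place, v in rules if place == "options"}
        self.drop_prefixes = [v for place, v in rules if place == "prefixes"]
        self.out = []
        self.skip_tag = None   # name of the block element currently being removed
        self.skip_depth = 0    # nesting depth inside that element (0 = not skipping)

    def _keep_attr(self, name):
        return name not in self.drop_attrs and not any(
            name.startswith(p) for p in self.drop_prefixes)

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if self._keep_attr(name):
                parts.append(name if value is None
                             else '%s="%s"' % (name, value.replace('"', "&quot;")))
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth += 1      # same element nested inside the removed one
            return
        if tag in self.block_tags:
            self.skip_tag, self.skip_depth = tag, 1
        elif tag not in self.single_tags:
            self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if not self.skip_depth and tag not in self.single_tags:
            self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth -= 1
        else:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        if not self.skip_depth:
            self.out.append("<!--%s-->" % data)


def filter_html(html, rules):
    f = ZcvStyleHtmlFilter(rules)
    f.feed(html)
    f.close()
    return "".join(f.out)


# Constructed sample page, not a real capture.
SAMPLE = ('<html><body onload="init()"><script>alert(1)</script>'
          '<div class="x" style="color:red">Hi <b>there</b></div>'
          '<img src="a.png" width="10" onerror="steal()">'
          '<object classid="clsid:1234"><param name="a" value="b"></object>'
          '&lt;not a tag&gt;</body></html>')

RULES = [("tags", "script"),      # In tags: the script element and its body
         ("prefixes", "on"),      # In prefixes: onload, onerror, onclick, ...
         ("single", "img"),       # In single tags: every <img>
         ("options", "width"),    # In options: width="..." everywhere
         ("options", "class")]    # In options: class="..." (as CSS filtering does)

if __name__ == "__main__":
    print(filter_html(SAMPLE, RULES))
```

Running it on the sample leaves the object element in place because no rule names classid; an ActiveX-style filter would add ("options", "classid") and ("tags", "applet"), which is what the Enable ActiveX filtering option does for you.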

The NOD32 module

The NOD32 module uses the NOD32 virus filtering engine to examine incoming files. It supports only the file mode.

Figure 14.6. The NOD32 module

The module has the following parameters:

  • Scan packed: Enables or disables virus scanning of archived files.

  • Scan suspicious: Enables or disables virus scanning of suspicious files (suspicious files are often new variants of known viruses).

  • Heuristic scan level: Defines the sensitivity of the heuristic (non-database based) detection. The available levels are OFF and NORMAL.

  • Archive max size: Defines the maximum unpacked size (in megabytes) of a single archive that is scanned; the limit is compared with the uncompressed size, not with the size of the archive itself. If a 2.5 MB .zip file, for example, contains a file that is 80 MB uncompressed, and Archive max size is set to 10 MB, the file is not scanned for viruses. If Archive max size is set to 100 MB, ZCV scans the file.

Note

ESET's NOD32 module tries to resolve the reverse host names of all locally assigned IP addresses on static, VLAN and TUN interfaces (except loopbacks) for licensing purposes at ZCV startup. To ensure the fastest ZCV startup and restart, the reverse host names must be resolvable through the DNS service or the hosts file. If there is a DNS service but the reverse names are not available, quick NXDOMAIN responses are sufficient as well. Without a DNS service the NOD32 plugin does not work and logs license activation related error messages.

The mail header filtering (mail-hdr) module

The mail-hdr module can filter and manipulate e-mail headers in both stream and file modes. It scans the incoming e-mail (stream or file) using regular expressions and deletes or modifies the matching headers. New headers can also be inserted into the mails.

Warning

E-mail headers are processed and manipulated line by line. However, a header can span multiple lines (a folded header continues on lines starting with whitespace), so a pattern is matched against each physical line separately, never against the header as a whole.

A single instance can include multiple filters; the order in which these filters are processed can be set using the arrow buttons. Each filter consists of a pattern, an action that is performed when the pattern is found, and an argument (for example, a replacement header). Note that not every action requires an argument.

Figure 14.7. Filtering mail headers

A filter has the following parameters:

  • Header pattern: The search string to be found in the headers. Regular expressions can be used; the Case insensitive option below applies to this pattern.

  • Action: The action to be performed on the matching header line, or on the whole message, when the pattern is found. The following actions are available:

    • Append: Add the argument of the filter as a new header line after the match.

    • Discard: Discard the entire e-mail message. The argument is returned to the mail server sending the message as an error message.

    • Ignore: Remove the matching header line from the message.

    • Pass: Accept the matching header line. This action can be used to create exceptions from other filter rules.

    • Prepend: Add the argument of the filter as a new header line before the match.

    • Reject: Reject the entire e-mail message. The argument is returned to the sender of the message as an error message.

    • Replace: Replace the matching header line with the argument of the filter.

  • Argument: The text used by the action: the new header line for Append and Prepend, the replacement header line for Replace, or the error message for Discard and Reject. For Replace, the argument can contain \n references (n being a number from 1 to 9, inclusive), which refer to the portion of the match contained between the nth \( and its matching \). The argument can also contain unescaped & characters, which reference the whole matched portion of the pattern space.

  • Case insensitive: Select this checkbox to match the pattern case-insensitively.
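The following is an added example, not ZCV's implementation: a line-by-line header filter in Python that models the seven mail-hdr actions on a constructed message. HeaderFilter, filter_headers and the verdict tuple it returns are assumptions, as is the first-match-wins ordering (which is what lets Pass create exceptions from later rules). The sample's Subject header is folded over two lines, so the Reject filter that looks for "report" never fires, which is exactly the situation the warning above describes.

```python
"""Line-by-line header filter modelling the ZCV mail-hdr actions.
Added example, not ZCV code; names and first-match semantics are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class HeaderFilter:
    pattern: str            # regular expression searched in each header line
    action: str             # append | discard | ignore | pass | prepend | reject | replace
    argument: str = ""      # new header line, replacement line, or error text
    case_insensitive: bool = False


def filter_headers(message, filters):
    """Return ("accepted", new_message), ("rejected", text) or ("discarded", text)."""
    compiled = [(re.compile(f.pattern, re.I if f.case_insensitive else 0), f)
                for f in filters]
    head, sep, body = message.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):        # one physical line at a time: a folded
        for rx, f in compiled:             # header is seen as several lines
            if not rx.search(line):
                continue
            if f.action == "pass":
                out.append(line)
            elif f.action == "ignore":
                pass                       # matching line removed
            elif f.action == "replace":
                out.append(f.argument)
            elif f.action == "append":
                out.extend([line, f.argument])
            elif f.action == "prepend":
                out.extend([f.argument, line])
            elif f.action == "discard":
                return "discarded", f.argument   # text goes back to the sending mail server
            elif f.action == "reject":
                return "rejected", f.argument    # text goes back to the sender
            else:
                raise ValueError("unknown action %r" % f.action)
            break                          # first matching filter wins
        else:
            out.append(line)               # nothing matched: keep the line
    return "accepted", "\r\n".join(out) + sep + body


# Constructed sample message (not a real capture); Subject is folded over two lines.
SAMPLE = ("Received: from mx.example.net\r\n"
          "X-Originating-IP: [192.0.2.10]\r\n"
          "Subject: quarterly\r\n"
          " report (folded)\r\n"
          "X-Mailer: SomeClient 1.0\r\n"
          "\r\n"
          "body\r\n")

FILTERS = [
    HeaderFilter(r"^X-Originating-IP:", "ignore"),                        # drop internal address
    HeaderFilter(r"^Received:", "append", "X-Scanned-By: zcv-mail-hdr"),  # add a header after it
    HeaderFilter(r"^x-mailer:", "replace", "X-Mailer: (removed)", case_insensitive=True),
    # Never fires on SAMPLE: "report" sits on the continuation line, which the
    # filter sees as a separate line starting with a space.
    HeaderFilter(r"^Subject:.*report", "reject", "550 policy violation"),
]

if __name__ == "__main__":
    print(filter_headers(SAMPLE, FILTERS))
```

Note that Append after a folded header's first line would insert the new header between the folded lines and corrupt the original header; prefer Prepend, or anchor such filters on headers that are never folded.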

The mime module

The mime module inspects and filters MIME objects (that is, mail attachments). It can check the MIME headers that describe the objects for validity, and also call a virus filtering ZCV module to scan the object for viruses. The mime module supports only file mode. The module has the following parameters:

  • Maximum number of headers: The maximum number of headers permitted in a MIME object. The object is removed if it exceeds this limit.

  • Maximum length of a header: The maximum length of a header in characters, counted over the whole header including its continuation lines. The header is removed if it exceeds this limit.

  • Maximum length of a header line: The maximum length of a single header line in characters; it applies to every physical line of the header. The header is removed if it exceeds this limit.

  • Ignore invalid headers: If enabled, headers not complying with the related RFCs or violating the limits set in the previous options are automatically removed (dropped).

    Warning

    If Ignore invalid headers is disabled and an invalid header is found, the entire object (for example, e-mail) is rejected.

  • Silently drop rejected attachment: By default, the mime ZCV module replaces the removed objects (attachments) with the following note that informs the recipient of the message about the removed attachments: The original content of this attachment was rejected by local policy settings. If the Silently drop rejected attachment option is enabled, no note is added to the e-mail.

  • Enable rewriting messages: If it is disabled, the mime module does not modify the messages.

  • Set mime entity to append: The mime ZCV module can automatically add a MIME object to the inspected messages. To use this feature, verify that the Enable rewriting messages option is enabled, select Set mime entity to append, paste the MIME object into the appearing dialog box, and select OK.

Figure 14.8. Options of the mime module

To scan the actual MIME objects (for example, the attachments of an e-mail) for viruses, a special rule group called mime-data has to be created. Use this as the name of the rule group, and add a virus filtering module (for example, clamav) to it. When the mime module scans an e-mail message, it inspects the attachments, then passes each attachment to the mime-data rule group to be scanned for viruses. See Section 14.2.3, Routers and rule groups for details on creating rule groups.
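The following is an added example, not ZCV code, showing how the header limits and the Ignore invalid headers / Silently drop rejected attachment options above interact on a constructed two-part message whose attachment carries a 300-character header line. scrub_headers, process_message, replace_part and the choice to check only leaf parts are assumptions; the note text is the one quoted on this page.

```python
"""Per-part MIME header limits, modelling the options of the ZCV mime module.
Added example, not ZCV code; function names and part replacement are assumptions."""
import email
import re
from email.policy import compat32

NOTICE = "The original content of this attachment was rejected by local policy settings."
FIELD_NAME = re.compile(r"^[!-9;-~]+$")   # RFC 5322 field-name: printable ASCII except ':'


class InvalidObject(Exception):
    """The whole MIME object must be rejected."""


def scrub_headers(part, max_headers=64, max_header_len=4096, max_line_len=998,
                  ignore_invalid=True):
    """Enforce the limits on one part's header block; return the names dropped.
    Too many headers always rejects the object. A malformed or over-long header
    is dropped when ignore_invalid is set, otherwise the object is rejected."""
    items = list(part.items())           # compat32 keeps the folding newlines in values
    if len(items) > max_headers:
        raise InvalidObject("more than %d headers" % max_headers)
    dropped = []
    for name, value in items:
        field = name + ": " + str(value)
        bad = (not FIELD_NAME.match(name)
               or len(field) > max_header_len
               or any(len(line) > max_line_len for line in field.split("\n")))
        if bad:
            if not ignore_invalid:
                raise InvalidObject("invalid header %r" % name)
            del part[name]               # removes every header with this name
            dropped.append(name)
    return dropped


def replace_part(part, text):
    """Replace an attachment's content with a note, or with nothing (silent drop)."""
    for name in list(part.keys()):
        del part[name]
    part["Content-Type"] = "text/plain; charset=us-ascii"
    part.set_payload(text)


def process_message(raw, silent=False, **limits):
    """Return (rewritten message text, names of rejected attachments)."""
    msg = email.message_from_string(raw, policy=compat32)
    rejected = []
    for part in msg.walk():
        if part.is_multipart():
            continue                     # only leaf parts carry attachment data
        try:
            scrub_headers(part, **limits)
        except InvalidObject:
            rejected.append(part.get_filename() or part.get_content_type())
            replace_part(part, "" if silent else NOTICE)
    return msg.as_string(), rejected


# Constructed two-part message; the attachment carries a 300-character header line.
SAMPLE = ("From: a@example.com\nTo: b@example.com\nSubject: files\nMIME-Version: 1.0\n"
          'Content-Type: multipart/mixed; boundary="B"\n\n'
          "--B\nContent-Type: text/plain\n\nhello\n"
          "--B\nContent-Type: application/octet-stream\n"
          'Content-Disposition: attachment; filename="x.bin"\n'
          "X-Junk: " + "A" * 300 + "\n"
          "Content-Transfer-Encoding: base64\n\nAAAA\n--B--\n")

if __name__ == "__main__":
    print(process_message(SAMPLE, max_line_len=100, ignore_invalid=False)[0])
```

With Ignore invalid headers on, only the over-long X-Junk header disappears and the attachment survives; with it off, the whole attachment is replaced by the note (or by an empty text part when the silent option is set).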

The program module

The program module is a general wrapper for third-party applications capable of working in stream or file mode. The stream or file is passed to the application set in the Program field.

A single instance can include multiple filters; the order these filters are processed can be set using the arrow buttons.

A program module has the following parameters:

  • Program: It is the application to be executed.

  • Timeout: If the application set in the Program field does not return within this interval, it is assumed to be frozen.

  • The program may modify the data: The program may make changes to the data and return the modified version to ZCV.
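The following is an added example, not ZCV code: a Python wrapper with the three behaviours the program module's parameters describe, handing the data to an external program on standard input, treating a program that has not returned within Timeout as frozen, and taking the program's output as the new data only when it is allowed to modify it. The function run_program, its verdict strings and the mapping of a non-zero exit status to rejection are assumptions; the page only says the program is given the stream or file and may return a modified version. The three stand-in programs use the Python interpreter itself so the example runs anywhere.

```python
"""Wrapper modelling the ZCV program module's Program / Timeout / may-modify
parameters. Added example, not ZCV code; verdict mapping is an assumption."""
import subprocess
import sys


def run_program(argv, data, timeout, may_modify):
    """Return (verdict, data): verdict is "accept", "reject" or "frozen".
    When may_modify is True and the program accepts, its stdout replaces the data."""
    try:
        proc = subprocess.run(argv, input=data, capture_output=True,
                              timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        return "frozen", data            # subprocess.run has already killed the child
    if proc.returncode != 0:
        return "reject", data            # assumption: non-zero exit means "do not pass"
    return "accept", (proc.stdout if may_modify else data)


# Constructed stand-ins for third-party scanners (a real deployment names the binary).
UPPERCASER = [sys.executable, "-c",
              "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read().upper())"]
REJECTER = [sys.executable, "-c", "import sys; sys.exit(1)"]
HANGER = [sys.executable, "-c", "import time; time.sleep(30)"]

if __name__ == "__main__":
    print(run_program(UPPERCASER, b"abc", 10, True))
    print(run_program(HANGER, b"abc", 1, True))
```

The frozen case matters operationally: without the timeout a stuck scanner would hold the proxied connection open indefinitely, so the wrapper kills the child and returns the original data with a verdict the caller can turn into a reject.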

The stream editor (sed) module

The sed module is a stream editor capable of working in both stream and file mode. It scans the target stream and replaces the string to be found (specified as a regular expression) with another string.

Figure 14.9. The stream editor module

Warning

This module is similar to, but not identical with the common UNIX sed command.

A single instance can include multiple filters; the order these filters are processed can be set using the arrow buttons.

Figure 14.10. Filtering with the stream editor module

A filter has the following parameters:

  • Regular expression: The search string to be found in the stream. Regular expressions can be used; the Case insensitive option below applies to this expression.

  • Replacement: The Regular expression will be replaced with this string if found in the stream. The replacement can contain \n (n being a number from 1 to 9, inclusive) references, which refer to the portion of the match which is contained between the nth \( and its matching \). Also, the replacement can contain unescaped & characters which will reference the whole matched portion of the pattern space.

  • Global: Replace all occurrences of the search string. If it is not checked, the filter replaces only the first occurrence.

  • Case insensitive: Match the regular expression case-insensitively.
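The following is an added example, not the module's implementation, showing the replacement syntax the sed module and the mail-hdr Replace action share: \1 to \9 group references, unescaped & for the whole match, the Global flag and the Case insensitive flag. The functions stream_edit, _to_python_regex and _expand are assumptions; patterns are taken in the \( \) group notation the page uses, so the example converts that notation (and the other POSIX basic regular expression escapes \| \+ \? \{ \}) to Python's syntax and treats bare parentheses as literals, as a BRE does. The sample data is constructed.

```python
"""sed-style replacement (\\1..\\9, unescaped &, global, case-insensitive) on a
stream. Added example, not ZCV code; function names are assumptions."""
import re


def _to_python_regex(bre):
    r"""Convert BRE escapes \( \) \| \+ \? \{ \} to Python operators and escape
    the bare characters, which are literal in a BRE."""
    out, i = [], 0
    while i < len(bre):
        c = bre[i]
        if c == "\\" and i + 1 < len(bre) and bre[i + 1] in "()|+?{}":
            out.append(bre[i + 1])
            i += 2
        elif c in "()|+?{}":
            out.append("\\" + c)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _expand(repl, m):
    r"""Expand \n (1-9) and unescaped & against match m; \& is a literal
    ampersand and \\ a literal backslash."""
    out, i = [], 0
    while i < len(repl):
        c = repl[i]
        if c == "\\" and i + 1 < len(repl):
            nxt = repl[i + 1]
            if nxt.isdigit() and nxt != "0":
                out.append(m.group(int(nxt)) or "")   # unmatched group expands to ""
            else:
                out.append(nxt)
            i += 2
        elif c == "&":
            out.append(m.group(0))
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def stream_edit(data, regex, replacement, global_=False, case_insensitive=False):
    """Apply one sed-module filter to data and return the edited text."""
    rx = re.compile(_to_python_regex(regex), re.I if case_insensitive else 0)
    return rx.sub(lambda m: _expand(replacement, m), data, count=0 if global_ else 1)


# Constructed sample: an HTTP response head whose Server header leaks a version.
SAMPLE = ("Server: Apache/2.4.57 (Unix)\r\nX-Powered-By: PHP/8.1\r\n\r\n"
          "Hello world, hello again")

if __name__ == "__main__":
    # Keep the product name, drop the version: "Server: Apache (Unix)"
    print(stream_edit(SAMPLE, r"Server: \([A-Za-z]*\)/[0-9.]*", r"Server: \1"))
    # Bracket every "hello" regardless of case
    print(stream_edit(SAMPLE, "hello", "[&]", global_=True, case_insensitive=True))
```

Without Global only the first occurrence changes, and with Case insensitive off the capitalised "Hello" is left alone, which is easy to forget when a filter is meant to scrub every instance of a string from a response.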

The spamassassin module

The spamassassin module uses the Spamassassin spam filtering engine to examine incoming e-mails. It supports only the file mode.

Figure 14.11. The Spamassassin module

The module has the following parameters:

  • Policy-related options

    • Reject messages over the threshold: Reject a message only if its spam score exceeds the threshold set here. SpamAssassin itself classifies an e-mail as spam when its score is above required_score (5.0 by default). To minimize the impact of false positives, if the score calculated by SpamAssassin is over required_score but below the threshold, ZCV only marks the e-mail as spam and does not reject it. If the score is above the threshold, the e-mail is rejected.

    • Reject messages as spamd dictates: Reject all e-mails that SpamAssassin classifies as spam.

    • Add spam related headers to accepted messages: Append headers to the e-mail containing information about SpamAssassin, the spam status of the e-mail, and so on. Sample headers are presented below.

      X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on mailserver.example.com
      X-Spam-Level:
      X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.3

  • Server address

    • Local: SpamAssassin is running on the same host as ZCV. In this case, communication is performed through a UNIX domain socket.

    • Network: SpamAssassin is running on a remote machine. Specify its address and the port SpamAssassin is accepting connections in the Host and Port fields, respectively.

  • Other options

    • Profile name: The user under which SpamAssassin should filter e-mails. Default value: not set, the user running SpamAssassin is used (usually nobody).

    • Timeout: It is the timeout value for SpamAssassin.

The ModSecurity module

Zorp Professional already protects web servers with SSL termination: the HTTP proxy enforces that the HTTP protocol follows the RFC, and the Zorp Content Vectoring System modules, NOD32 and others, are responsible for virus filtering of the transferred content. These solutions can now be complemented with a web application-level security gateway module.

ModSecurity can be integrated into Zorp's HTTP proxy with the help of a Zorp Content Vectoring System (ZCV) module. It provides an additional, independent layer of protection for the web servers by analysing the transferred HTTP headers and data together and applying the relevant rule set (free: the OWASP ModSecurity Core Rule Set (CRS) Version 3; commercial: the Commercial Rules from Trustwave SpiderLabs). With this solution, malware and untrustworthy HTTP requests are usually blocked already on Zorp Professional and cannot reach the web server.