Each module available in ZCV has its own parameters that can be set separately for each module instance. Some modules also have global options that apply to all instances of that module; these are described together with the particular module.
The clamav module uses the Clam AntiVirus engine to examine incoming files. It supports only the file mode and only detects infected files; it does not attempt to disinfect them. Starting with Zorp 3.4, the module automatically scans archived files as well.
The HTML module can be used to filter various scripts and tags in HTML pages. It can operate both in file and stream modes.
The HTML module has the following options:
: Remove all JavaScripts. Enabling this option removes all javascript and script tags, and the conditional value prefixes (for example, onclick, onreset, and so on).
: Remove all ActiveX components. Enabling this option removes the applet tags and the classid value prefix.
: Remove all Java code references. Enabling this option removes the java: and application/java-archive inclusions, as well as the applet tags.
: Remove cascading stylesheet (CSS) elements. Enabling this option removes the single link tags, the style tags and options, as well as the class options.
: Custom filters can be added to remove certain elements of the HTML code using the button. The filter can remove the specified values from HTML tags, single tags, options and prefixes (specified through the combobox). The specifies the name of the tag/header to be removed.
The parameter has the following options:
: Remove everything between the specified tag and its closing tag. Embedded structures are also handled.
: Remove all occurrences of the specified single tag. A single tag is a tag that does not have a closing element, for example, img, hr, and so on.
: Remove options and their values, for example, width, and so on.
: Remove all options starting with the string set as . The on option will, for example, remove all options like onclick, and so on.
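As an added example (not ZCV's code), the following Python sketch implements the four filter kinds listed above with regular expressions, including the nesting-aware removal of a tag together with its content; the sample page and rule set are constructed.

```python
import re
# Added example, not ZCV code: a small filter modelled on the four custom filter kinds
# described above ("tag" removes an element with its content, nesting aware; "single"
# removes only the tag; "option" removes one attribute; "prefix" removes every
# attribute whose name starts with the given string).
def remove_tag(html, name):
    """Drop <name ...>...</name> including nested elements of the same name."""
    open_re = re.compile(r"<%s\b[^>]*>" % name, re.I)
    close_re = re.compile(r"</%s\s*>" % name, re.I)
    out, pos = [], 0
    while True:
        m = open_re.search(html, pos)
        if not m:
            return "".join(out) + html[pos:]
        out.append(html[pos:m.start()])
        depth, cur = 1, m.end()
        while depth:
            o, c = open_re.search(html, cur), close_re.search(html, cur)
            if not c:                       # unclosed element: drop to end of input
                return "".join(out)
            if o and o.start() < c.start():
                depth, cur = depth + 1, o.end()
            else:
                depth, cur = depth - 1, c.end()
        pos = cur
def remove_single(html, name):
    """Drop every <name ...> or <name .../> tag; surrounding text stays."""
    return re.sub(r"<%s\b[^>]*>" % name, "", html, flags=re.I)
def remove_option(html, name_pattern):
    """Drop attributes whose name matches name_pattern (quoted or bare values)."""
    attr = r"\s+%s\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)" % name_pattern
    return re.sub(attr, "", html, flags=re.I)
FILTER_KINDS = {
    "tag": remove_tag,
    "single": remove_single,
    "option": lambda h, n: remove_option(h, re.escape(n)),
    "prefix": lambda h, n: remove_option(h, re.escape(n) + r"\w*"),
}
def apply_filters(html, rules):
    """rules: ordered (kind, name) pairs, like the filter list of the HTML module."""
    for kind, name in rules:
        html = FILTER_KINDS[kind](html, name)
    return html
# Constructed sample page and rules resembling the JavaScript and custom filters.
SAMPLE = ('<p onclick="run()">Hi <b>there</b></p><script>a<b>b</b></script>'
          '<img src="a.png" width=10><hr>')
RULES = [("tag", "script"), ("single", "img"), ("prefix", "on"), ("option", "width")]
```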
Note: The HTML module is designed to process only text data. It cannot handle binary data, thus directing binary files to the module should be avoided.
The NOD32 module uses the NOD32 virus filtering engine to examine incoming files. It supports only the file mode.
The module has the following parameters:
: It enables or disables virus scanning on archived files.
: It enables or disables virus scanning on suspicious files (for example, suspicious files are often new variants of known viruses).
: It defines the level of heuristic (non-database based) sensitivity. The available levels are OFF, and NORMAL.
: It defines the maximum unpacked size (megabytes) of a single archive scanned. If a 2.5 MB .zip file, for example, contains a file that is 80 MB uncompressed, and the option is set to 10 MB, the file will not be scanned for viruses. However, if the option is set to 100 MB, ZCV will scan the file.
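As an added Python example (not NOD32 or ZCV code), the check below reproduces the unpacked-size decision on a constructed .zip: an archive of a few kilobytes that declares 20 MB uncompressed is skipped at a 10 MB limit and scanned at a 100 MB limit.

```python
import io
import zipfile
# Added example, not ZCV or NOD32 code: deciding whether an archive exceeds a maximum
# unpacked size before handing it to a scanner, as the option above describes. Sizes
# are first read from the central directory, then a bounded read caps how much is
# actually inflated, whatever the directory claims.
MB = 1024 * 1024

def declared_unpacked_size(data):
    """Total uncompressed size the archive's members claim, in bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())

def within_limit(data, max_unpacked_mb):
    """Return (ok, bytes_seen): read members in chunks and stop at the first byte
    past the limit, so at most limit + one chunk is ever inflated."""
    limit, total = max_unpacked_mb * MB, 0
    if declared_unpacked_size(data) > limit:
        return False, 0                       # cheap rejection from the directory alone
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(64 * 1024), b""):
                    total += len(chunk)
                    if total > limit:
                        return False, total
    return True, total

def should_scan(data, max_unpacked_mb):
    """True when the archive is within the limit and is therefore scanned."""
    return within_limit(data, max_unpacked_mb)[0]

def make_sample_zip(member_mb):
    """Constructed sample: a small .zip whose single member is member_mb MB of zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("big.bin", b"\0" * (member_mb * MB))
    return buf.getvalue()

SAMPLE_ZIP = make_sample_zip(20)             # kilobytes compressed, 20 MB unpacked
```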
Note: The ESET's NOD32 module tries to resolve the reverse host names of all locally assigned IP addresses on static, VLAN and TUN interfaces (except for loopbacks) for licensing purposes at ZCV startup. To ensure the fastest ZCV startup and restart, the reverse host names must be available through the DNS service or via the hosts file. If there is a DNS service but the reverse names are not available, quick
The mail-hdr module can filter and manipulate e-mail headers in both stream and file modes. It scans the incoming e-mail (stream or file) using regular expressions and deletes or modifies the matching headers. New headers can also be inserted into the mails.
Warning: E-mail headers are processed and manipulated line-by-line. However, a header can span multiple lines.
A single instance can include multiple filters; the order in which these filters are processed can be set using the arrow buttons. Each filter consists of a pattern, an action that is performed when the pattern is found, and an argument (for example, a replacement header). Note that not every action requires an argument.
A filter has the following parameters:
: It is the search string to be found in the headers. Regular expressions can be used. The following options are also available for regular expressions:
: It is the action to be performed on the header line or the whole message if the pattern is found in the message. The following actions are available:
Append: Add the argument of the filter as a new header line after the match.
Discard: Discard the entire e-mail message. The argument is returned to the mail server sending the message as an error message.
Ignore: Remove the matching header line from the message.
Pass: Accept the matching header line. This action can be used to create exceptions from other filter rules.
Prepend: Add the argument of the filter as a new header line before the match.
Reject: Reject the entire e-mail message. The argument is returned to the sender of the message as an error message.
Replace: Replace the matching header line with the argument of the filter.
: The will be replaced with this string if found in the stream. The replacement can contain \n (n being a number from 1 to 9, inclusive) references, which refer to the portion of the match which is contained between the nth \( and its matching \). Also, the replacement can contain unescaped & characters which will reference the whole matched portion of the pattern space.
: The case sensitive mode can be disabled by selecting this checkbox.
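The filter actions above, as an added Python example that is not ZCV code; the sed-style \n and & replacement syntax is the one described for the argument. It assumes, since the page does not say, that Pass and Ignore end rule evaluation for a line and that later rules see the result of a Replace; the headers and rules are constructed samples.

```python
import re
# Added example, not ZCV code: a mail-hdr style filter chain. Each filter is
# (pattern, action, argument, ignore_case) and filters run in list order on every
# header line. Assumed, as the page does not say: Pass and Ignore stop evaluation
# for that line, and later filters see the result of a Replace.
class MailRejected(Exception):
    pass                                      # text is the error sent to the peer
def to_py_repl(arg):
    """sed-style argument: unescaped & = whole match, \\& = literal &, \\1..\\9 as-is."""
    return re.sub(r"(?<!\\)&", r"\\g<0>", arg).replace(r"\&", "&")
def filter_headers(header_lines, filters):
    out = []
    for line in header_lines:
        before, after = [], []
        for pattern, action, arg, ignore_case in filters:
            rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
            if not rx.search(line):
                continue
            if action == "pass":              # explicit exception from later rules
                break
            if action == "ignore":            # drop the matching header line
                line = None
                break
            if action in ("discard", "reject"):
                raise MailRejected(arg)       # whole message refused
            if action == "append":
                after.append(arg)
            elif action == "prepend":
                before.append(arg)
            elif action == "replace":
                line = rx.sub(to_py_repl(arg), line, count=1)
        out.extend(before + ([line] if line is not None else []) + after)
    return out
def check_message(header_lines, filters):
    """Return (accepted, header_lines_or_error_text) for the caller to act on."""
    try:
        return True, filter_headers(header_lines, filters)
    except MailRejected as exc:
        return False, str(exc)
# Constructed sample headers and rules (hide internal hops, tag external subjects).
HEADERS = ["Received: from mx.example.com (constructed)", "X-Mailer: Sample 1.0",
           "Subject: hello", "X-Internal-Route: core-switch-01"]
FILTERS = [
    (r"^X-Internal-", "ignore", None, False),
    (r"^subject: (.*)", "replace", r"Subject: [EXT] \1", True),
    (r"^X-Mailer:.*", "replace", "& (logged)", False),
    (r"^Received:", "append", "X-Filtered: mail-hdr example", False),
    (r"^X-Spam-Flag: YES", "reject", "550 spam refused", False),
]
```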
The mime module inspects and filters MIME objects (that is, mail attachments). It can check the MIME headers that describe the objects for validity, and also call a virus filtering ZCV module to scan the object for viruses. The mime module supports only file mode. The module has the following parameters:
: It is the maximal number of headers permitted in a MIME object. The object is removed if it exceeds this limit.
: It is the maximal length of a header in characters. It applies to the total length of the header. The header is removed if it exceeds this limit.
: It is the maximal length of a header line in characters. It applies to every single line of the header. The header is removed if it exceeds this limit.
: If it is enabled, headers not complying with the related RFCs or violating the limits set in the previous options are automatically removed (dropped).
Warning: If is disabled and an invalid header is found, the entire object (for example, e-mail) is rejected.
: By default, the mime ZCV module replaces the removed objects (attachments) with the following note that informs the recipient of the message about the removed attachments: The original content of this attachment was rejected by local policy settings. If the option is enabled, no note is added to the e-mail.
: If it is disabled, the mime module does not modify the messages.
: The mime ZCV module can automatically add a MIME object to the inspected messages. To use this feature, verify that the option is enabled, select , paste the MIME object into the appearing dialog box, and select .
To scan the actual MIME objects (for example, the attachments of an e-mail) for viruses, a special rule group has to be created, called mime-data. Use this as the name of the rule group, and add a virus filtering module (for example, clamav) to this rule group. When the mime module is scanning an e-mail message, it inspects the attachments, then passes each attachment to the mime-data rule group to scan for viruses. See Section 14.2.3, Routers and rule groups for details on creating rule groups.
The program module is a general wrapper for third-party applications capable of working in stream or file mode. The stream or file is passed to the application set in the field.
A single instance can include multiple filters; the order these filters are processed can be set using the arrow buttons.
A program module has the following parameters:
: It is the application to be executed.
: If the application set in the field does not provide a return value within this interval, it is assumed to be frozen.
: The program may make changes to the data and return the modified version to ZCV.
The sed module is a stream editor capable of working in both stream and file mode. It scans the target stream and replaces the string to be found (specified as a regular expression) with another string.
Warning: This module is similar to, but not identical with, the common UNIX sed command.
A single instance can include multiple filters; the order these filters are processed can be set using the arrow buttons.
A filter has the following parameters:
: It is the search string to be found in the stream. Regular expressions can be used. The following options are also available for regular expressions:
: The will be replaced with this string if found in the stream. The replacement can contain \n (n being a number from 1 to 9, inclusive) references, which refer to the portion of the match which is contained between the nth \( and its matching \). Also, the replacement can contain unescaped & characters which will reference the whole matched portion of the pattern space.
: Replace all occurrences of the search string. If it is not checked, the filter replaces only the first occurrence of the string.
: Disable case sensitive mode.
The spamassassin module uses the Spamassassin spam filtering engine to examine incoming e-mails. It supports only the file mode.
The module has the following parameters:
Policy-related options
Reject messages over the threshold: Reject the message only if it is in spam status. By default, SpamAssassin rejects all e-mails with a spam status (called required_score in SpamAssassin terminology) higher than 5 as spam. However, to minimize the impact of false positive alarms, if the spam status of an e-mail (as calculated by SpamAssassin) is over the required_score but below the value set in threshold, ZCV only marks the e-mail as spam but does not reject it. If the spam status of an e-mail is above the threshold, it is automatically rejected.
Reject messages as spamd dictates: Reject all e-mails detected as spam by SpamAssassin.
Add spam related headers to accepted messages: Append headers to the e-mail containing information about SpamAssassin, the spam status of the e-mail, and so on. Sample headers are presented below.
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on mailserver.example.com
X-Spam-Level:
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.3
Server address
Local: SpamAssassin is running on the same host as ZCV. In this case, communication is performed through a UNIX domain socket.
Network: SpamAssassin is running on a remote machine. Specify its address and the port SpamAssassin is accepting connections in the and fields, respectively.
Other options
Profile name: The user under which SpamAssassin should filter e-mails. Default value: not set, the user running SpamAssassin is used (usually nobody).
Timeout: It is the timeout value for SpamAssassin.
Zorp Professional is already capable of protecting various web servers with SSL termination: the proxy controlling the HTTP protocol is responsible for enforcing the RFC, while the NOD32 and other modules of the Zorp Content Vectoring System are responsible for virus filtering of the transferred content. These solutions can now be complemented with a web application-level security gateway module.
ModSecurity can be integrated into Zorp's HTTP proxy with the help of the Zorp Content Vectoring System (ZCV) module. It provides an additional, independent level of protection for the web servers by analysing the transferred HTTP headers and data together and applying the relevant policies (free: 'OWASP ModSecurity Core Rule Set (CRS) Version 3', or professional: 'Commercial Rules from Trustwave SpiderLabs'). With this solution, malware and untrustworthy HTTP requests are usually blocked already on Zorp Professional and cannot reach the web server.
Published on May 30, 2024
© BalaSys IT Ltd.