[Nolug] web malware blocker

From: Joey Kelly <joey_at_joeykelly.net>
Date: Mon, 4 Oct 2004 16:08:54 -0500
Message-Id: <200410041608.54115.joey@joeykelly.net>

Y'all,

I've come up with an interesting project. As most of you know, it is possible
to filter for viruses on the mail server, using amavis-new and clamav with
postfix, for example. I would like to filter web traffic in a similar manner,
using available open source tools whenever possible.

The best setup would be to find a web proxy engine that allowed plugins, which
would enable me to write just the scanning plugin. I don't yet know if squid
(my preferred proxy) allows this.

The next best thing, in my mind, is to do something like amavis does for
sendmail. In that scenario, you run 2 copies of sendmail, with amavis sitting
between them, such that all email passes through amavis and whatever scanners
amavis is configured to use. Bringing this configuration over to my project,
I envision running 2 instances of squid on different ports, telling the
user-facing proxy (the one the browser is configured to use) to fetch
everything from an upstream proxy. In between the two, I run my malware
scanner. Remember, #3 is profit, but #2 is the hard part ;-)

Here are a few random thoughts...

Clamav can be run as a standalone daemon, accepting discrete files. It will
also scan a file or directory if you tell it to. It will give you a thumbs-up
or thumbs-down, the output of which can be used to feed bad URLs to a
blocklist which the internal copy of squid can make use of.

I'm worried about speed problems, but the cost of piping everything through a
scanner might be offset by the fact that we're running a cache, after all.

Web malware can be defined as virii, spyware, cross-site scripting, bad
javascript, etc. I wouldn't know how to scan for much except viruses, but
others can write plugins if we can come up with a working framework for
scanning web traffic.

Thanks for reading. All feedback is welcome. Help is even more welcome :-)

-- 
Joey Kelly
< Minister of the Gospel | Linux Consultant >
http://joeykelly.net
"I may have invented it, but Bill made it famous."
 --- David Bradley, the IBM employee that invented CTRL-ALT-DEL
___________________
Nolug mailing list
nolug@nolug.org
Received on 10/04/04
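As an added example (not code from the original post or from squid or clamav), here is a Python sketch of the "scanner in between" step described above: hand a fetched object to a clamd daemon over its INSTREAM socket protocol, read the verdict, and turn flagged URLs into lines for a squid url_regex ACL file. The clamd address, the ACL-file approach and the sample replies are assumptions or constructed inputs.

```python
import re
import socket
import struct

# Assumption: clamd listens on its default TCP port on the same host.
CLAMD_ADDR = ("127.0.0.1", 3310)

# Constructed sample replies in the form clamd returns for zINSTREAM (NUL-terminated).
SAMPLE_FOUND = "stream: Eicar-Test-Signature FOUND\0"
SAMPLE_OK = "stream: OK\0"


def scan_with_clamd(data: bytes, addr=CLAMD_ADDR) -> str:
    """Stream an object to clamd: 4-byte big-endian length + chunk, ended by a zero length."""
    with socket.create_connection(addr) as sock:
        sock.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), 4096):
            chunk = data[i:i + 4096]
            sock.sendall(struct.pack("!I", len(chunk)) + chunk)
        sock.sendall(struct.pack("!I", 0))
        return sock.recv(1024).decode("utf-8", "replace")


def parse_clamd_reply(reply: str):
    """Map 'stream: <sig> FOUND' / 'stream: OK' to ('infected', sig) / ('clean', None)."""
    reply = reply.rstrip("\0\n")
    if reply.endswith(" FOUND"):
        return ("infected", reply[:-len(" FOUND")].split(": ", 1)[1])
    if reply.endswith(" OK"):
        return ("clean", None)
    return ("error", reply)  # e.g. 'INSTREAM size limit exceeded. ERROR'


def blocklist_entry(url: str) -> str:
    """Anchored regex for one exact URL, one line of a squid url_regex ACL file."""
    return "^" + re.escape(url) + "$"


def update_blocklist(url: str, reply: str, blocklist: list) -> bool:
    """Append the URL's regex if clamd flagged the object; return True when blocked."""
    status, _sig = parse_clamd_reply(reply)
    if status != "infected":
        return False
    entry = blocklist_entry(url)
    if entry not in blocklist:
        blocklist.append(entry)
    return True


def is_blocked(url: str, blocklist: list) -> bool:
    """The check squid's url_regex ACL would make against the written list."""
    return any(re.match(pattern, url) for pattern in blocklist)
```

Writing the list to the ACL file (one regex per line) and running `squid -k reconfigure` makes the inner squid pick up new entries.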
