clamav?


Barry Kaplan

Feb 22, 2016, 11:07:48 AM2/22/16
to ossec-list
Anybody here using clamav? It seems the ossec rules for clamav depend on the syslog format. But clamav-daemon does not run as root, so really it can't scan much of anything. And the clamscan never writes to syslog and its output is in a different format than clamav-daemon. 

Not really an ossec question, but how is clamav useful if it cannot see most files?

Pedro S

Feb 22, 2016, 12:14:12 PM2/22/16
to ossec-list
Hi,

Maybe the clamav rules are out of date; the last update was 4 years ago, but Jesus Linares wrote a few improvements a few months ago (ClamAV rules).

If clamscan has a different format the decoders won't work properly, you can test the current decoders and rules using logtest:

/var/ossec/bin/ossec-logtest

Feel free to improve them or paste here some log example so we can figure out how to improve them.

Regards,

Pedro S.

Barry Kaplan

Feb 23, 2016, 3:10:34 AM2/23/16
to ossec-list
Looks like the clamav rules are just fine. 

Only the clamav daemon writes to syslog. So I added a rsyslog config:

# load the rsyslog file-input module and tail the clamscan log file
$ModLoad imfile
$InputFileName {{ clamav_scan_log_file }}
# syslog tag that the OSSEC clamd decoder keys on
$InputFileTag clamd:
# state file so rsyslog remembers how far it has read
$InputFileStateFile stat-{{ clamav_scan_log_file }}
$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor


Then some cron jobs to run clamscan on directories, eg (where I have the EICAR test signature file in /tmp):

clamscan --log=/var/log/clamav/clamav.log --no-summary --infected --remove=no --recursive=yes /tmp

And magically I get alerts in OSSEC. Very very nice.

Jesus Linares

Feb 23, 2016, 5:10:29 AM2/23/16
to ossec-list
Hi Barry,

It seems your solution is working, but I'll give you other possible ways to write to syslog:
  • freshclam: edit /etc/clamav/freshclam.conf and set "LogSyslog yes"
  • clamscan: clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE --stdout | logger -i -t clamav
    • Example: clamscan --infected -r /usr/share/clamav-testfiles --log=/var/log/clamav/clamav.log --stdout | logger -i -t clamd
  • clamd: I think clamd writes to syslog by default.
Regards.
Jesus Linares.

Barry Kaplan

Feb 23, 2016, 6:08:01 AM2/23/16
to ossec-list

On Tuesday, February 23, 2016 at 3:40:29 PM UTC+5:30, Jesus Linares wrote:

> It seems your solution is working, but I'll give you other possible ways to write to syslog:
>   • freshclam: edit /etc/clamav/freshclam.conf and set "LogSyslog yes"

I had thought that freshclam (which is running as a service from the apt package) was already logging to syslog, but I see that it is not.

>   • clamscan: clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE --stdout | logger -i -t clamav

Very nice, I was not aware of logger. I will change over to this. (FYI, the ossec decoder expects the program to be 'clamd', not 'clamav'.)

>   • clamd: I think clamd writes to syslog by default.

Yes, this is what I started with, using clamdscan instead. But clamd runs as the clamav user, and hence did not have privs to see pretty much anything. I tried configuring apparmor to give it access to specified directories but that did not seem to work.

thanks much Jesus
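The pipeline the thread settles on is clamscan output, piped through `logger -t clamd`, landing in syslog and then matched by OSSEC's clamd decoder and rules. The script below models that path end to end so the two pitfalls discussed above can be seen on sample data: the decoder keys on the syslog program name `clamd` (so a `logger -t clamav` tag is silently ignored), and the high-severity rule keys on a trailing `FOUND`. This is an added example, not code from ossec-list, from Barry or Jesus, or from the OSSEC or ClamAV projects. The sample clamscan lines are constructed (the "Access denied. ERROR" wording approximates what clamdscan reports for a file clamd cannot read), the `to_syslog()` helper imitates only the header `logger -i -t` prepends, and the decoder and rule logic is a simplified stand-in for OSSEC's real decoder.xml and clam_av_rules.xml entries, whose ids, levels and match strings are not reproduced here.

```python
"""Model of the clamscan -> logger -> syslog -> OSSEC clamd decoder path.

Added example, not OSSEC or ClamAV project code. Rule levels, descriptions
and regexes below are simplified stand-ins, not OSSEC's actual rule set.
"""
import re

def to_syslog(msg, tag="clamd", pid=2231, host="scanhost",
              ts="Feb 23 03:05:01"):
    """Imitate the syslog line rsyslog writes for `logger -i -t <tag>`."""
    return f"{ts} {host} {tag}[{pid}]: {msg}"

# Classic BSD syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_syslog(line):
    """Return the header fields and message, or None if not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

# clamscan/clamdscan report lines look like "<path>: <verdict>", where the
# verdict is "OK", "<SignatureName> FOUND", or an error ending in "ERROR".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.+?): (?P<err>.+) ERROR$")

def clamd_rule(event):
    """Return an alert dict for one parsed event, or None.

    Stand-in for OSSEC's clamd decoder plus rules: the decoder only
    matches when the syslog program name starts with 'clamd', so lines
    tagged 'clamav' never reach the clamd rules (the point in the thread).
    """
    if not event or not event["prog"].startswith("clamd"):
        return None            # not decoded as clamd: no clamd rule applies
    msg = event["msg"]
    m = FOUND_RE.match(msg)
    if m:
        return {"level": 8, "description": "Virus detected",
                "path": m["path"], "signature": m["sig"]}
    m = ERROR_RE.match(msg)
    if m:
        # The failure mode Barry hit: clamd running as the clamav user
        # cannot open the file, so the scan reports an error, not a verdict.
        return {"level": 3, "description": "Scan error",
                "path": m["path"], "error": m["err"]}
    return None                # "OK" lines: decoded, but nothing to alert on

def alerts_from_log(text):
    """Run every line of a syslog excerpt through the decoder and rule."""
    return [a for a in (clamd_rule(parse_syslog(l))
                        for l in text.splitlines()) if a]

# Constructed clamscan output (not a real scan) for a /tmp holding EICAR.
CLAMSCAN_OUTPUT = [
    "/tmp/eicar.com: Eicar-Test-Signature FOUND",
    "/tmp/notes.txt: OK",
    "/root/secret.bin: Access denied. ERROR",
]

def demo():
    """Route the output through logger twice: right tag, then wrong tag."""
    good = "\n".join(to_syslog(l) for l in CLAMSCAN_OUTPUT)
    wrong = "\n".join(to_syslog(l, tag="clamav") for l in CLAMSCAN_OUTPUT)
    return alerts_from_log(good), alerts_from_log(wrong)

if __name__ == "__main__":
    with_clamd_tag, with_clamav_tag = demo()
    for alert in with_clamd_tag:
        print(alert)
    print("alerts with 'clamav' tag:", len(with_clamav_tag))
```

Running it prints two alerts for the `clamd`-tagged lines (the EICAR hit and the unreadable file) and none for the identical lines tagged `clamav`, which is exactly why the `logger -i -t clamd` form is the one to use. To check the real decoders rather than this stand-in, paste one of the generated syslog lines into `/var/ossec/bin/ossec-logtest` as Pedro suggests.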