Share on:

How to setup ICAP Filter for DLP and Antivirus protection with OpenIG

Introduction

Internet Content Adaptation Protocol (ICAP) - is a lightweight protocol that is generally used to implement virus scanning and content filtering.

Using ICAP filter in OpenIG allows checking whether the request payload contains malicious data.

Setup Filter

Sample OpenIG ICAP filter configuration is shown in the code snippet below.

{
	"type": "ConditionalFilter",
	"config": {
		"condition": "${not empty system['icap'] and (request.method == 'POST' or request.method == 'PUT')}",
		"delegate": {
			"type": "ICAP",
			"name": "icap-dlp",
			"config": {
				"server": "${system['icap']}",
				"service": "${empty system['icap.service'] ?  '' : system['icap.service']}",
				"rewrite": "${empty system['icap.rewrite'] ?  'true' : system['icap.rewrite']}",
				"connect_timeout": "${empty system['icap.connect_timeout'] ?  '5000' : system['icap.connect_timeout']}",
				"read_timeout": "${empty system['icap.read_timeout'] ?  '20000' : system['icap.read_timeout']}"
			}
		}
	}
}

There are serveral important system parameters:

Parameter Description Default value
icap ICAP connecton string, for example -Dicap=icap://localhost:1344 none
icap.service Service name for REQMOD command icap://localhost/srv_clamav ICAP/1.0 (Depends on DLP provider) /
icap.rewrite Deny sending content to the target service and return a response from the DLP service true
icap.connect_timeout Connection timeout to ICAP, ms 5000
icap.read_timeout ICAP response timeout, ms 20000


Testing Solution

Setup Test ICAP Server

For demo purposes we will use ICAP Docker image

Start ICAP service docker container

docker run --rm --name icap-server -p 1344:1344 toolarium/toolarium-icap-calmav-docker:0.0.1

Optional steps

Login into the container

docker exec -it icap-server /bin/bash

the configuration you will see under

more /etc/c-icap/c-icap.conf

view / tail access-log

tail -f /var/log/c-icap/access.log

view / tail server-log

tail -f /var/log/c-icap/server.log

test with c-icap client inside the container

c-icap-client -v -f entrypoint.sh -s "srv_clamav" -w 1024 -req http://request -d 5

stop service

docker stop icap-server

You can also view ICAP packages using tcpdump tool

sudo tcpdump -vvvs 10240 -l -A port 1344 or 8080 -i lo0

Getting Test Malicious File

Malicious test file can be downloaded here: https://www.eicar.org/?page_id=3950

Deny Content Mode (-Dicap.rewrite=true)

In this mode, the call to the target service is blocked with a denial of access to the client

$ curl -v -T ~/Downloads/eicar.com.txt --output -  http://localhost:8081
*   Trying ::1:8081...
* Connected to localhost (::1) port 8081 (#0)
> PUT /eicar.com.txt HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.72.0
> Accept: */*
> Content-Length: 68
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse


17:32:09.213 [http-bio-8081-exec-1] INFO  net.rfc3507.client.ICAPClient - 
### (SEND) ICAP REQUEST ###
REQMOD icap://localhost/srv_clamav ICAP/1.0
Host: localhost
User-Agent: Java-ICAP-Client/1.1
Allow: 204
Encapsulated: req-body=0

17:32:09.247 [http-bio-8081-exec-1] INFO  net.rfc3507.client.ICAPClient - 
### (RECEIVE) ICAP RESPONSE STATUS ###
ICAP/1.0 200 OK
17:32:09.247 [http-bio-8081-exec-1] INFO  net.rfc3507.client.ICAPClient - 
### (RECEIVE) HTTP RESPONSE HEADER ###
HTTP/1.0 403 Forbidden
Server: C-ICAP
Connection: close
Content-Type: text/html
Content-Language: en

< HTTP/1.1 403 Forbidden
< Connection: close
< Content-Language: en
< Server: C-ICAP
< Content-Type: text/html
< Content-Length: 428
< Date: Wed, 23 Mar 2022 14:32:09 GMT

<html>
 <head>
   <title>VIRUS FOUND</title>
</head>
<body>
<h1>VIRUS FOUND</h1>
You tried to upload/download a file that contains the virus: 
   <b> Win.Test.EICAR_HDB-1 </b>
<br>
The Http location is: 
<b>  - </b>
<p>
  For more information contact your system administrator
 <hr>
<p>
This message generated by C-ICAP service: <b> srv_clamav </b>
<br>Antivirus engine: <b> clamav-01032/26318 </b>
</p>
</body>
</html>

Deny Content Notification Mode (-Dicap.rewrite=false)

In this mode, the call to the target service is not blocked, and the service receives information about the result of the analysis in the request headers.

x-icap-message: OK
x-icap-status: 200
x-infection-found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
x-violations-found: 1
$curl -v -T ~/Downloads/eicar.com.txt --output -  http://localhost:8081
*   Trying ::1:8081...
* Connected to localhost (::1) port 8081 (#0)
> PUT /eicar.com.txt HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.72.0
> Accept: */*
> Content-Length: 68
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse

17:35:23.662 [http-bio-8081-exec-1] INFO  net.rfc3507.client.ICAPClient - 
### (RECEIVE) ICAP RESPONSE STATUS ###
ICAP/1.0 200 OK
17:35:23.662 [http-bio-8081-exec-1] INFO  net.rfc3507.client.ICAPClient - 
### (RECEIVE) HTTP RESPONSE HEADER ###
HTTP/1.0 403 Forbidden
Server: C-ICAP
Connection: close
Content-Type: text/html
Content-Language: en
 
17:35:23.672 [http-bio-8081-exec-1] INFO  org.forgerock.openig.decoration.capture.CaptureDecorator.capture._router - 
--- (request) id:3590943c-e3c7-4516-8ddf-d806364949e3-1 --->
PUT http://localhost:8081/eicar.com.txt HTTP/1.1
accept: */*
connection: keep-alive
content-length: 68
encapsulated: res-hdr=0
encapsulated: res-body=108
expect: 100-continue
host: localhost:8081
istag: CI0001-ChRmxAEiaz4ONpbclhkR0wAA
server: C-ICAP/0.4.4
user-agent: curl/7.72.0
X-Forwarded-Port: 443
X-Forwarded-Proto: https
x-icap-message: OK
x-icap-status: 200
x-infection-found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
x-violations-found: 1
 -
 Win.Test.EICAR_HDB-1
 0
 0
[entity]

< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: application/json
< Content-Length: 77
< Date: Wed, 23 Mar 2022 14:35:23 GMT
< 
* Connection #0 to host localhost left intact
{ "error": "Something gone wrong, please contact your system administrator."}

ICAP Denial of Service in -Dicap.rewrite=true Mode

In this mode, the call to the target service is not blocked with logging the cause of failure ERROR org.openidentityplatform.openig.filter.ICAPFilter

$ curl -v -T ~/Downloads/eicar.com.txt --output -  http://localhost:8081
*   Trying ::1:8081...
* Connected to localhost (::1) port 8081 (#0)
> PUT /eicar.com.txt HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.72.0
> Accept: */*
> Content-Length: 68
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse

17:54:37.255 [http-bio-8081-exec-1] ERROR org.openidentityplatform.openig.filter.ICAPFilter - net.rfc3507.client.ICAPException: java.net.ConnectException: Connection refused (Connection refused)
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: application/json
< Content-Length: 77
< Date: Wed, 23 Mar 2022 14:39:39 GMT
< 
* Connection #0 to host localhost left intact
{ "error": "Something gone wrong, please contact your system administrator."}

If you have any additional questions, feel free to ask us!