6 Replies Latest reply on Dec 12, 2013 2:47 PM by twisted_pony

    MWG 7 and custom ICAP log file creation.

    twisted_pony

      Hi,

      I have a client who is using a MWG 7 purely as an ICAP server...they are presenting documents via ICAP for AV scanning to it and it is working perfectly...passing clean content and blocking infected content.

      I am trying to write a separate custom user-defined log file (Custom.log) that will show ALL of the ICAP connections and codes for all of the ICAP connections to the MWG.

      I am using the default Log Handler to do this..it sits below the access.log

      This is the log header I am using:

      #time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name" "ICAP.ReqMod.ResponseHeader.Get" "ICAP.RespMod.ResponseHeader.Get"

      I have added "ICAP.ReqMod.ResponseHeader.Get" and "ICAP.RespMod.ResponseHeader.Get" into the events section of the relevant log rule..configured using a * wildcard...which should collect all?

      However, whilst the custom.log file displays the correct headers and is using the correct headers (I think?) and although I am sending files to the MWG via ICAP that I can see are being scanned by the AV engine...my custom.log file seems to have no ICAP additional information displayed..

      Can anyone describe how or where I am going wrong...or can show me how to achieve the above if I am way off:-)

      Thanks,

        • 1. Re: MWG 7 and custom ICAP log file creation.

          If I read this correctly, you are attempting to do header.get(*) ?

          I don't think that will work. You have to explicitly name each header you want.

          • 2. Re: MWG 7 and custom ICAP log file creation.
            twisted_pony

            Hi,

            Thanks for your help:-)

            All I am trying to do is grab all of the ICAP headers that are passed between the MWG and the ICAP client and put them into a log file, when traffic is passed between them.

            Do you know what I need to put into the events section of the rule?

            Thanks,

            • 3. Re: MWG 7 and custom ICAP log file creation.

              The ICAP request from the client would have to list each expected header from the client. There are very few that are ever used. Typically the only sent headers are:

              X-Client-IP

              X-Authenticated-User

              X-Authenticated-Groups

              But those are just a convention and are not commonly used with a custom ICAP client. They are usually used when another proxy is using MWG as an ICAP server. If there are any others that the client sends, you have to enumerate and capture each one specifically.

              For responses that are returned from MWG to the ICAP client, there are no automatic default ones that are returned back. Any header sent back in an ICAP response is going to be explicitly defined in the policy, which means you already know its value when it goes through the policy.

              For example, if you do a media type check and put the MediaType.EnsuredTypes into an ICAP header with Header.ICAP.response.add(X-Media-Type, List.ofMediaType.toString(EnsuredTypes))

              Then you could log the ensured MediaType field or the specific X-Media-Type header.

              So there's no way to capture all the headers with a *, but there are no unexpected values that you cannot account for because they are always explicitly added in the policy.

              • 4. Re: MWG 7 and custom ICAP log file creation.
                twisted_pony

                Hi eelsasser,

                Okay..thanks for the help so far:-)

                So wildcards are not to be used..okay.

                Seems that the headers sent by the ICAP client are quite limited then?

                So...

                As you can see from:

                #time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name" "ICAP.ReqMod.ResponseHeader.Get" "ICAP.RespMod.ResponseHeader.Get"

                I am collecting the source of the ICAP connection, and whether it is being blocked or not currently..if it is allowed I get a 0, if blocked I get a 1.

                What the client wants to see is a log file showing any ICAP codes (as shown below...I believe): I appreciate that some will never occur, and that others are not necessarily needed, but how can I achieve this using MWG 7?

                Code  Description
                100   Continue after ICAP preview.

                (2yz) Success codes:

                Code  Description
                204   No modifications needed.

                (4yz) Client error codes:

                Code  Description
                400   Bad request.
                404   ICAP Service not found.
                405   Method not allowed for service (e.g., RESPMOD requested for service that supports only REQMOD).
                408   Request timeout. ICAP server gave up waiting for a request from an ICAP client.

                (5yz) Server error codes:

                Code  Description
                500   Server error. Error on the ICAP server, such as "out of disk space".
                501   Method not implemented. This response is illegal for an OPTIONS request since implementation of OPTIONS is mandatory.
                502   Bad Gateway. This is an ICAP proxy and proxying produced an error.
                503   Service overloaded. The ICAP server has exceeded a maximum connection limit associated with this service; the ICAP client should not exceed this limit in the future.
                505   ICAP version not supported by server.

                I am assuming that I would not need "ICAP.ReqMod.ResponseHeader.Get" "ICAP.RespMod.ResponseHeader.Get" in the event section of the log rule?

                Thanks,

                • 5. Re: MWG 7 and custom ICAP log file creation.

                  Ahh.. the icap response status codes.

                  Those are not headers and they are not loggable as a property.
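Since MWG does not expose the ICAP status code as a loggable property (reply 5) and the only client-sent headers are the conventional X-Client-IP / X-Authenticated-User / X-Authenticated-Groups plus whatever the policy adds on the response, such as the X-Media-Type header from reply 3, the place to record the codes is the ICAP client side. The following is an added example, not code from the thread, from McAfee or from MWG: a small Python parser for the ICAP head section (start line and headers, in the RFC 3507 wire format) that turns one request/response exchange into a log record carrying the status code, its 1yz/2yz/4yz/5yz class, and the headers named in the thread. The sample exchange, hostname, addresses and user name are constructed for the example.

```python
"""Client-side ICAP exchange logger (added example, not MWG or McAfee code).

Parses the ICAP head section of a request and its response and emits one log
record per exchange, including the ICAP status code that MWG itself cannot
log as a property.  Only the ICAP head is parsed; the encapsulated HTTP
message and body are ignored.
"""
import re

# ICAP status codes with the descriptions quoted in the thread (RFC 3507).
ICAP_STATUS = {
    100: "Continue after ICAP preview",
    204: "No modifications needed",
    400: "Bad request",
    404: "ICAP Service not found",
    405: "Method not allowed for service",
    408: "Request timeout",
    500: "Server error",
    501: "Method not implemented",
    502: "Bad Gateway",
    503: "Service overloaded",
    505: "ICAP version not supported by server",
}

STATUS_LINE = re.compile(r"^ICAP/(\d\.\d) (\d{3}) ?(.*)$")
REQUEST_LINE = re.compile(r"^(REQMOD|RESPMOD|OPTIONS) (\S+) ICAP/(\d\.\d)$")


def parse_icap_head(raw: str) -> dict:
    """Parse the start line and headers of one ICAP message (request or response)."""
    head = raw.split("\r\n\r\n", 1)[0]          # ICAP head ends at the first blank line
    lines = head.split("\r\n")
    msg = {"headers": {}}
    m = STATUS_LINE.match(lines[0])
    if m:
        msg.update(kind="response", version=m.group(1),
                   status=int(m.group(2)), reason=m.group(3))
    else:
        m = REQUEST_LINE.match(lines[0])
        if m is None:
            raise ValueError(f"not an ICAP start line: {lines[0]!r}")
        msg.update(kind="request", method=m.group(1), uri=m.group(2),
                   version=m.group(3))
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed ICAP header: {line!r}")
        # Header names are case-insensitive; normalise them for lookup.
        msg["headers"][name.strip().lower()] = value.strip()
    return msg


def status_class(code: int) -> str:
    """Map a status code onto the 1yz/2yz/4yz/5yz groups listed in the thread."""
    return {1: "informational", 2: "success",
            4: "client-error", 5: "server-error"}.get(code // 100, "unknown")


def log_record(request: dict, response: dict) -> str:
    """One record per exchange in the quoted-field style of the custom.log header:
    client IP and user from the conventional request headers, then method,
    status code, its class, its description, and the policy-added X-Media-Type."""
    h = request["headers"]
    code = response["status"]
    desc = ICAP_STATUS.get(code) or response.get("reason") or "unknown"
    return (f'{h.get("x-client-ip", "-")} "{h.get("x-authenticated-user", "-")}" '
            f'{request["method"]} {code} {status_class(code)} "{desc}" '
            f'"{response["headers"].get("x-media-type", "-")}"')


# Constructed sample exchange: hostname, addresses and user are invented.
SAMPLE_REQUEST = (
    "REQMOD icap://mwg.example.invalid/reqmod ICAP/1.0\r\n"
    "Host: mwg.example.invalid\r\n"
    "X-Client-IP: 10.0.0.5\r\n"
    "X-Authenticated-User: alice\r\n"
    "Encapsulated: req-hdr=0, null-body=71\r\n"
    "\r\n"
    "GET http://www.example.com/report.pdf HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (                      # clean verdict, media type added by policy
    "ICAP/1.0 204 No Content\r\n"
    "ISTag: \"constructed-istag-1\"\r\n"
    "X-Media-Type: application/pdf\r\n"
    "Encapsulated: null-body=0\r\n"
    "\r\n"
)
SAMPLE_ERROR = (                         # client-error case from the code table
    "ICAP/1.0 404 ICAP Service not found\r\n"
    "Encapsulated: null-body=0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    req = parse_icap_head(SAMPLE_REQUEST)
    for raw in (SAMPLE_RESPONSE, SAMPLE_ERROR):
        print(log_record(req, parse_icap_head(raw)))
```

The record deliberately uses the thread's own field conventions (unquoted src_ip, quoted auth_user) so it can sit beside the MWG custom.log; the status description is taken from the table the client asked for, falling back to the reason phrase on the wire for any code not in that table.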

                  • 6. Re: MWG 7 and custom ICAP log file creation.
                    twisted_pony

                    Hi eelsasser,

                    I had a feeling that you were going to say that about the response codes.

                    Thanks for your help so far:-)

                    So...what I have done so far:

                    #time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name" "ICAP.ReqMod.ResponseHeader.Get" "ICAP.RespMod.ResponseHeader.Get"

                    So as it stands "ICAP.ReqMod.ResponseHeader.Get" can only be used with

                    X-Client-IP

                    X-Authenticated-User

                    X-Authenticated-Groups

                    Of which I already have the src_ip status_code for the source IP and auth_user for the authenticated user....so seems hardly worth it?

                    and "ICAP.RespMod.ResponseHeader.Get" is not of much use here..

                    I could do as you suggest and use:

                    MediaType.EnsuredTypes into an ICAP header with Header.ICAP.response.add(X-Media-Type, List.ofMediaType.toString(EnsuredTypes)) to check that the file presented was in fact the actual file type presented rather than just a renamed extension...and I could then use as you suggest the below in a log file

                    ensured MediaType field or the specific X-Media-Type header.

                    Is there a McAfee example of a rule set that does all the relevant logging of ICAP traffic that I could download and test? I seem to recall that there were some rulesets available for download, but I cannot remember where from?

                    Thanks,