HAWK
Introduction
Multi-cloud antivirus scanning API based on ClamAV and YARA for AWS S3, Azure Blob Storage and GCP Cloud Storage.
Features
- Microservice for scanning a stream with YARA and ClamAV
- Scans S3 Bucket Object
- Moves Clean S3 Objects to another S3 Bucket
- Quarantines Infected S3 Objects to another S3 Bucket
- ClamAV DB is auto-updated to the latest version
- [TODO] AZURE and GCP support
- [TODO] Merge Various YARA rules to one set
- [TODO] Auto Update YARA rules
- [TODO] Support Yextend
- [TODO] Improve Logging using logrus [https://github.com/antonfisher/nested-logrus-formatter]
- [TODO] Harden Image
API
Available API endpoints are:
POST /scanstream - scan a stream
POST -d '{"bucketname": $S3_BUCKET, "key": $S3_OBJECT }' /s3/scanfile - scan an S3 object
GET /ruleset/ - list all loaded rulesets
GET /ruleset/{ruleset} - list all rules from a loaded ruleset
GET /metrics - get metrics
GET /health - get health info
GET / - get index
Installation
Automated builds of the image are available on the registry and are the recommended method of installation.
docker pull cloudina/hawk:(imagetag)
The following image tags are available:
latest
- Most recent release of ClamAV with REST API
Quick Start
Run hawk docker image:
docker run -p 9000:9999 -itd --name hawk cloudina/hawk
Test that service detects common test virus signature:
HTTP
$ curl --data "@./testsamples/request/s3filescan" http://0.0.0.0:9000/s3/scanfile -H 'Content-Type: application/json'
{"filename":"stream","matches":[{"Rule":"Win.Test.EICAR_HDB-1","namespace":"","tags":null}],"status":"INFECTED"}
$ curl --data "@./testsamples/scanfiles/eicar" http://0.0.0.0:9000/scanstream -H 'Content-Type: application/json'
{"filename":"stream","matches":[{"Rule":"Win.Test.EICAR_HDB-1","namespace":"","tags":null}],"status":"INFECTED"}
$ curl --data "@./testsamples/scanfiles/hello.txt" http://0.0.0.0:9000/scanstream -H 'Content-Type: application/json'
{"filename":"stream","matches":[],"status":"CLEAN"}
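A small Python client for the two scan endpoints above, added here as an example and not part of the HAWK project. It assumes only the endpoint paths, the request body and the `{"filename","matches","status"}` response shape shown in this README; the function names, the `HAWK_URL` constant and the action labels are this example's own.

```python
"""Minimal client for the HAWK scan API (added example, not project code).

Assumes the /scanstream and /s3/scanfile endpoints and the JSON response
shape shown in the README; names below are this example's own.
"""
import json
import urllib.request

HAWK_URL = "http://0.0.0.0:9000"  # host port mapped in the Quick Start


def build_s3_scan_request(bucket: str, key: str) -> bytes:
    """Body for POST /s3/scanfile: the README's {"bucketname", "key"} document."""
    return json.dumps({"bucketname": bucket, "key": key}).encode()


def parse_scan_result(body: bytes) -> tuple:
    """Return (status, matched rule names) from a HAWK scan response.

    Fails closed: a malformed reply or an unknown status is reported as
    "ERROR" so a caller never treats it as CLEAN.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "ERROR", []
    status = doc.get("status")
    if status not in ("CLEAN", "INFECTED"):
        return "ERROR", []
    rules = [m.get("Rule", "") for m in doc.get("matches") or []]
    return status, rules


def decide_action(status: str) -> str:
    """Map a scan status onto the bucket workflow from the Features list."""
    return {"CLEAN": "move-to-clean-bucket",
            "INFECTED": "move-to-quarantine-bucket"}.get(status, "hold-and-alert")


def scan_stream(data: bytes, base_url: str = HAWK_URL) -> tuple:
    """POST raw bytes to /scanstream, mirroring the README's curl call."""
    req = urllib.request.Request(
        f"{base_url}/scanstream", data=data,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_scan_result(resp.read())
```

`scan_stream(open("testsamples/scanfiles/hello.txt", "rb").read())` against a running container should return `("CLEAN", [])`, and `decide_action` then yields the move-to-clean-bucket step.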
Networking
Port | Description
3310 | ClamD Listening Port
9999 | HAWK Container Port
Debug
For debugging the running container
docker exec -it (whatever your container name is e.g. hawk) /bin/ash
Build
For building
docker build -t (whatever your image name is e.g. hawk) .
Prebuild Image
docker pull cloudina/hawk
Acknowledgements
References