
| Subject: | Re: [Snort-users] Blocking virus with snort inline 2.6.1.5 |
|---|---|
| Date: | Mon, 24 Sep 2007 18:17:38 +0200 |
With these rules it is the same result, nothing is blocked:
iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
Will Metcalf wrote:
What about your RELATED,ESTABLISHED traffic, doesn't that need to be sent to the QUEUE as well?
Regards,
Will
On 9/22/07, carlopmart <carlopmart@gmail.com> wrote:
Hi all,
After setting up and solving my problems (thanks to all) with snort inline version 2.6.1.5, I will try to do some tests to block viruses across the http service.
I put this line on snort.conf:
preprocessor clamav: ports all !22 !443, toclientonly, action-drop, dbdir /var/clamav, dbreload-time 43200
before preprocessor http_inspect. My iptables rule to pass control to snort inline is:
iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
I have tried to block the eicar virus (http://www.eicar.org/download/eicar.com) without luck.
What am I doing wrong???
Many thanks.
-- CL Martinez carlopmart {at} gmail {d0t} com
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please, any hints about this??
P.S.: I have attached my snort.conf
--
CL Martinez
carlopmart {at} gmail {d0t} com
# example Snort_inline configuration file
# Last modified 26 October, 2005
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#
### Network variables
var HOME_NET 172.25.50.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS 172.25.50.15
#var TELNET_SERVERS
var HTTP_SERVERS 172.25.50.13
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 172.25.50.1
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort_inline
# Various config options
#config layer2resets
###################################################
# Step #2: Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
###################################################
# Step #3: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, \
    memcap 134217728, timeout 3600, truncate, window_size 3000, \
    disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor stickydrop: max_entries 3000, log
preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
preprocessor stickydrop-ignorehosts: 172.25.50.0/24
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, \
    dbreload-time 43200
preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } \
    oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 \
    alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes \
    telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000
####################################################################
# Step #4: Configure output plugins
#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
####################################################################
# Step #6: Customize your rule set
#include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/community-bot.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/web-client.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/virus.rules
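An added example, not from this thread or the Snort project: a small Python audit of iptables rules like the ones quoted above, flagging the gap Will Metcalf raised. snort_inline only inspects packets that iptables hands to the QUEUE target, so a rule limited to --state NEW queues the opening SYN and nothing else, and the ESTABLISHED packets carrying the HTTP response (the data the clamav preprocessor would scan) bypass the sensor; the chains and sample rules are those named in the thread, and the check does not explain why the corrected rules still pass the file.

```python
# Added example (not from the thread or the Snort project): audit iptables
# rules for QUEUE coverage.  snort_inline sees only what iptables queues; a
# rule limited to --state NEW hands over the opening SYN, so the ESTABLISHED
# packets carrying the HTTP response never reach the clamav preprocessor.
import shlex

# On a bridge (br0) both chains matter: FORWARD for bridged traffic, INPUT
# for traffic addressed to the sensor itself.
CHAINS = ("INPUT", "FORWARD")


def parse_rule(line):
    """Extract chain, target and --state set from one 'iptables -A ...' line."""
    argv = shlex.split(line)
    rule = {"chain": None, "target": None, "states": None}
    for i, tok in enumerate(argv[:-1]):
        if tok == "-A":
            rule["chain"] = argv[i + 1]
        elif tok == "-j":
            rule["target"] = argv[i + 1]
        elif tok == "--state":
            rule["states"] = set(argv[i + 1].upper().split(","))
    return rule


def audit(ruleset):
    """Return findings (strings) for a ruleset given as one rule per line."""
    queued = {chain: [] for chain in CHAINS}
    for line in ruleset.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["target"] == "QUEUE" and rule["chain"] in queued:
            queued[rule["chain"]].append(rule)
    findings = []
    for chain in CHAINS:
        if not queued[chain]:
            findings.append(f"{chain}: no QUEUE rule, nothing on this chain reaches snort_inline")
        for rule in queued[chain]:
            states = rule["states"]
            if states is not None and "ESTABLISHED" not in states:
                findings.append(f"{chain}: QUEUE rule limited to {','.join(sorted(states))}, "
                                "ESTABLISHED packets (the HTTP response) bypass snort_inline")
    return findings


# Constructed samples: the thread's first rule, and the corrected pair.
ORIGINAL = "iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE\n"
CORRECTED = ("iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE\n"
             "iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE\n")
```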