Network Security Snort-Users

Re: [Snort-users] Blocking virus with snort inline 2.6.1.5

Subject: Re: [Snort-users] Blocking virus with snort inline 2.6.1.5
Date: Mon, 24 Sep 2007 12:56:08 -0500
should be fine.....  Are you by chance going through a proxy server?

Regards,

Will

On 9/24/07, Joel Esler <joel.esler@sourcefire.com> wrote:
 Having never worked with the Clamav preprocessor..  Can you do that?
ports all !22 !443?

Joel


On Sep 24, 2007, at 12:17 PM, carlopmart wrote:

carlopmart wrote:
With these rules it is the same result, nothing is blocked:
iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
Will Metcalf wrote:
What about your RELATED,ESTABLISHED traffic, doesn't that need to be
sent to the QUEUE as well?

Regards,

Will

On 9/22/07, carlopmart <carlopmart@gmail.com> wrote:
Hi all,

  After setting up and solving my problems (thanks to all) with snort
inline version 2.6.1.5, I will try to do some tests to block viruses
across the http service.

  I put this line on snort.conf:

  preprocessor clamav: ports all !22 !443, toclientonly, action-drop,
dbdir /var/clamav, dbreload-time 43200

  before preprocessor http_inspect. My iptables rule to pass control to
snort inline is:

iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE

  I have tried to block the eicar virus
(http://www.eicar.org/download/eicar.com) without luck.

  What am I doing wrong???

  Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





Please any hints about this??

P.S.: I have attached my snort.conf
--
CL Martinez
carlopmart {at} gmail {d0t} com
# example Snort_inline configuration file
# Last modified 26 October, 2005
#
# Standard Snort configuration file modified for inline
# use.  Most preprocessors currently do not work in inline
# mode, as such they are not included.
#

### Network variables
var HOME_NET 172.25.50.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS 172.25.50.15
#var TELNET_SERVERS
var HTTP_SERVERS 172.25.50.13
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 172.25.50.1

var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22

var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort_inline

# Various config options
#config layer2resets


###################################################
# Step #2: Configure dynamic loaded libraries

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so


###################################################
# Step #3: Configure preprocessors

preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
 truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor stickydrop: max_entries 3000, log
preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
preprocessor stickydrop-ignorehosts: 172.25.50.0/24
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
 cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
 alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000


####################################################################
# Step #4: Configure output plugins

#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast

# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config


####################################################################
# Step #6: Customize your rule set

#include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/community-bot.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/web-client.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/virus.rules


--
joel esler
http://demo.sourcefire.com/jesler.pgp.key






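An added model of the state-match point Will raises in the thread, not code from the thread or from Snort: it parses the iptables rule and the clamav preprocessor line quoted above and checks whether the packet carrying the downloaded file body can reach the clamav scan at all. The inputs are constructed from the thread; the packet-state assumption is standard conntrack behaviour (only the first SYN is NEW, the reply is ESTABLISHED), and the model says nothing about the proxy question raised afterwards.

```python
import re

def parse_iptables_rule(rule):
    """Return (states, target) from an iptables rule that uses '-m state'."""
    states = re.search(r"--state\s+([A-Z,]+)", rule)
    target = re.search(r"-j\s+(\S+)", rule)
    return (set(states.group(1).split(",")) if states else set(),
            target.group(1) if target else None)

def parse_clamav_line(line):
    """Parse the scan-selection options of a 'preprocessor clamav:' line."""
    opts = {"ports": "all", "excluded": set(), "toclientonly": False}
    for item in line.split(":", 1)[1].split(","):
        toks = item.split()
        if toks and toks[0] == "ports":
            opts["excluded"] = {int(t[1:]) for t in toks[1:] if t.startswith("!")}
            opts["ports"] = {int(t) for t in toks[1:] if t.isdigit()} or "all"
        elif toks and toks[0] == "toclientonly":
            opts["toclientonly"] = True
        # action-drop, dbdir and dbreload-time do not change what gets scanned
    return opts

# Constructed packet: the HTTP reply carrying the file body.  Only the
# client's first SYN is NEW to conntrack; everything after it, including this
# reply, is ESTABLISHED traffic flowing from server to client.
BODY_PACKET = ("server->client", "ESTABLISHED")

def body_reaches_clamav(iptables_rule, clamav_line, server_port=80):
    """True only if the body packet is queued to snort_inline AND the clamav
    options select its port and direction for scanning."""
    states, target = parse_iptables_rule(iptables_rule)
    opts = parse_clamav_line(clamav_line)
    direction, state = BODY_PACKET
    if target != "QUEUE" or state not in states:
        return False  # netfilter never queues it, so snort cannot see it
    if server_port in opts["excluded"] or (
            opts["ports"] != "all" and server_port not in opts["ports"]):
        return False
    return direction == "server->client" or not opts["toclientonly"]

ORIGINAL_RULE = "iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE"
FIXED_RULE = ("iptables -A FORWARD -i br0 -p 0 -m state "
              "--state NEW,RELATED,ESTABLISHED -j QUEUE")
CLAMAV = ("preprocessor clamav: ports all !22 !443, toclientonly, action-drop, "
          "dbdir /var/clamav, dbreload-time 43200")
```

With the original NEW-only rule the body packet is never queued, so no clamav option can make it scanned; with the NEW,RELATED,ESTABLISHED rule it is queued and, on port 80 toward the client, selected for scanning.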
