Snort mailing list archives
snort 2.4.3 Clamav problems
From: Lezgin Bakircioglu <lerra82 () gmail com>
Date: Thu, 11 May 2006 10:30:54 +0200
Hi, I have a huge problem that I have struggled with for 4 days now and I am going crazy. The problem is that it only finds the virus that I am trying to download from port 21 and not 80 and 139. It worked 1-2 weeks ago for all ports, but now I have no idea what I did wrong; the output of snort says that it is listening on all ports both for stream4 and clamav, but it does not trigger.
I have a snort 2.4.3 with the spade and Clamav patches applied; this is how I installed it:
tar zxfv snort-2.4.3.tar.gz
cd snort-2.4.3
patch -p1 < ../../spade-2.4.3.diff
patch -p1 < ../../snort-2.4.3-clamonly.diff
autoconf -f
./configure --enable-clamav
sh autojunk.sh
make

Failed compilation, so I added spp_clamav.$(OBJEXT) to am_libspp_a_OBJECTS (line 129).
make
make install

This is my snort.conf:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.1$
var RULE_PATH ../rules
config disable_decode_alerts
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both, ports all
preprocessor clamav: ports all, toclientonly, dbdir /var/lib/clamav, dbreload-t$
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor xlink2state: ports { 25 691 }
include classification.config
include reference.config

This is the output of snort -c snort.conf -i eth0 -A console:

Running in IDS mode

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
WARNING snort.conf.ba(19) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
ClamAV config:
    Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
    Virus definitions dir: '/var/lib/clamav'
    Virus DB reload time: '43200'
    Scan only traffic to the client
    File descriptor scanning mode: Enabled, using cl_scandesc
    Directory for tempfiles (file descriptor mode): '/tmp'
LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
X-Link2State Config:
    Ports: 25 691
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->drop->alert->pass->log
Log directory = /var/log/snort

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.3 (Build 26)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
      The default logging mode is now PCAP, use "-K ascii" to activate
      the old default logging mode.

The machine that I am running on is my gateway that NATs me out; on the external network I have SMB/FTP and WWW services that are sharing a known test virus clamav triggers on. A traceroute to the machine shows me that I am going the right way. The running kernel is 2.6.16 and the distribution is Debian sarge 3.1.
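An added example, not code from the original post or from Snort itself: the posted snort.conf enables the clamav preprocessor with "ports all, toclientonly" and stream4_reassemble with "both, ports all". The clamav preprocessor only ever sees payload that stream4 has reassembled, so the two lines have to agree on ports and direction; when they drift apart (for instance after an edit that narrows reassembly to a few ports or to one side of the stream) the preprocessor silently stops scanning the affected traffic. The script below parses preprocessor lines (joining backslash continuations) and checks that dependency, once for the three lines as posted and once for a constructed weaker variant. The semantics it relies on are assumptions taken from the Snort 2.4 manual and the README of the clamav patch, not from the post: stream4_reassemble accepts clientonly / serveronly / both (clientonly when omitted) and "ports all | default | <list>"; the clamav preprocessor accepts "ports all | <list>" plus optional toclientonly / toserveronly; and data flowing to the client is the server side of the stream, so toclientonly needs serveronly or both. The PAGE_CONF and WEAK_CONF strings are embedded sample input.

```python
"""Lint the stream4_reassemble / clamav preprocessor pairing of a Snort 2.4
snort.conf.  Added example; the option semantics below are assumptions
taken from the Snort 2.4 manual and the clamav patch README, not from
the post (see the lead-in)."""
import re

REASM_DIRS = {"clientonly", "serveronly", "both"}
CLAMAV_DIRS = {"toclientonly", "toserveronly"}
# Which stream4_reassemble direction satisfies each clamav direction
# (assumption: traffic "to the client" is the server side of the stream).
NEEDED_REASM = {
    "toclientonly": {"serveronly", "both"},
    "toserveronly": {"clientonly", "both"},
    None: {"both"},                       # clamav scanning both ways
}

# The three relevant lines as posted (the truncated dbreload option omitted).
PAGE_CONF = """\
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both, ports all
preprocessor clamav: ports all, toclientonly, dbdir /var/lib/clamav
"""

# Constructed weaker variant: client-side reassembly of two ports only.
WEAK_CONF = """\
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: clientonly, \\
    ports 21 23
preprocessor clamav: ports 21 80 139, toclientonly, dbdir /var/lib/clamav
"""


def preprocessor_lines(conf):
    """Yield (name, args) for every preprocessor line, continuations joined."""
    joined = re.sub(r"\\\s*\n", " ", conf)
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("preprocessor "):
            continue
        name, _, args = line[len("preprocessor "):].partition(":")
        yield name.strip(), args.strip()


def parse_options(args):
    """'both, ports 21 23' -> {'both': '', 'ports': '21 23'}."""
    opts = {}
    for chunk in args.split(","):
        words = chunk.split()
        if words:
            opts[words[0]] = " ".join(words[1:])
    return opts


def parse_ports(spec):
    """'all' -> None (every port); '21 23' -> {21, 23}; 'default' -> 'default'."""
    words = spec.split()
    if not words or words[0] == "all":
        return None
    if words[0] == "default":
        return "default"          # Snort's built-in list, not reproduced here
    return {int(w) for w in words if w.isdigit()}


def fmt(ports):
    return ", ".join(str(p) for p in sorted(ports))


def lint(conf):
    """Return a list of findings; an empty list means clamav and stream4 agree."""
    pre = {name: parse_options(args) for name, args in preprocessor_lines(conf)}
    clam = pre.get("clamav")
    if clam is None:
        return ["no clamav preprocessor line found"]
    reasm = pre.get("stream4_reassemble")
    if reasm is None:
        return ["clamav enabled but stream4_reassemble is missing: "
                "nothing is reassembled, so nothing is scanned"]
    findings = []

    # Direction: the side clamav scans must be a side stream4 reassembles.
    reasm_dir = next((k for k in reasm if k in REASM_DIRS), "clientonly")
    clam_dir = next((k for k in clam if k in CLAMAV_DIRS), None)
    if reasm_dir not in NEEDED_REASM[clam_dir]:
        findings.append(f"clamav scans {clam_dir or 'both directions'} but "
                        f"stream4_reassemble is {reasm_dir}")

    # Ports: every port clamav scans must be reassembled by stream4.
    clam_ports = parse_ports(clam.get("ports", "all"))      # assumed default
    reasm_ports = parse_ports(reasm.get("ports", "default"))
    if reasm_ports == "default":
        findings.append("stream4_reassemble uses its built-in default port "
                        "list; confirm it covers the clamav ports")
    elif reasm_ports is not None:
        if clam_ports is None:
            findings.append("clamav scans all ports but stream4 only "
                            "reassembles " + fmt(reasm_ports))
        elif clam_ports - reasm_ports:
            findings.append("clamav ports not reassembled by stream4: "
                            + fmt(clam_ports - reasm_ports))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted config", PAGE_CONF), ("weak config", WEAK_CONF)):
        print(f"{label}: {lint(conf) or ['OK']}")
```

Run against the posted lines the lint is clean, which matches the startup banner on the page (both reassembly sides ACTIVE, ClamAV ports 0..., "Scan only traffic to the client"); the weak variant reports both a direction mismatch and ports 80 and 139 that are never reassembled. The check says nothing about why a clean configuration still fails to alert; it only rules out the one dependency a snort.conf edit can quietly break.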