Re: Blocking virus with snort inline 2.6.1.5

["Will Metcalf" <william.metcalf () gmail com>]

What about your RELATED,ESTABLISHED traffic, doesn't that need to be
sent to the QUEUE as well?

Regards,

Will

On 9/22/07, carlopmart <carlopmart () gmail com> wrote:
> Hi all,
>
>   After setting up and solve my problems (thanks to all) with snort
> inline version 2.6.1.5, I will try to do some tests for block virus
> across http service.
>
>   I put this line on snort.conf:
>
>   preprocessor clamav: ports all !22 !443, toclientonly, action-drop,
> dbdir /var/clamav, dbreload-time 43200
>
>   before preprocessor http_inspect. My iptables rule to pass control to
> snort inline is:
>
> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>
>   I have try to block eicar virus
> (http://www.eicar.org/download/eicar.com) without luck.
>
>   What am I doing wrong???
>
>   Many thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users