Snort mailing list archives
Re: Blocking virus with snort inline 2.6.1.5
From: carlopmart <carlopmart () gmail com>
Date: Mon, 24 Sep 2007 18:17:38 +0200
carlopmart wrote:
> With these rules the result is the same, nothing is blocked:
>
> iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
> iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
>
> Will Metcalf wrote:
> > What about your RELATED,ESTABLISHED traffic, doesn't that need to be sent to the QUEUE as well?
> >
> > Regards,
> >
> > Will
> >
> > On 9/22/07, carlopmart <carlopmart () gmail com> wrote:
> > > Hi all,
> > >
> > > After setting up and solving my problems (thanks to all) with snort inline version 2.6.1.5, I will try to do some tests for blocking viruses across the http service. I put this line in snort.conf:
> > >
> > > preprocessor clamav: ports all !22 !443, toclientonly, action-drop, dbdir /var/clamav, dbreload-time 43200
> > >
> > > before preprocessor http_inspect. My iptables rule to pass control to snort inline is:
> > >
> > > iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
> > >
> > > I have tried to block the eicar virus (http://www.eicar.org/download/eicar.com) without luck. What am I doing wrong???
> > >
> > > Many thanks.
> > >
> > > --
> > > CL Martinez
> > > carlopmart {at} gmail {d0t} com
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by: Microsoft
> > > Defy all challenges. Microsoft(R) Visual Studio 2005.
> > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please, any hints about this??

P.S.: I have attached my snort.conf

--
CL Martinez
carlopmart {at} gmail {d0t} com
# example Snort_inline configuration file
# Last modified 26 October, 2005
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#
### Network variables
var HOME_NET 172.25.50.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS 172.25.50.15
#var TELNET_SERVERS
var HTTP_SERVERS 172.25.50.13
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 172.25.50.1
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort_inline

# Various config options
#config layer2resets

###################################################
# Step #2: Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

###################################################
# Step #3: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
    truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor stickydrop: max_entries 3000, log
preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
preprocessor stickydrop-ignorehosts: 172.25.50.0/24
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000

####################################################################
# Step #4: Configure output plugins
#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast

# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

####################################################################
# Step #6: Customize your rule set
#include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/community-bot.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/web-client.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/virus.rules
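A checker for the two conditions Will Metcalf's reply points at, added here as an example and not part of the thread or of snort_inline itself: it parses the iptables rule lines and the clamav preprocessor line quoted in the messages above and reports whether the server-to-client HTTP response carrying the test file would ever reach the scanner. It assumes a simplified model (the response packets are in conntrack state ESTABLISHED, and a packet is queued only if its state is listed on that chain); all function names are hypothetical helpers.

```python
import re

# Constructed sample inputs, copied from the thread: the first rule set
# (NEW only) and the corrected one (NEW,RELATED,ESTABLISHED), plus the
# clamav preprocessor line from the original post.
RULES_ORIGINAL = [
    "iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE",
]
RULES_FIXED = [
    "iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE",
    "iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE",
]
CLAMAV_LINE = ("preprocessor clamav: ports all !22 !443, toclientonly, "
               "action-drop, dbdir /var/clamav, dbreload-time 43200")

def parse_iptables(rules):
    """Map chain -> set of conntrack states handed to the QUEUE target."""
    queued = {}
    for rule in rules:
        m = re.match(r"iptables -A (\w+) .*?--state ([\w,]+) -j QUEUE", rule)
        if m:
            queued.setdefault(m.group(1), set()).update(m.group(2).split(","))
    return queued

def parse_clamav(line):
    """Return (port predicate, toclientonly flag) from a clamav preprocessor line."""
    opts = [o.strip() for o in line.split(":", 1)[1].split(",")]
    tokens = next(o for o in opts if o.startswith("ports")).split()[1:]
    scan_all = "all" in tokens
    excluded = {int(t[1:]) for t in tokens if t.startswith("!")}
    included = {int(t) for t in tokens if t.isdigit()}
    def in_scope(port):
        return port not in excluded and (scan_all or port in included)
    return in_scope, "toclientonly" in opts

def packet_is_scanned(rules, clamav_line, chain, port, state, to_client):
    """True only if the packet is queued to snort_inline AND clamav inspects it.
    Assumed model: a packet is queued when its conntrack state is listed on the
    chain; clamav scans it when the port is in scope and, with toclientonly set,
    only for server->client data."""
    queued = parse_iptables(rules)
    in_scope, to_client_only = parse_clamav(clamav_line)
    if state not in queued.get(chain, set()):
        return False   # never leaves the kernel, so snort_inline cannot drop it
    if to_client_only and not to_client:
        return False
    return in_scope(port)

def eicar_response_is_scanned(rules, clamav_line=CLAMAV_LINE):
    """The HTTP response carrying the test file: ESTABLISHED, server->client, port 80."""
    return packet_is_scanned(rules, clamav_line, "FORWARD", 80, "ESTABLISHED", True)
```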
Current thread:
- Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 22)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 22)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 23)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 Joel Esler (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 (more info) carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 23)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 22)