Snort mailing list archives
Re: Blocking virus with snort inline 2.6.1.5
From: Joel Esler <joel.esler () sourcefire com>
Date: Mon, 24 Sep 2007 12:28:25 -0400
Having never worked with the Clamav preprocessor.. Can you do that? ports all !22 !443?

Joel

On Sep 24, 2007, at 12:17 PM, carlopmart wrote:
> carlopmart wrote:
>> With these rules the result is the same, nothing is blocked:
>>
>> iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
>>
>> Will Metcalf wrote:
>>> What about your RELATED,ESTABLISHED traffic, doesn't that need to be sent to the QUEUE as well?
>>>
>>> Regards,
>>> Will
>>>
>>> On 9/22/07, carlopmart <carlopmart () gmail com> wrote:
>>>> Hi all,
>>>>
>>>> After setting up and solving my problems (thanks to all) with snort inline version 2.6.1.5, I will try to do some tests to block viruses across the http service. I put this line in snort.conf:
>>>>
>>>> preprocessor clamav: ports all !22 !443, toclientonly, action-drop, dbdir /var/clamav, dbreload-time 43200
>>>>
>>>> before preprocessor http_inspect. My iptables rule to pass control to snort inline is:
>>>>
>>>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>>>>
>>>> I have tried to block the eicar virus (http://www.eicar.org/download/eicar.com) without luck. What am I doing wrong???
>>>>
>>>> Many thanks.
>>>>
>>>> --
>>>> CL Martinez
>>>> carlopmart {at} gmail {d0t} com
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.net email is sponsored by: Microsoft
>>>> Defy all challenges. Microsoft(R) Visual Studio 2005.
>>>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users () lists sourceforge net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please, any hints about this??
>
> P.D: I have attached my snort.conf
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
> --- snort.conf ---
> # example Snort_inline configuration file
> # Last modified 26 October, 2005
> #
> # Standard Snort configuration file modified for inline
> # use. Most preprocessors currently do not work in inline
> # mode, as such they are not included.
> #
> ### Network variables
> var HOME_NET 172.25.50.0/24
> var EXTERNAL_NET !$HOME_NET
> var SMTP_SERVERS 172.25.50.15
> #var TELNET_SERVERS
> var HTTP_SERVERS 172.25.50.13
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS 172.25.50.1
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var SSH_PORTS 22
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> ### As of snort_inline 2.2.0 we drop
> ### packets with bad checksums. We can
> config checksum_mode: all
>
> # Path to your rules files (this can be a relative path)
> var RULE_PATH /etc/snort_inline
>
> # Various config options
> #config layer2resets
>
> ###################################################
> # Step #2: Configure dynamic loaded libraries
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
> ###################################################
> # Step #3: Configure preprocessors
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
>     truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
> preprocessor stream4_reassemble: both, favor_new
> preprocessor stickydrop: max_entries 3000, log
> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
> preprocessor stickydrop-ignorehosts: 172.25.50.0/24
> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
> preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
>     alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
> preprocessor dns: ports { 53 } enable_rdata_overflow
> preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000
>
> ####################################################################
> # Step #4: Configure output plugins
> #output alert_unified: filename snort.alert, limit 128
> #output log_unified: filename snort.log, limit 128
> output alert_full: snort_inline-full
> output alert_fast: snort_inline-fast
>
> # Include classification & priority settings
> include $RULE_PATH/classification.config
> include $RULE_PATH/reference.config
>
> ####################################################################
> # Step #6: Customize your rule set
> #include $RULE_PATH/bleeding-malware.rules
> #include $RULE_PATH/community-bot.rules
> #include $RULE_PATH/community-web-client.rules
> #include $RULE_PATH/exploit.rules
> #include $RULE_PATH/spyware-put.rules
> #include $RULE_PATH/web-client.rules
> include $RULE_PATH/bleeding-virus.rules
> include $RULE_PATH/community-virus.rules
> include $RULE_PATH/bleeding-malware.rules
> #include $RULE_PATH/specific-threats.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/virus.rules
--
joel esler
http://demo.sourcefire.com/jesler.pgp.key
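The thread turns on two configuration questions: whether the iptables rules hand every conntrack state (not only NEW) to QUEUE so that snort_inline sees the whole HTTP session, and whether the clamav preprocessor line really covers port 80 with a drop action. The following checker is an added example written for this archive page; it is not code from the thread participants or from the snort_inline project. Its inputs are constructed from the rule and preprocessor lines quoted above. It assumes (as the poster and Joel's reply both read it) that `ports all !22 !443` means "every port except 22 and 443"; it only parses the chain, `--state` and `-j` fields of each iptables line, and it treats the presence or absence of `toclientonly` purely as a discrepancy between the line quoted in the mail body and the line in the attached snort.conf, which does not carry that option.

```python
"""Sanity-check snort_inline QUEUE rules and a clamav preprocessor line.

Added example for the mailing-list thread above; not the participants'
code and not part of snort_inline. All inputs below are constructed from
the lines quoted in the thread.
"""
import re
import shlex

# Constructed input: the poster's first rule set (only NEW is queued).
RULES_NEW_ONLY = """
iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
"""

# Constructed input: the poster's second rule set from the thread.
RULES_FULL = """
iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
"""

# The clamav line as quoted in the mail body, and as found in the attached snort.conf.
CLAMAV_MAIL = ("preprocessor clamav: ports all !22 !443, toclientonly, action-drop, "
               "dbdir /var/clamav, dbreload-time 43200")
CLAMAV_CONF = ("preprocessor clamav: ports all !22 !443, action-drop, "
               "dbdir /var/clamav, dbreload-time 43200")

# States a packet can be in; snort_inline only sees what reaches QUEUE.
REQUIRED_STATES = {"NEW", "RELATED", "ESTABLISHED"}


def parse_iptables(text):
    """Return one dict per 'iptables -A ...' line with chain, --state set and -j target."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        rule = {"chain": None, "states": set(), "target": None}
        i = 1
        while i < len(argv):
            if argv[i] == "-A":
                rule["chain"] = argv[i + 1]
                i += 2
            elif argv[i] == "--state":
                rule["states"] = set(argv[i + 1].split(","))
                i += 2
            elif argv[i] == "-j":
                rule["target"] = argv[i + 1]
                i += 2
            else:
                i += 1  # -i, -p, -m and other options are not needed for this check
        rules.append(rule)
    return rules


def queued_states(text, chain):
    """Union of conntrack states that the chain's rules send to QUEUE."""
    states = set()
    for r in parse_iptables(text):
        if r["chain"] == chain and r["target"] == "QUEUE":
            states |= r["states"]
    return states


def missing_states(text, chain="FORWARD"):
    """States on the chain that never reach QUEUE, i.e. traffic snort_inline cannot inspect."""
    return sorted(REQUIRED_STATES - queued_states(text, chain))


def parse_clamav(line):
    """Split 'preprocessor clamav: a, b c, d' into {option: [arguments]}."""
    m = re.match(r"preprocessor\s+clamav:\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not a clamav preprocessor line")
    opts = {}
    for field in m.group(1).split(","):
        tokens = field.split()
        if tokens:
            opts[tokens[0]] = tokens[1:]
    return opts


def port_inspected(opts, port):
    """Assumed semantics: 'all' minus '!N' exclusions, or an explicit port list."""
    spec = opts.get("ports", [])
    excluded = {int(t[1:]) for t in spec if t.startswith("!") and t[1:].isdigit()}
    included = {int(t) for t in spec if t.isdigit()}
    if "all" in spec:
        return port not in excluded
    return port in included


def clamav_findings(line):
    """List of issues for a clamav line; an empty list means the checks all pass."""
    opts = parse_clamav(line)
    issues = []
    if not port_inspected(opts, 80):
        issues.append("port 80 is not inspected")
    if "action-drop" not in opts:
        issues.append("no action-drop: a match would only alert")
    if "toclientonly" not in opts:
        issues.append("toclientonly absent (the line quoted in the mail body has it)")
    return issues


if __name__ == "__main__":
    print("FORWARD states missing with NEW-only rule:", missing_states(RULES_NEW_ONLY))
    print("FORWARD states missing with full rule set:", missing_states(RULES_FULL))
    print("clamav line from mail:", clamav_findings(CLAMAV_MAIL))
    print("clamav line from attached snort.conf:", clamav_findings(CLAMAV_CONF))
```

Run against the first rule set the checker reports RELATED and ESTABLISHED as never queued on FORWARD, which is Will Metcalf's point; against the second it reports nothing missing, so if blocking still fails the remaining suspects are the preprocessor line and the bridge setup rather than state coverage. The only difference it finds between the two clamav lines is the missing `toclientonly` in the attached file.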
Current thread:
- Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 22)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 22)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 23)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 Joel Esler (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 (more info) carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 23)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 22)