Re: Blocking virus with snort inline 2.6.1.5
From: carlopmart <carlopmart () gmail com>
Date: Mon, 24 Sep 2007 18:17:38 +0200
carlopmart wrote:
With these rules the result is the same; nothing is blocked:
iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE

Will Metcalf wrote:
What about your RELATED,ESTABLISHED traffic, doesn't that need to be sent to the QUEUE as well? Regards, Will

On 9/22/07, carlopmart <carlopmart () gmail com> wrote:
Hi all, After setting up and solving my problems (thanks to all) with snort inline version 2.6.1.5, I will try to do some tests to block viruses across the http service. I put this line in snort.conf: preprocessor clamav: ports all !22 !443, toclientonly, action-drop, dbdir /var/clamav, dbreload-time 43200 before preprocessor http_inspect. My iptables rule to pass control to snort inline is: iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE I have tried to block the eicar virus (http://www.eicar.org/download/eicar.com) without luck. What am I doing wrong??? Many thanks. -- CL Martinez carlopmart {at} gmail {d0t} com
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Any hints about this, please?
P.S.: I have attached my snort.conf
--
CL Martinez
carlopmart {at} gmail {d0t} com
# example Snort_inline configuration file
# Last modified 26 October, 2005
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#
# NOTE(review): this is the snort.conf attached to the mailing-list
# message above; it is meant to be read together with the iptables
# QUEUE rules quoted in that thread. Lines that appear wrapped below
# (AIM_SERVERS, ftp/smtp preprocessor options) look like mail-client
# line wrapping rather than the on-disk layout -- verify against the
# real file before copying from this archive.
### Network variables
# HOME_NET is the protected range; EXTERNAL_NET is defined as its negation.
var HOME_NET 172.25.50.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS 172.25.50.15
#var TELNET_SERVERS
var HTTP_SERVERS 172.25.50.13
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 172.25.50.1
# HTTP_PORTS lists only 80 here, while http_inspect_server below is
# configured for ports 80 8080 8180 -- rules keyed on $HTTP_PORTS will
# presumably not cover 8080/8180; confirm which is intended.
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
# The AIM_SERVERS list appears on the line after the var name; in the
# archive this is probably a wrap artifact (the value must follow on the
# same line). Do not insert anything between the two lines.
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
### (comment above is truncated in the original file; it ends mid-sentence)
config checksum_mode: all
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort_inline
# Various config options
#config layer2resets
###################################################
# Step #2: Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
###################################################
# Step #3: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
# stream4 is run with stream4inline and "enforce_state drop"; the
# backslash-continued line below is part of this statement.
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor stickydrop: max_entries 3000, log
preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
# The ignorehosts range is the same range as HOME_NET above, so hosts
# inside the protected network are presumably exempt from sticky-drop
# (clamav timeouts included) -- confirm this is the intended scope.
preprocessor stickydrop-ignorehosts: 172.25.50.0/24
# NOTE(review): the clamav line in the attached file has no
# "toclientonly" option, whereas the line quoted in the message body
# does include it. The file and the message disagree; whichever is
# actually loaded determines what direction of traffic is scanned.
# It is placed before http_inspect, as the message says.
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
# Back Orifice preprocessor, enabled with no options.
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
# The next four lines are one ftp-server statement; only one of the
# continuations carries a trailing backslash in the archive, which
# looks like mail wrapping -- verify the on-disk file parses.
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity
MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE
MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
# The next four lines are one smtp statement (same wrapping caveat as above).
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT }
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN }
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000
####################################################################
# Step #4: Configure output plugins
# Unified output is commented out; only the full and fast text alert
# outputs are active, so drops/alerts are only visible there.
#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
####################################################################
# Step #6: Customize your rule set
# (There is no Step #5 section in this file; numbering jumps from 4 to 6.)
# bleeding-malware.rules and spyware-put.rules appear both commented
# out here and included further down; the commented copies are inert
# but confusing -- consider removing them.
#include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/community-bot.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/web-client.rules
# Active rule sets: virus/malware oriented only.
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/virus.rules
