From: William M. <Wil...@kc...> - 2004-08-13 22:27:36
Alright, coming in an e-mail following this is a diff for snort_inline-2.2.0 + ClamAV preproc + iptables state + sighup. Once again Victor Julien did the majority of the work on this preproc, and deserves a thank you from all that find use for it.

On to the preproc: you can enable the ClamAV preprocessor by running ./configure --enable-clamav. You can specify the include directory by doing ./configure --enable-clamav --with-clamav-includes=DIR if clamav.h can't be found by the configure, or if the dbdir can't be found you may specify it with configure by ./configure --enable-clamav --with-clamav-defdir=DIR. You must have clamav and clamav.h available; we do not provide it in the patch.

On to the preprocessor configuration options: turn on clamav by going into snort_inline.conf and adding

preprocessor clamav

This turns on the defaults for clamav, which are to listen on ports 21 25 80 81 110 119 139 445 143, use the default database location of /var/lib/clamav unless another dbdir was specified at ./configure, and write alerts to the alert logs; no packets are rejected or dropped.

The options are:

preprocessor clamav: ports {portlist separated by " "}, {flow can be toclientonly or toserveronly or defaults to both}, {action can be action-drop or action-reset, otherwise default to writing to alert file}, {dbdir}

So

preprocessor clamav: ports all !25 !443 !22, action-reset

will turn on clamav, will listen for virus activity on all ports except 25 443 22, and send a reset and drop the packet if a virus is detected.

preprocessor clamav: ports 139 445 21, toclientonly, action-drop, dbdir /var/lib2/clamav

will turn on clamav, will listen for virus activity on ports 129 445 21, will only watch traffic that flows to the client, will drop the packet, and sets the virus-sig database path to /var/lib2/clamav.

Will try to put together some better documentation... but either way here is the patch. Depending on OS, some may need to run the following command before running configure, otherwise it will not configure properly:

libtoolize -f && aclocal && autoheader && automake && autoconf
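The option grammar described in the mail, as an added example that is not part of the patch or of snort_inline itself: it assumes the comma-separated layout of the two example lines and the defaults the mail lists, and the `inspects` helper (which traffic a given config would hand to the scanner) is a hypothetical name used here to check a config line before deploying it.

```python
from dataclasses import dataclass, field

# Defaults as stated in the mail (assumed to match the preprocessor).
DEFAULT_PORTS = {21, 25, 80, 81, 110, 119, 139, 445, 143}
DEFAULT_DBDIR = "/var/lib/clamav"


@dataclass
class ClamavConfig:
    all_ports: bool = False                      # "ports all"
    ports: set = field(default_factory=lambda: set(DEFAULT_PORTS))
    excluded: set = field(default_factory=set)   # "!25" style negations
    flow: str = "both"                           # both | toclientonly | toserveronly
    action: str = "alert"                        # alert | action-drop | action-reset
    dbdir: str = DEFAULT_DBDIR


def parse_clamav_line(line: str) -> ClamavConfig:
    """Parse one 'preprocessor clamav[: options]' line into a ClamavConfig."""
    cfg = ClamavConfig()
    head, sep, rest = line.strip().partition(":")
    if head.split() != ["preprocessor", "clamav"]:
        raise ValueError("not a clamav preprocessor line")
    if not sep:
        return cfg  # bare "preprocessor clamav" means all defaults
    for opt in (o.strip() for o in rest.split(",") if o.strip()):
        words = opt.split()
        key = words[0]
        if key == "ports":
            cfg.ports, cfg.all_ports = set(), False  # explicit list replaces defaults
            for w in words[1:]:
                if w == "all":
                    cfg.all_ports = True
                elif w.startswith("!"):
                    cfg.excluded.add(int(w[1:]))
                else:
                    cfg.ports.add(int(w))
        elif key in ("toclientonly", "toserveronly"):
            cfg.flow = key
        elif key in ("action-drop", "action-reset"):
            cfg.action = key
        elif key == "dbdir":
            cfg.dbdir = words[1]
        else:
            raise ValueError(f"unknown clamav option: {opt}")
    return cfg


def inspects(cfg: ClamavConfig, port: int, direction: str) -> bool:
    """True if traffic on `port` flowing `direction` ('toclient'/'toserver') is scanned."""
    if cfg.flow == "toclientonly" and direction != "toclient":
        return False
    if cfg.flow == "toserveronly" and direction != "toserver":
        return False
    if port in cfg.excluded:
        return False
    return cfg.all_ports or port in cfg.ports
```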