From: Markus K. <mko...@gm...> - 2004-09-12 04:06:09
Hi,

I'm running snort-inline 2.20rc1 on a Debian unstable box; the box is up to date. I installed clamav from apt:

  dpkg -l | grep clam
  ii  clamav          0.75.1-4  Antivirus scanner for Unix
  ii  clamav-base     0.75.1-4  Base package for clamav, an anti-virus utili
  ii  clamav-freshcl  0.75.1-4  Downloads clamav virus databases from the In
  ii  libclamav1      0.75.1-4  Virus scanner library
  ii  libclamav1-dev  0.75.1-4  Clam Antivirus library development files

and ran

  ./configure --prefix=/opt/snort-inline/ --with-libipq-includes=/usr/include/libipq --enable-linux-smp-stats --enable-flexresp --enable-inline --enable-clamav

Everything went fine. I set up the config etc. etc. etc. and wanted to use clamav:

  preprocessor stream4_reassemble: both, ports default
  preprocessor clamav: ports all, action-reset

I mark packets via

  iptables -t mangle -A OUTPUT -p tcp --syn -m state --state NEW --dport 80 -j MARK --set-mark 1
  iptables -t mangle -A INPUT -p tcp -m state --state ESTABLISHED --sport 80 -j MARK --set-mark 2
  iptables -A OUTPUT -m mark --mark 1 -j QUEUE
  iptables -A INPUT -m mark --mark 2 -j QUEUE

Now I download a malicious file I scratched from my mother's hard disk:

  clamscan bad.exe
  bad.exe: Exploit.DCOM.Gen FOUND

  ----------- SCAN SUMMARY -----------
  Known viruses: 23865
  Scanned directories: 0
  Scanned files: 1
  Infected files: 1
  Data scanned: 0.31 MB
  I/O buffer size: 131072 bytes
  Time: 0.943 sec (0 m 0 s)

I download it via http and expect something to happen. Nothing happens, the file just gets downloaded. I tried wget and Mozilla. I start snort-inline:

  ./snort_inline -Qvdc ../etc/snort-inline/snort_inline.conf

I can see

  ....
  ClamAV config:
      Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
      Virus found action: RESET
      Virus definitions dir: '/var/lib/clamav/'
  ....

and I can see the stream, and the file is in the stream:

  ...........
  00 00 00 00 00 00 00 00 4E 42 31 30 00 00 00 00 ........NB10....
  9C 0C A0 40 36 00 00 00 43 3A 5C 44 6F 63 75 6D ...@6...C:\Docum
  65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 ents and Setting
  73 5C 41 6C 6A 61 9E 5C 44 65 73 6B 74 6F 70 5C s\Alja.\Desktop\
  50 72 65 6E 6F 73 69 5C 4D 65 54 61 4C 2D 53 63 Prenosi\MeTaL-Sc
  52 69 50 74 5C 72 78 62 30 37 37 53 61 73 73 5C RiPt\rxb077Sass\
  72 78 42 6F 74 20 76 30 2E 37 2E 37 20 53 61 73 rxBot v0.7.7 Sas
  73 5C 44 65 62 75 67 5C 72 42 6F 74 2E 70 64 62 s\Debug\rBot.pdb
  00 .............

I tried some other malicious files, nothing ever happened ... To check my config I enabled the chat rules, joined an IRC network, and that event got logged. I'm really helpless; it would be great if someone could give me a hint.

Markus
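As an added example (not part of Markus's post and not snort-inline code), the Python below rebuilds raw bytes from the snort -d style hex/ASCII dump quoted in the post and pulls the CodeView NB10 debug record out of them. It confirms that the reassembled stream really carries the executable's PDB build path, which is a useful triage detail when checking what the preprocessor actually saw. It assumes the dump lines follow snort's layout of up to 16 hex bytes followed by their ASCII rendering.

```python
import re
import struct

# Constructed sample: the nine dump lines quoted in the post above, in the
# snort -d layout of up to 16 hex bytes followed by their ASCII rendering.
SAMPLE_DUMP = r"""
00 00 00 00 00 00 00 00 4E 42 31 30 00 00 00 00 ........NB10....
9C 0C A0 40 36 00 00 00 43 3A 5C 44 6F 63 75 6D ...@6...C:\Docum
65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 ents and Setting
73 5C 41 6C 6A 61 9E 5C 44 65 73 6B 74 6F 70 5C s\Alja.\Desktop\
50 72 65 6E 6F 73 69 5C 4D 65 54 61 4C 2D 53 63 Prenosi\MeTaL-Sc
52 69 50 74 5C 72 78 62 30 37 37 53 61 73 73 5C RiPt\rxb077Sass\
72 78 42 6F 74 20 76 30 2E 37 2E 37 20 53 61 73 rxBot v0.7.7 Sas
73 5C 44 65 62 75 67 5C 72 42 6F 74 2E 70 64 62 s\Debug\rBot.pdb
00 .............
"""

# Leading run of two-digit hex tokens, capped at 16 per line so the ASCII
# column of a full line is never consumed as data.
HEX_PREFIX = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")

def parse_snort_dump(text):
    """Rebuild raw payload bytes from snort -d hex/ASCII dump lines."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_PREFIX.match(line.strip() + " ")
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def find_pdb20_record(data):
    """Locate a CodeView NB10 (CV_INFO_PDB20) record and return its fields.

    Layout: 'NB10' | offset (u32) | timestamp (u32) | age (u32) | NUL-terminated path."""
    idx = data.find(b"NB10")
    if idx < 0 or idx + 16 > len(data):
        return None
    _offset, timestamp, age = struct.unpack_from("<III", data, idx + 4)
    end = data.find(b"\x00", idx + 16)
    path = data[idx + 16:end if end >= 0 else len(data)]
    # The path is a Windows-1252 string (the 0x9E byte above is a non-ASCII letter).
    return {"timestamp": timestamp, "age": age, "path": path.decode("cp1252", "replace")}

if __name__ == "__main__":
    rec = find_pdb20_record(parse_snort_dump(SAMPLE_DUMP))
    print(rec)
```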