From: Will M. <wil...@gm...> - 2004-09-12 04:27:35

Just to test, try to download the EICAR test file, eicar.com, from http://www.eicar.org/download/eicar.com and let me know what the results are. Sorry if it takes me a little while to get back to you all this weekend; I'm swamped with work stuff.

Regards,
Will

On Sun, 12 Sep 2004 06:06:06 +0200, Markus Koetter <mko...@gm...> wrote:
> Hi,
>
> I'm running snort-inline 2.20rc1 on a Debian unstable box;
> the box is up to date.
>
> I installed clamav from apt:
>
> dpkg -l | grep clam
> ii clamav 0.75.1-4 Antivirus scanner for Unix
> ii clamav-base 0.75.1-4 Base package for clamav, an anti-virus utili
> ii clamav-freshcl 0.75.1-4 Downloads clamav virus databases from the In
> ii libclamav1 0.75.1-4 Virus scanner library
> ii libclamav1-dev 0.75.1-4 Clam Antivirus library development files
>
> and ran
>
> ./configure --prefix=/opt/snort-inline/ \
> --with-libipq-includes=/usr/include/libipq --enable-linux-smp-stats \
> --enable-flexresp --enable-inline --enable-clamav
>
> Everything went fine.
>
> I set up the config, etc. etc. etc., and wanted to use clamav:
>
> preprocessor stream4_reassemble: both, ports default
> preprocessor clamav: ports all, action-reset
>
> I mark packets via
>
> iptables -t mangle -A OUTPUT -p tcp --syn -m state --state NEW --dport 80 -j MARK --set-mark 1
> iptables -t mangle -A INPUT -p tcp -m state --state ESTABLISHED --sport 80 -j MARK --set-mark 2
>
> iptables -A OUTPUT -m mark --mark 1 -j QUEUE
> iptables -A INTPUT -m mark --mark 2 -j QUEUE
>
> Now I download a malicious file I scratched from my mother's hard disk:
>
> clamscan bad.exe
> bad.exe: Exploit.DCOM.Gen FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 23865
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.31 MB
> I/O buffer size: 131072 bytes
> Time: 0.943 sec (0 m 0 s)
>
> I download it via HTTP and expect something to happen.
> Nothing happens; the file just gets downloaded.
>
> I tried wget and Mozilla.
>
> I start snort-inline:
>
> ./snort_inline -Qvdc ../etc/snort-inline/snort_inline.conf
>
> I can see
>
> ....
> ClamAV config:
> Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> Virus found action: RESET
> Virus definitions dir: '/var/lib/clamav/'
> ....
>
> and I can see the stream, and the file is in the stream:
>
> ...........
> 00 00 00 00 00 00 00 00 4E 42 31 30 00 00 00 00 ........NB10....
> 9C 0C A0 40 36 00 00 00 43 3A 5C 44 6F 63 75 6D ...@6...C:\Docum
> 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 ents and Setting
> 73 5C 41 6C 6A 61 9E 5C 44 65 73 6B 74 6F 70 5C s\Alja.\Desktop\
> 50 72 65 6E 6F 73 69 5C 4D 65 54 61 4C 2D 53 63 Prenosi\MeTaL-Sc
> 52 69 50 74 5C 72 78 62 30 37 37 53 61 73 73 5C RiPt\rxb077Sass\
> 72 78 42 6F 74 20 76 30 2E 37 2E 37 20 53 61 73 rxBot v0.7.7 Sas
> 73 5C 44 65 62 75 67 5C 72 42 6F 74 2E 70 64 62 s\Debug\rBot.pdb
> 00
> .............
>
> I tried some other malicious files; nothing ever happened ...
> To check my config I enabled the chat rules, joined an IRC network, and
> this event got logged.
>
> I'm really helpless; it would be great if someone could give me a hint.
>
> Markus
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
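The EICAR check Will suggests, written up as a small script that fetches the test file through the inline box and reports whether the transfer was reset (what the clamav preprocessor's action-reset should produce), delivered intact (the scanner never fired), or failed for some unrelated reason. This is an added example, not code from the thread or from snort-inline; it assumes the EICAR URL is passed on the command line and that a blocked download shows up as a TCP reset.

```python
"""Check whether an inline AV scanner stops the EICAR test file.

Added example, not from the mailing-list thread or snort-inline. Assumes an
EICAR download URL on the command line and that a scanner configured with
action-reset tears the connection down rather than silently dropping it.
"""
import sys
import urllib.error
import urllib.request

# The standard 68-byte EICAR test string, built from two parts so that a copy
# of this script on disk is not itself flagged by a file scanner.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}" + "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

BLOCKED = "blocked"            # connection reset: consistent with action-reset
DELIVERED = "delivered"        # full test file arrived: nothing stopped it
INCONCLUSIVE = "inconclusive"  # unrelated error or odd body: fix the setup first


def classify(body, error):
    """Map a fetch outcome (body bytes or an exception) onto a verdict."""
    if error is not None:
        # urllib wraps socket errors in URLError; the real cause is .reason.
        reason = getattr(error, "reason", error)
        if isinstance(reason, (ConnectionResetError, ConnectionAbortedError)):
            return BLOCKED
        # A silent drop would surface as a timeout, which looks the same as
        # plain network trouble, so it is reported as inconclusive here.
        return INCONCLUSIVE
    if EICAR.encode() in body:
        return DELIVERED
    return INCONCLUSIVE  # e.g. an HTML error page instead of the test file


def fetch(url, timeout=10):
    """Return (body, None) on success or (None, exception) on failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(), None
    except Exception as exc:  # any failure is classified, not re-raised
        return None, exc


def check(url, timeout=10):
    body, error = fetch(url, timeout)
    return classify(body, error)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.eicar.org/download/eicar.com"
    print(check(target))
```

Run it from a host whose port-80 traffic passes through the QUEUE rules; "delivered" means the file reached the client unscanned, which is the symptom Markus describes.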