From: Victor J. <vi...@nk...> - 2004-09-12 14:06:35

You also can try to put the clamav preprocessor directly after the
stream4_reassemble preproc in your config. Detecting viruses didn't work
for me if I didn't...

Hope this helps,
Victor

On Sunday 12 September 2004 06:27, Will Metcalf wrote:
> Just to test, try to download the eicar test file from eicar.com
>
> http://www.eicar.org/download/eicar.com
>
> Let me know what the results are. Sorry if it takes me a little while
> to get back to you all this weekend. I'm swamped with work stuff.
>
> Regards,
>
> Will
>
> On Sun, 12 Sep 2004 06:06:06 +0200, Markus Koetter <mko...@gm...> wrote:
> > Hi,
> >
> > I'm running snort-inline 2.20rc1 on a Debian unstable box,
> > the box is up to date.
> >
> > I installed clamav from apt:
> > dpkg -l | grep clam
> > ii clamav 0.75.1-4 Antivirus scanner for Unix
> > ii clamav-base 0.75.1-4 Base package for clamav, an anti-virus utili
> > ii clamav-freshcl 0.75.1-4 Downloads clamav virus databases from the In
> > ii libclamav1 0.75.1-4 Virus scanner library
> > ii libclamav1-dev 0.75.1-4 Clam Antivirus library development files
> >
> > and ran
> > ./configure --prefix=/opt/snort-inline/ --with-libipq-includes=/usr/include/libipq --enable-linux-smp-stats --enable-flexresp --enable-inline --enable-clamav
> >
> > Everything went fine.
> >
> > I set up the config, etc. etc. etc.
> > and wanted to use clamav:
> >
> > preprocessor stream4_reassemble: both, ports default
> > preprocessor clamav: ports all, action-reset
> >
> > I mark packets via
> >
> > iptables -t mangle -A OUTPUT -p tcp --syn -m state --state NEW --dport 80 -j MARK --set-mark 1
> > iptables -t mangle -A INPUT -p tcp -m state --state ESTABLISHED --sport 80 -j MARK --set-mark 2
> >
> > iptables -A OUTPUT -m mark --mark 1 -j QUEUE
> > iptables -A INTPUT -m mark --mark 2 -j QUEUE
> >
> > Now I download a malicious file I scratched from my mother's hard disk:
> >
> > clamscan bad.exe
> > bad.exe: Exploit.DCOM.Gen FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 23865
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.31 MB
> > I/O buffer size: 131072 bytes
> > Time: 0.943 sec (0 m 0 s)
> >
> > I download it via HTTP and expect something to happen.
> > Nothing happens, the file just gets downloaded.
> >
> > I tried wget and Mozilla.
> >
> > I start snort-inline:
> > ./snort_inline -Qvdc ../etc/snort-inline/snort_inline.conf
> >
> > I can see
> > ....
> > ClamAV config:
> > Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> > Virus found action: RESET
> > Virus definitions dir: '/var/lib/clamav/'
> > ....
> >
> > and I can see the stream,
> > and the file is in the stream:
> > ...........
> > 00 00 00 00 00 00 00 00 4E 42 31 30 00 00 00 00 ........NB10....
> > 9C 0C A0 40 36 00 00 00 43 3A 5C 44 6F 63 75 6D ...@6...C:\Docum
> > 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 ents and Setting
> > 73 5C 41 6C 6A 61 9E 5C 44 65 73 6B 74 6F 70 5C s\Alja.\Desktop\
> > 50 72 65 6E 6F 73 69 5C 4D 65 54 61 4C 2D 53 63 Prenosi\MeTaL-Sc
> > 52 69 50 74 5C 72 78 62 30 37 37 53 61 73 73 5C RiPt\rxb077Sass\
> > 72 78 42 6F 74 20 76 30 2E 37 2E 37 20 53 61 73 rxBot v0.7.7 Sas
> > 73 5C 44 65 62 75 67 5C 72 42 6F 74 2E 70 64 62 s\Debug\rBot.pdb
> > 00
> > .............
> >
> > I tried some other malicious files, nothing ever happened ...
> > To check my config I enabled the chat rules, joined an IRC network, and
> > this event got logged.
> >
> > I'm really helpless, would be great if someone could give me a hint.
> >
> > Markus
> >
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
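An added sanity check, not part of this thread or of the snort_inline project, for the two configuration points it raises: whether clamav is declared after stream4_reassemble in snort_inline.conf, as Victor suggests, and whether every chain named in a set of iptables rules is either built in or created with -N. The conf texts and the four iptables rules are constructed from the lines posted above; the function names are my own choice.

```python
import re

# Chains iptables provides in its tables without any `-N` declaration.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

def preprocessor_order(conf_text):
    """Preprocessor names in the order snort_inline.conf declares them."""
    return re.findall(r"^\s*preprocessor\s+(\w+)", conf_text, re.MULTILINE)

def clamav_after_reassembly(conf_text):
    """True if clamav is declared after stream4_reassemble, so it runs on the
    reassembled stream rather than on lone TCP segments (Victor's advice).
    False when either line is missing."""
    order = preprocessor_order(conf_text)
    if "clamav" not in order or "stream4_reassemble" not in order:
        return False
    return order.index("clamav") > order.index("stream4_reassemble")

def undeclared_chains(rules):
    """Chain names used with -A/-I/-D that are neither built in nor created
    with -N anywhere in the rule set; iptables rejects such a rule."""
    declared = set(BUILTIN_CHAINS)
    referenced = []
    for rule in rules:
        new = re.search(r"\s-N\s+(\S+)", rule)
        if new:
            declared.add(new.group(1))
        use = re.search(r"\s-[AID]\s+(\S+)", rule)
        if use:
            referenced.append(use.group(1))
    return sorted(c for c in set(referenced) if c not in declared)

# Constructed samples: the thread's two preprocessor lines in both orders, and
# its four iptables rules exactly as posted.
CONF_CLAMAV_FIRST = (
    "preprocessor clamav: ports all, action-reset\n"
    "preprocessor stream4_reassemble: both, ports default\n"
)
CONF_REASSEMBLE_FIRST = (
    "preprocessor stream4_reassemble: both, ports default\n"
    "preprocessor clamav: ports all, action-reset\n"
)
IPTABLES_RULES = [
    "iptables -t mangle -A OUTPUT -p tcp --syn -m state --state NEW --dport 80 -j MARK --set-mark 1",
    "iptables -t mangle -A INPUT -p tcp -m state --state ESTABLISHED --sport 80 -j MARK --set-mark 2",
    "iptables -A OUTPUT -m mark --mark 1 -j QUEUE",
    "iptables -A INTPUT -m mark --mark 2 -j QUEUE",
]
```

Feed `clamav_after_reassembly` the text of your real snort_inline.conf and `undeclared_chains` the rule lines of your firewall script to run the same checks locally.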