From: Victor J. <vi...@nk...> - 2005-01-19 10:15:01
Hi Thanasin,

Can you show the line from your snort_inline.conf that starts with "preprocessor clamav:"?

If the virus is alerted but not stopped, it might be that it is detected in the reassembled stream. In that case snort_inline 2.2 will not be able to stop it. Snort_inline 2.3 will be able to do that, however it's not released yet (expect a beta release in a few weeks (note that snort 2.3 won't have this functionality, only inline :-)).

Regards,
Victor

tha...@gb... wrote:
> I set iptables like this:
>
> #
> # Start IPTables Queue :
> #
>
> echo "Start IPTables Queue Mode ..."
> /sbin/modprobe ip_queue
> /sbin/iptables -F
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> /sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
> /sbin/iptables -A INPUT -i eth1 -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
> /sbin/iptables -A INPUT -j QUEUE
> /sbin/iptables -A OUTPUT -j QUEUE
> #/sbin/iptables -A FORWARD -j QUEUE
> /sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> /sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> /sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
> /sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
>
> Do I have to enable /sbin/iptables -A FORWARD -j QUEUE?
>
> Because Will told me like this from
> https://sourceforge.net/mailarchive/message.php?msg_id=10422612
>
> -- snip --
>
> iptables rules......
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> iptables -I FORWARD -m mark --mark 1 -j QUEUE
> iptables -I FORWARD -m mark --mark 2 -j QUEUE
>
> tell stream4 about state tracking via snort.conf: iptablesnewmark
> defaults to 1, iptablesestmark defaults to 2...........
>
> preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmark, forceiptstate
>
> Regards,
>
> Will
>
> -- snip --
>
> Are there any other files related?
>
> Sorry for my English.
>
> Regards,
> Thanasin
>
>>> My snort_inline box is working by capturing every anomaly traffic, e.g.
>>> virus, exploit ... etc.
>>>
>>> But when I tried to download a virus from outside, it only alerts but does not
>>> block that virus. So where should I check or have a look in order to let
>>> my snort_inline box block all virus traffic?
>>>
>>> Regards,
>>> Thanasin
>>>
>>> _______________________________________________
>>> Snort-inline-users mailing list
>>> Sno...@li...
>>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
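The rule set quoted above raises a practical question for anyone running snort_inline in QUEUE mode: which packets actually reach the QUEUE target, given that iptables evaluates each chain top to bottom and stops at the first terminal target, and that `-I` inserts at the head of a chain while `-A` appends? The following is an added example, not code from this thread or from the snort_inline project: a small Python simulator that replays Thanasin's rule script exactly as a shell would issue it, runs the mangle chain before the filter chain so the MARK rules take effect, and reports the verdict for a few constructed sample packets. It models only the options the posted rules use; anything else raises an error rather than being silently ignored.

```python
"""Added example (not from the thread or snort_inline): replay an iptables
rule script and report which terminal target a packet reaches per chain.
Only the options used by the quoted rules are modelled: -t, -A, -I, -F,
-i, -o, -p, --syn, -m state --state, -m mark --mark, -j, --set-mark."""
import shlex
from collections import defaultdict

TERMINAL = {"ACCEPT", "DROP", "REJECT", "QUEUE"}  # targets that end traversal

# Constructed sample: the rule script quoted in the thread, wrapped lines rejoined.
SCRIPT = """
echo "Start IPTables Queue Mode ..."
/sbin/modprobe ip_queue
/sbin/iptables -F
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
/sbin/iptables -A INPUT -j QUEUE
/sbin/iptables -A OUTPUT -j QUEUE
#/sbin/iptables -A FORWARD -j QUEUE
/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
"""

def parse_command(line):
    """Parse one iptables command into (table, chain, op, rule); return None
    for comments, blank lines and non-iptables commands.  op is 'A', 'I' or 'F'."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks or not toks[0].endswith("iptables"):
        return None
    table, chain, op = "filter", None, None
    rule = {"matches": {}, "target": None, "set_mark": None, "raw": line.strip()}
    simple = {"-i": "in", "-o": "out", "-p": "proto"}   # equality matches on the packet
    i = 1
    while i < len(toks):
        t = toks[i]
        if t == "-t":
            table = toks[i + 1]; i += 2
        elif t in ("-A", "-I"):
            op, chain = t[1], toks[i + 1]; i += 2
        elif t == "-F":
            op = "F"; i += 1
        elif t in simple:
            rule["matches"][simple[t]] = toks[i + 1]; i += 2
        elif t == "--syn":
            rule["matches"]["syn"] = True; i += 1
        elif t == "-m":
            i += 2                       # match extension name; its --state/--mark follow
        elif t == "--state":
            rule["matches"]["state"] = set(toks[i + 1].split(",")); i += 2
        elif t == "--mark":
            rule["matches"]["mark"] = int(toks[i + 1]); i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t == "--set-mark":
            rule["set_mark"] = int(toks[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported option {t!r} in: {line.strip()}")
    return table, chain, op, rule

def build_chains(script):
    """Replay the script in order: -A appends, -I (no rule number) inserts at
    the head, -F flushes.  Returns {(table, chain): [rule, ...]}."""
    chains = defaultdict(list)
    for line in script.splitlines():
        parsed = parse_command(line)
        if parsed is None:
            continue
        table, chain, op, rule = parsed
        if op == "F":
            for key in list(chains):
                if key[0] == table and chain in (None, key[1]):
                    chains[key].clear()
        elif op == "A":
            chains[(table, chain)].append(rule)
        elif op == "I":
            chains[(table, chain)].insert(0, rule)
    return dict(chains)

def rule_matches(rule, pkt):
    """Every match on the rule must hold for the packet (an unmarked packet has mark 0)."""
    for key, want in rule["matches"].items():
        have = pkt.get(key, 0 if key == "mark" else None)
        if key == "state":
            if have not in want:
                return False
        elif key == "syn":
            if not have:
                return False
        elif have != want:
            return False
    return True

def verdict(chains, chain, pkt):
    """Walk the mangle chain (which may set a mark), then the filter chain, and
    return the first terminal target hit, or 'POLICY' if the packet falls through."""
    pkt = dict(pkt)
    for table in ("mangle", "filter"):
        for rule in chains.get((table, chain), []):
            if not rule_matches(rule, pkt):
                continue
            if rule["target"] == "MARK":
                pkt["mark"] = rule["set_mark"]
            elif rule["target"] in TERMINAL:
                return rule["target"]
    return "POLICY"

CHAINS = build_chains(SCRIPT)

if __name__ == "__main__":
    samples = {                      # constructed packets, not captured traffic
        "INPUT, arriving on eth0":  ("INPUT",   {"in": "eth0", "proto": "tcp"}),
        "INPUT, arriving on eth2":  ("INPUT",   {"in": "eth2", "proto": "tcp"}),
        "FORWARD, tcp SYN / NEW":   ("FORWARD", {"proto": "tcp", "syn": True, "state": "NEW"}),
        "FORWARD, tcp ESTABLISHED": ("FORWARD", {"proto": "tcp", "state": "ESTABLISHED"}),
        "FORWARD, udp":             ("FORWARD", {"proto": "udp", "state": "NEW"}),
    }
    for label, (chain, pkt) in samples.items():
        print(f"{label:26} -> {verdict(CHAINS, chain, pkt)}")
```

Running it against the posted script shows two things the thread does not spell out: in the INPUT and OUTPUT chains the per-interface ACCEPT rules sit ahead of the catch-all QUEUE, so traffic on eth0 and eth1 is accepted before it can be queued to snort_inline; and in FORWARD only TCP is queued, because the mark rules match `-p tcp`, so non-TCP forwarded traffic falls through to the chain policy unless the commented-out `-A FORWARD -j QUEUE` catch-all is re-enabled. Re-running the simulator after each rule change is a cheap way to confirm that the traffic you expect the IPS to see really does reach QUEUE.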