From: <tha...@gb...> - 2005-01-19 10:34:12

here is my preprocessor clamav

preprocessor clamav: ports 21 25 80 81 110 119 139 445 143, toclientonly, action-drop, dbdir /usr/local/share/clamav

is my config OK?

so do you mean snort_inline 2.2 can only detect viruses using clamav support but can't block them, and snort_inline will have the capability to block viruses in a coming version (snort_inline 2.3), right?

Regards,
Thanasin

> Hi Thanasin,
>
> Can you show the line from your snort_inline.conf that starts with:
> preprocessor clamav:?
>
> If the virus is alerted but not stopped it might be that it is detected
> in the reassembled stream. In that case snort_inline 2.2 will not be
> able to stop it. Snort_inline 2.3 will be able to do that, however it's
> not released yet (expect a beta release in a few weeks (note that snort
> 2.3 won't have this functionality, only inline :-)).
>
> Regards,
> Victor
>
> tha...@gb... wrote:
>> I set iptables like this
>>
>> #
>> # Start IPTables Queue :
>> #
>>
>> echo "Start IPTables Queue Mode ..."
>> /sbin/modprobe ip_queue
>> /sbin/iptables -F
>> /sbin/iptables -A INPUT -i lo -j ACCEPT
>> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
>> /sbin/iptables -A INPUT -i eth0 -j ACCEPT
>> /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -i eth1 -j ACCEPT
>> /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
>> /sbin/iptables -A INPUT -j QUEUE
>> /sbin/iptables -A OUTPUT -j QUEUE
>> #/sbin/iptables -A FORWARD -j QUEUE
>> /sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
>> /sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
>> /sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
>> /sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
>>
>> do I have to enable /sbin/iptables -A FORWARD -j QUEUE
>>
>> because Will told me like this from
>> https://sourceforge.net/mailarchive/message.php?msg_id=10422612
>>
>> -- snip --
>>
>> iptables rules......
>>
>> iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
>> iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
>> iptables -I FORWARD -m mark --mark 1 -j QUEUE
>> iptables -I FORWARD -m mark --mark 2 -j QUEUE
>>
>> tell stream4 about state tracking via snort.conf iptablesnewmark
>> defaults to 1, iptablesestmark defaults to 2...........
>>
>> preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmark, forceiptstate
>>
>> Regards,
>>
>> Will
>>
>> -- snip --
>>
>> are there any other related files?
>>
>> sorry for my English.
>>
>> Regards,
>> Thanasin
>>
>>>>my snort_inline box is working, capturing all anomalous traffic, e.g.
>>>>viruses, exploits, etc.
>>>>
>>>>but when I tried to download a virus from outside, it only alerted but
>>>>did not block that virus. So where should I check or have a look in
>>>>order to let my snort_inline box block all virus traffic?
>>>>
>>>>Regards,
>>>>Thanasin
>>>>
>>>>-------------------------------------------------------
>>>>The SF.Net email is sponsored by: Beat the post-holiday blues
>>>>Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
>>>>It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
>>>>_______________________________________________
>>>>Snort-inline-users mailing list
>>>>Sno...@li...
>>>>https://lists.sourceforge.net/lists/listinfo/snort-inline-users
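As an added example, not code from the thread or from the snort_inline project: the POSIX sh script below renders the mark-and-queue rule set that Will's snippet describes (mark NEW SYN packets and RELATED/ESTABLISHED packets in the mangle FORWARD chain, then insert QUEUE rules keyed on those marks), so the rules can be reviewed before they touch a firewall. The `IPT` variable defaults to `echo` (dry run) and is my choice; the mark values match the stream4 defaults quoted in the thread (`iptablesnewmark` 1, `iptablesestmark` 2). The `classify` function is a hypothetical model of how those rules treat one forwarded packet; it exists to make visible that only TCP is ever marked, so with the `-A FORWARD -j QUEUE` line commented out, UDP and ICMP forwarded traffic is never handed to snort_inline at all.

```shell
#!/bin/sh
# Added example: dry-run renderer and model for the snort_inline FORWARD rules.
# IPT defaults to "echo" so nothing is applied; set IPT=/sbin/iptables to apply.
IPT="${IPT:-echo}"
NEWMARK="${NEWMARK:-1}"   # stream4 iptablesnewmark default (from the thread)
ESTMARK="${ESTMARK:-2}"   # stream4 iptablesestmark default (from the thread)

# Emit the four rules from Will's snippet. The QUEUE rules use -I so they sit
# at the head of FORWARD ahead of anything that might ACCEPT first.
gen_rules() {
    "$IPT" -t mangle -A FORWARD -p tcp --syn -m state --state NEW \
        -j MARK --set-mark "$NEWMARK"
    "$IPT" -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED \
        -j MARK --set-mark "$ESTMARK"
    "$IPT" -I FORWARD -m mark --mark "$NEWMARK" -j QUEUE
    "$IPT" -I FORWARD -m mark --mark "$ESTMARK" -j QUEUE
}

# Hypothetical model of one forwarded packet against those rules.
#   classify PROTO STATE SYNFLAG [CATCHALL]
#     PROTO    tcp|udp|icmp
#     STATE    NEW|RELATED|ESTABLISHED|INVALID
#     SYNFLAG  syn|nosyn  (the NEW rule carries --syn, so a NEW non-SYN
#                          TCP packet, e.g. a mid-stream pickup, is not marked)
#     CATCHALL yes to model the commented-out "-A FORWARD -j QUEUE"
# Prints QUEUE when the packet reaches snort_inline, FALLTHROUGH when it
# leaves these rules unmarked and is decided by whatever follows in FORWARD.
classify() {
    proto="$1"; state="$2"; synflag="$3"; catchall="${4:-no}"
    mark=0
    if [ "$proto" = tcp ]; then
        case "$state" in
            NEW) [ "$synflag" = syn ] && mark="$NEWMARK" ;;
            RELATED|ESTABLISHED) mark="$ESTMARK" ;;
        esac
    fi
    if [ "$mark" != 0 ]; then
        echo QUEUE
    elif [ "$catchall" = yes ]; then
        echo QUEUE
    else
        echo FALLTHROUGH
    fi
}

# Usage: sh this_script.sh show        (prints the rules in dry-run form)
if [ "${1:-}" = show ]; then
    gen_rules
fi
```

Run with `sh script.sh show` to see the rule lines; `classify udp NEW nosyn` printing `FALLTHROUGH` is the case to keep in mind when deciding whether the appended catch-all QUEUE rule from the original script is wanted.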