From: Mohamed B. <mb...@gm...> - 2005-03-12 14:44:11
Hello,

Here is my configuration of snort_inline:

var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: all
var RULE_PATH rules
config layer2resets
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
...

Here are the iptables rules:

iptables -A INPUT -j QUEUE
iptables -A OUTPUT -j QUEUE

and here is how I start snort_inline:

# snort_inline -D -c /etc/snort/snort_inline.conf -d -Q -i eth0

But unfortunately I can always download eicar.com.

On Mon, 7 Mar 2005 13:48:36 -0600, William Metcalf <Wil...@kc...> wrote:
> You have to initialize clamav before http_inspect in your snort_inline.conf,
> also are you setup so that your return traffic is going to the QUEUE target?
> so something like
>
> iptables -A FORWARD -p tcp --sport 80 -j QUEUE
> iptables -A FORWARD -p tcp --dport 80 -j QUEUE
>
> or
>
> iptables -A INPUT -p tcp --sport 80 -j QUEUE
> iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
>
> or you can make use of the RELATED,ESTABLISHED keywords.
>
> Regards,
>
> Will
>
> Mohamed Berzig <mb...@gm...>
> Sent by: sno...@li...
> 03/07/2005 01:17 PM
> Please respond to Mohamed Berzig <mb...@gm...>
> To: sno...@li...
> cc:
> Subject: [Snort-inline-users] still clamAV
>
> I have to compile snort_inline with support for clamav and I have to
> configure snort_inline.conf as indicated in the comments, but when I try
> to download eicar.com snort_inline detects no virus. I do not know if I
> have forgotten something, but I have redone the test several times.
> Greetings.
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
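William's reply raises two checks that are easy to get wrong and easy to automate: clamav must be declared before http_inspect in snort_inline.conf (and its ports list must still cover the HTTP ports), and the iptables rules must send both directions of the HTTP flow to QUEUE, because the EICAR file travels in the server's response, not in the client's request. The script below is an added example, not code from this thread or from the snort_inline project. It lints a constructed snort_inline.conf fragment modelled on the one posted above and evaluates a list of iptables command strings against a constructed request/reply packet pair; the option parsing covers only -j, --sport, --dport and --state, and the chain a rule is attached to (INPUT, OUTPUT, FORWARD) is deliberately ignored, which is an assumption made to keep the model small.

```python
"""Added example: lint the two points from the thread over constructed input.

1. snort_inline.conf: clamav must precede http_inspect, and clamav's
   `ports` spec must still include the HTTP port.
2. iptables: both the request (dport 80) and the reply (sport 80) must
   reach the QUEUE target, or snort_inline never sees the downloaded file.
"""
import re
import shlex
from typing import Dict, List

# Constructed sample resembling the configuration posted in the thread.
SAMPLE_CONF = """\
var HTTP_PORTS 80
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 8180 }
"""

# Constructed rule set: the chain-wide QUEUE rules from the thread.
SAMPLE_RULES = ["iptables -A INPUT -j QUEUE", "iptables -A OUTPUT -j QUEUE"]


def join_continuations(text: str) -> List[str]:
    """Fold backslash-continued lines so each directive is one logical line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def preprocessor_order(text: str) -> List[str]:
    """Preprocessor names in the order snort_inline will initialise them."""
    names = []
    for line in join_continuations(text):
        m = re.match(r"preprocessor\s+([\w-]+)", line)
        if m:
            names.append(m.group(1))
    return names


def clamav_before_http_inspect(text: str) -> bool:
    order = preprocessor_order(text)
    if "clamav" not in order or "http_inspect" not in order:
        return False
    return order.index("clamav") < order.index("http_inspect")


def clamav_scans_port(text: str, port: int) -> bool:
    """Evaluate clamav's `ports` spec (e.g. 'all !22 !443') for one port."""
    for line in join_continuations(text):
        m = re.match(r"preprocessor\s+clamav:\s*(.*)", line)
        if not m:
            continue
        for opt in m.group(1).split(","):
            tokens = opt.split()
            if tokens and tokens[0] == "ports":
                spec = tokens[1:]
                excluded = {int(t[1:]) for t in spec if t.startswith("!")}
                included = {int(t) for t in spec if t.isdigit()}
                return port not in excluded and ("all" in spec or port in included)
    return False


def rule_matches(rule: str, pkt: Dict[str, object]) -> bool:
    """Would this iptables command send the modelled packet to QUEUE?
    Only -j, --sport, --dport and --state are interpreted (assumption)."""
    argv = shlex.split(rule)

    def opt(name: str):
        return argv[argv.index(name) + 1] if name in argv else None

    if opt("-j") != "QUEUE":
        return False
    for flag, key in (("--sport", "sport"), ("--dport", "dport")):
        if opt(flag) is not None and int(opt(flag)) != pkt[key]:
            return False
    states = opt("--state")
    return states is None or pkt["state"] in states.split(",")


def http_both_directions_queued(rules: List[str], port: int = 80,
                                ephemeral: int = 40000) -> bool:
    """True if some rule queues the request AND some rule queues the reply."""
    request = {"sport": ephemeral, "dport": port, "state": "NEW"}
    reply = {"sport": port, "dport": ephemeral, "state": "ESTABLISHED"}
    return (any(rule_matches(r, request) for r in rules)
            and any(rule_matches(r, reply) for r in rules))


def lint(conf: str, rules: List[str], port: int = 80) -> List[str]:
    """Collect human-readable findings; an empty list means all checks pass."""
    findings = []
    if not clamav_before_http_inspect(conf):
        findings.append("clamav is not declared before http_inspect")
    if not clamav_scans_port(conf, port):
        findings.append(f"clamav ports spec does not cover port {port}")
    if not http_both_directions_queued(rules, port):
        findings.append("return traffic on port %d is not sent to QUEUE" % port)
    return findings


if __name__ == "__main__":
    print(lint(SAMPLE_CONF, SAMPLE_RULES) or "all checks passed")
```

For the configuration in the thread the lint passes both checks, which is what the second message reports as well: the ordering is already right and chain-wide QUEUE rules catch the reply. A rule set with only a --dport 80 rule fails the second check, and adding either a --sport 80 rule or a -m state --state RELATED,ESTABLISHED rule makes it pass, which is exactly the alternative William offers.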