From: Mohamed B. <mb...@gm...> - 2005-03-14 23:48:57
Small problem: I can always download viruses via HTTP, whereas I have configured the "preprocessor clamav" well. Does somebody have an idea about my problem?

Here is my configuration of snort_inline:

var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: none
var RULE_PATH rules
config layer2resets
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
...

Here is my configuration of iptables:

iptables -A INPUT -p tcp --sport 80 -j QUEUE
iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
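The following is an added example, not code from the poster or from the snort_inline project. It walks the two configurations above with a small checker that a practitioner would run before asking why inline scanning lets something through: it parses the snort_inline `preprocessor` and `var` lines, confirms that the clamav preprocessor's `ports` list (the `ports all !22 !443` syntax used above) actually covers `HTTP_PORTS` and runs with `action-drop`, confirms stream reassembly is configured, and parses the iptables rules to report which chains hand port-80 traffic to `QUEUE`. The sample config and rules embedded below are an abridged, constructed copy of the post; the one general fact the checker relies on is that iptables `INPUT` and `OUTPUT` only see traffic addressed to or originating from the host itself, so a host that forwards or bridges traffic for other machines also needs a `FORWARD` rule for snort_inline to see that traffic.

```python
"""Sanity checks for a snort_inline clamav + iptables QUEUE setup (added example)."""
import re

# Constructed sample: abridged copy of the snort_inline configuration from the post.
SNORT_CONF = """\
var HTTP_PORTS 80
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
"""

# Constructed sample: the iptables rules from the post.
IPTABLES_RULES = """\
iptables -A INPUT -p tcp --sport 80 -j QUEUE
iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
"""


def parse_preprocessors(conf):
    """Map each preprocessor name to its argument string (text after the colon)."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*preprocessor\s+(\S+?)(?::\s*(.*))?$", line)
        if m:
            out[m.group(1)] = (m.group(2) or "").strip()
    return out


def parse_vars(conf):
    """Map each 'var NAME value' line to NAME -> value."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(.+)$", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def clamav_scans_port(clamav_args, port):
    """True if the clamav 'ports' option covers the port.

    Handles the snort_inline form 'ports all !22 !443' as well as an explicit
    list such as 'ports 80 8080'; a '!port' token excludes that port."""
    m = re.search(r"ports\s+([^,]+)", clamav_args)
    if not m:
        return False
    tokens = m.group(1).split()
    included = "all" in tokens or str(port) in tokens
    excluded = f"!{port}" in tokens
    return included and not excluded


def iptables_chains_queueing_port(rules, port):
    """Return the set of chains whose rules send TCP <port> traffic to QUEUE."""
    chains = set()
    for line in rules.splitlines():
        if "-j QUEUE" not in line:
            continue
        m = re.search(r"-A\s+(\S+)", line)
        if m and re.search(rf"--[sd]port\s+{port}\b", line):
            chains.add(m.group(1))
    return chains


def check_setup(conf, rules):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    pre = parse_preprocessors(conf)
    http_ports = parse_vars(conf).get("HTTP_PORTS", "80").split()
    clam = pre.get("clamav")
    if clam is None:
        findings.append("clamav preprocessor not configured")
    else:
        for p in http_ports:
            if not clamav_scans_port(clam, p):
                findings.append(f"clamav does not scan HTTP port {p}")
        if "action-drop" not in clam:
            findings.append("clamav runs without action-drop (alert only, nothing is blocked)")
    if "stream4_reassemble" not in pre:
        findings.append("no stream4_reassemble: payloads split across packets are not "
                        "reassembled before scanning")
    chains = iptables_chains_queueing_port(rules, 80)
    if not chains & {"INPUT", "OUTPUT", "FORWARD"}:
        findings.append("no iptables rule queues TCP port 80 to snort_inline")
    elif "FORWARD" not in chains:
        findings.append("only INPUT/OUTPUT queue port 80: traffic forwarded through this "
                        "host (FORWARD chain) is never handed to snort_inline")
    return findings


if __name__ == "__main__":
    for finding in check_setup(SNORT_CONF, IPTABLES_RULES):
        print("-", finding)
```

Run against the posted configuration, the checker confirms that port 80 is in the clamav port list with `action-drop` and that reassembly is on, and reports only that no `FORWARD` rule exists; whether that matters depends on whether the snort_inline box is the downloading host itself or sits in the path of other machines.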