From: Alex M. <ale...@ya...> - 2005-03-15 16:19:19
Please remove my name from your list.
ale...@ya...

Thanks,
Alex

--- Mohamed Berzig <mb...@gm...> wrote:
> small problem: I can always download viruses via HTTP whereas I have
> to configure the "preprocessor clamav" well, somebody has an idea on
> my problem?
> Here my configuration of snort_inline:
>
> var HOME_NET any
> var HONEYNET any
> var EXTERNAL_NET any
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
>
> var HTTP_PORTS 80
>
> var SHELLCODE_PORTS !80
>
> var ORACLE_PORTS 1521
>
> config checksum_mode: none
>
> var RULE_PATH rules
>
> config layer2resets
>
> preprocessor stickydrop: max_entries 3000,log
> preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
>
> preprocessor flow: stats_interval 0 hash 2
>
> preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
> preprocessor stream4_reassemble: both
>
> preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> preprocessor rpc_decode: 111 32771
>
> preprocessor bo
> preprocessor telnet_decode
> preprocessor sfportscan: proto { all } \
>     memcap { 10000000 } \
>     sense_level { low }
>
> include /etc/snort/classification.config
> include /etc/snort/reference.config
>
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> .
> .
> .
>
> Here my configuration of iptables:
>
> iptables -A INPUT -p tcp --sport 80 -j QUEUE
> iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users