From: Will M. <wil...@gm...> - 2005-08-19 15:04:00

preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmart, forceipstate

should be

preprocessor stream4: disable_evasion_alerts,iptablesnewmark ,iptablesestmark ,forceiptstate

$IPTABLES -A FORWARD -p tcp --dport 8080 -m state --state NEW -j QUEUE
$IPTABLES -A FORWARD -p tcp --sport 8080 -m state --state ESTABLISHED -j QUEUE

should be something like

$IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW --dport 8080 -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED --sport 8080 -j MARK --set-mark 2
$IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
$IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE

clamav is not detected over http due to a change in the clamav sig for eicar. The new sig only looks for the eicar string within the first couple bytes of the fd buffer whatever. Once you add all of the http header stuff the string is no longer contained within the first couple bytes.

Regards,
Will

On 8/19/05, Holger Moskopp <gan...@mo...> wrote:
> Hello,
>
> I played around with my Snort-inline on the firewall
> on a Debian sarge 3.1
>
> I started it with:
>
> ./snort-inline -Qvc /opt/snort-inline/etc/snort-inline/snort_inline.conf
>
> Here my snort-inline.conf:
> Only some lines changed
> http://www.ganeymed.de/pixx/fw_ids/snort-inline-conf.htm
>
> We got proxy-force here so all http goes over our httpproxy.
> I tried to give all that traffic to snort-inline.
> Here is my firewall script (I marked the snort-specific part red):
> http://www.ganeymed.de/pixx/fw_ids/snorttest_sh.htm
>
> Then I started snort, in addition 2&>/tmp/test sent it all to a testfile:
> http://www.ganeymed.de/pixx/fw_ids/test_aus_temp.htm
>
> The startup looks good to me, but
> at the bottom you can see a connection of MY_IP to the proxy.
> But no traffic that comes back. But all works. I can visit websites
> from behind the firewall.
>
> Also - how can I test snort inline?
> I tried eicar.com - but nothing was blocked.
>
> How can I test if clamav works together with snort-inline?
>
> Thank you
> Best regards
> Holger Moskopp
>
> -------------------------------------------------------
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
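The detection failure Will describes (a signature that only inspects the first few bytes of the buffer, so the test string is pushed out of range once HTTP headers precede it) is easy to reproduce in isolation. The following Python is an added illustration for this thread, not code from ClamAV, snort_inline or either poster; the HTTP response is hand-built and the pattern is a constructed stand-in rather than the real EICAR string. It contrasts a depth limit applied to the raw buffer with the same depth limit applied relative to the HTTP body.

```python
"""Depth-limited signature matching against raw vs. HTTP-body-relative offsets.

Constructed example: TEST_PATTERN is a stand-in for the EICAR test string and
HTTP_RESPONSE is a hand-built proxy response. Nothing here is taken from the
ClamAV or snort_inline sources.
"""

# Constructed stand-in for the test string the signature is looking for.
TEST_PATTERN = b"TEST-SIGNATURE-STANDIN"

# The signature only inspects this many bytes from where it starts looking.
DEPTH = 64

# Constructed HTTP/1.1 response as a proxy would deliver it: a header block,
# a blank line, then the body carrying the pattern. The header block alone is
# longer than DEPTH, which is exactly the situation described in the thread.
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 19 Aug 2005 15:04:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    + TEST_PATTERN
)


def match_at_start(buf: bytes, pattern: bytes, depth: int) -> bool:
    """Emulate a signature that only looks within the first `depth` bytes of the buffer."""
    return pattern in buf[:depth]


def http_body_offset(buf: bytes) -> int:
    """Offset of the HTTP body (just past the blank line), or 0 if there is no header block."""
    idx = buf.find(b"\r\n\r\n")
    return idx + 4 if idx != -1 else 0


def match_in_body(buf: bytes, pattern: bytes, depth: int) -> bool:
    """Apply the same depth limit, but measured from the start of the HTTP body."""
    start = http_body_offset(buf)
    return pattern in buf[start:start + depth]


def evaluate() -> dict:
    """Return the three cases side by side so the gap is visible in one place."""
    return {
        "raw_file_depth_match": match_at_start(TEST_PATTERN, TEST_PATTERN, DEPTH),
        "http_depth_match": match_at_start(HTTP_RESPONSE, TEST_PATTERN, DEPTH),
        "http_body_relative_match": match_in_body(HTTP_RESPONSE, TEST_PATTERN, DEPTH),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'HIT' if hit else 'miss'}")
```

Run as a script it reports a hit for the bare file, a miss for the same bytes behind HTTP headers, and a hit again once the depth is counted from the body. In an inline IDS the equivalent fix is to anchor the content check to the reassembled payload after the header block rather than to the start of whatever buffer the preprocessor hands over; the header length varies per server and proxy, so a fixed depth from the stream start is never reliable for HTTP.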