From: Holger M. <gan...@mo...> - 2005-08-22 18:51:23
Thank you for your answer. I tested it today without mysql - only with 2$>/tmp/test. That works - I think - I can see the "back-coming" traffic now. But I can't see snort_inline doing anything. There is nothing in the logfiles; snort_inline_full or fast are empty. But how can I test if Snort-inline and clamAV are doing anything? Is there another possibility to test that?

Thank you
Best regards
Holger

Will Metcalf wrote:
> preprocessor stream4: disable_evasion_alerts, iptablesnewmark,
> iptablesestmart, forceipstate
>
> should be
>
> preprocessor stream4: disable_evasion_alerts,iptablesnewmark
> ,iptablesestmark ,forceiptstate
>
> $IPTABLES -A FORWARD -p tcp --dport 8080 -m state --state NEW -j QUEUE
> $IPTABLES -A FORWARD -p tcp --sport 8080 -m state --state ESTABLISHED -j QUEUE
>
> should be something like
>
> $IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW
> --dport 8080 -j MARK --set-mark 1
>
> $IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED
> --sport 8080 -j MARK --set-mark 2
>
> $IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
> $IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE
>
> clamav is not detected over http due to a change in the clamav sig for
> eicar. The new sig only looks for the eicar string within the first
> couple bytes of the fd buffer whatever. Once you add all of the http
> header stuff the string is no longer contained within the first
> couple bytes.
>
> Regards,
>
> Will
>
> On 8/19/05, Holger Moskopp <gan...@mo...> wrote:
>
>> Hello,
>>
>> I played around with my Snort-inline on the Firewall
>> on a debian sarge 3.1
>>
>> I started it with:
>>
>> ./snort-inline -Qvc /opt/snort-inline/etc/snort-inline/snort_inline.conf
>>
>> Here my snort-inline.conf:
>> Only some lines changed
>> http://www.ganeymed.de/pixx/fw_ids/snort-inline-conf.htm
>>
>> We have proxy-force here so all http goes over our httpproxy.
>> I tried to give all that traffic to snort-inline.
>> Here is my firewall script (I marked the snort-specific part red):
>> http://www.ganeymed.de/pixx/fw_ids/snorttest_sh.htm
>>
>> Then I started snort in addition with 2&>/tmp/test to send it all to a testfile:
>> http://www.ganeymed.de/pixx/fw_ids/test_aus_temp.htm
>>
>> The startup looks good to me, but
>> on the bottom, you can see a connection of MY_IP to the Proxy.
>> But no traffic that comes back. But all works. I can visit websites
>> from behind the firewall.
>>
>> Also - how can I test snort inline?
>> I tried eicar.com - but nothing was blocked.
>>
>> How can I test if clamav works together with snort-inline?
>>
>> Thank you
>> Best regards
>> Holger Moskopp
>>
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
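The mark-and-queue rule set that Will's reply suggests, written up as an added shell example (an editor's addition, not code from the thread or from the snort_inline project). It assumes the proxy port 8080 and the marks 1 and 2 from the thread; `IPTABLES` defaults to `echo iptables`, so the rules are only printed for review unless it is pointed at the real binary. The `check_rules` function is a constructed sanity check that both directions end up in the QUEUE target, which is the point of Will's correction: without the ESTABLISHED leg, snort_inline never sees the returning traffic.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): emit the corrected
# snort_inline iptables rule set as a parameterised function.
# IPTABLES defaults to a dry-run that prints the rules instead of
# applying them; set IPTABLES=/sbin/iptables on the real firewall.
IPTABLES="${IPTABLES:-echo iptables}"
PROXY_PORT="${PROXY_PORT:-8080}"   # forced HTTP proxy port from the thread
NEW_MARK=1                         # mark for client -> proxy (NEW) flows
EST_MARK=2                         # mark for proxy -> client (ESTABLISHED) flows

# Matching snort_inline.conf line from the thread (iptablesnewmark /
# iptablesestmark tell stream4 which mark means which direction):
#   preprocessor stream4: disable_evasion_alerts,iptablesnewmark,iptablesestmark,forceiptstate

snort_inline_rules() {
    # mangle table: tag each direction so stream4 can tell them apart
    $IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW \
        --dport "$PROXY_PORT" -j MARK --set-mark "$NEW_MARK"
    $IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED \
        --sport "$PROXY_PORT" -j MARK --set-mark "$EST_MARK"
    # filter table: hand both marked directions to QUEUE, where
    # snort_inline -Q reads them (-I so they precede any ACCEPT rule)
    $IPTABLES -I FORWARD -m mark --mark "$NEW_MARK" -j QUEUE
    $IPTABLES -I FORWARD -m mark --mark "$EST_MARK" -j QUEUE
}

# Sanity check on the generated rule set: two MARK rules and two QUEUE
# rules are required, otherwise only one direction reaches snort_inline
# and the logs stay empty just as described in the thread.
check_rules() {
    rules=$(IPTABLES="echo iptables" snort_inline_rules)
    queued=$(printf '%s\n' "$rules" | grep -c -- '-j QUEUE')
    marked=$(printf '%s\n' "$rules" | grep -c -- '-j MARK --set-mark')
    [ "$queued" -eq 2 ] && [ "$marked" -eq 2 ]
}

snort_inline_rules
```

Run it as-is to see the four rules it would apply; once they look right, rerun with `IPTABLES=/sbin/iptables` on the firewall and confirm the counters move with `iptables -t mangle -L FORWARD -v` while a client fetches a page through the proxy.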