From: Holger M. <gan...@mo...> - 2005-10-19 14:47:05

Hi,

sorry for my late answer, but I was also busy with that SIP/RTP stuff.

I built an island solution, so that nothing could happen with that viri. :(

| Client |-----------| FW with snort_inline and clamav |--------| ftp-server |

On the server I unzipped the viri and tried to fetch them via FTP to the client. But nothing happened on ClamAV. I got the viri on the client. No logs in the mysql database from snort_inline.

I controlled if the viri are in the clamav database. - They are.

Then I fetched the Exploid.HTML.Mht to the firewall and tested with clamscan if clamav is able to detect it. - It is!

But in the teamwork with snort_inline nothing happens.

Here are my FTP iptables rules:

$IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
$IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE
....
$IPTABLES -t mangle -A FORWARD -i $INTERN_ETH -o $EXTERN_ETH -p tcp --dport 20:21 -m state --state NEW -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -i $EXTERN_ETH -o $INTERN_ETH -p tcp --sport 20:21 -m state --state ESTABLISHED -j MARK --set-mark 2

I can see on the firewall that the packets are inspected by snort_inline - but nothing happens.

Any ideas where the mistake is?

Thank you.

best regards
Holger

Will Metcalf wrote:
>Did you actually download, unzip and try to move the extracted viri
>through the inline box? Remember, we can't deal with zipped files and
>all files on this site are zipped. We cannot unzip because we are
>only scanning fragments of files.
>
>Regards,
>
>Will
>
>On 9/26/05, Holger Moskopp <gan...@mo...> wrote:
>
>> Hi,
>>
>> I tested in the meantime a lot of virii from that page.
>> But no one was alerted by ClamAV and Snort-inline.
>>
>> Could it be that ClamAV isn't installed correctly?
>> I got a Debian Sarge and installed it with apt-get install clamav,
>> but there is only the virus dataset and the freshclam daemon.
>> Could it be that I need the daemon clamd?
>>
>> How could I find out if clamav is installed correctly for the use
>> of Snort-inline?
>>
>> Many greetings
>> Holger
>>
>> Cole wrote:
>>
>>> Hi.
>>>
>>> This website has a collection of virii. http://vx.netlux.org/ The problem is
>>> that clamav does not pick up a large amount of virii on the actual page,
>>> but it does pick up quite a lot. So try it out with that.
>>>
>>> /Cole
>>>
>>> -----Original Message-----
>>> From: sno...@li...
>>> [mailto:sno...@li...] On
>>> Behalf Of Holger Moskopp
>>> Sent: Wednesday, September 07, 2005 10:14 PM
>>> To: Victor Julien
>>> Cc: sno...@li...
>>> Subject: Re: [Snort-inline-users] Show what Snort-inline is able to do
>>>
>>> Hmm? And where can I get a virus for testing?
>>>
>>> Or is there a known webpage with a virus?
>>>
>>> Victor Julien wrote:
>>>
>>>>> Will wrote that eicar changed their site. How can I test if ClamAV works?
>>>>
>>>> I think the easiest way would be to put a virus on an ftp-server and
>>>> then try to download it through the snort_inline firewall.
>>>>
>>>> Good luck,
>>>> Victor
>>>
>>> -------------------------------------------------------
>>> SF.Net email is Sponsored by the Better Software Conference & EXPO
>>> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
>>> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
>>> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
>>> _______________________________________________
>>> Snort-inline-users mailing list
>>> Sno...@li...
>>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>-------------------------------------------------------
>This SF.Net email is sponsored by:
>Power Architecture Resource Center: Free content, downloads, discussions,
>and more. http://solutions.newsforge.com/ibmarch.tmpl
>_______________________________________________
>Snort-inline-users mailing list
>Sno...@li...
>https://lists.sourceforge.net/lists/listinfo/snort-inline-users
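As an added illustration (not part of the thread, and not a confirmed diagnosis of Holger's setup), the following Python model applies the match conditions of the four iptables rules quoted in the mail to a constructed FTP download trace and lists which packets would be marked and therefore handed to snort_inline through the QUEUE target. It talks to no real netfilter; the interface names, port numbers and per-packet conntrack states are assumptions, modelled on how `-m state` classifies packets (only the first packet of a flow is NEW, reply and later packets are ESTABLISHED, and FTP data connections are RELATED when the FTP conntrack helper is loaded).

```python
# Constructed model of the four iptables rules quoted in the mail above.
# It does NOT talk to netfilter; it applies the rules' match conditions to
# a hand-built packet trace to show which packets would be marked and hence
# reach snort_inline via the QUEUE target.
from dataclasses import dataclass

INTERN_ETH, EXTERN_ETH = "eth0", "eth1"   # assumed interface names


@dataclass
class Packet:
    in_if: str
    out_if: str
    sport: int
    dport: int
    state: str   # conntrack state as seen by -m state: NEW / ESTABLISHED / RELATED
    note: str


def mark_for(pkt):
    """Apply the two mangle/FORWARD MARK rules; return the mark, or 0 if neither matches."""
    # $IPTABLES -t mangle -A FORWARD -i $INTERN_ETH -o $EXTERN_ETH -p tcp --dport 20:21
    #   -m state --state NEW -j MARK --set-mark 1
    if (pkt.in_if == INTERN_ETH and pkt.out_if == EXTERN_ETH
            and 20 <= pkt.dport <= 21 and pkt.state == "NEW"):
        return 1
    # $IPTABLES -t mangle -A FORWARD -i $EXTERN_ETH -o $INTERN_ETH -p tcp --sport 20:21
    #   -m state --state ESTABLISHED -j MARK --set-mark 2
    if (pkt.in_if == EXTERN_ETH and pkt.out_if == INTERN_ETH
            and 20 <= pkt.sport <= 21 and pkt.state == "ESTABLISHED"):
        return 2
    return 0


def is_queued(pkt):
    """The two filter/FORWARD rules send mark 1 and mark 2 to QUEUE."""
    return mark_for(pkt) in (1, 2)


def ftp_trace(passive=True):
    """Constructed trace of one client download through the firewall.

    Assumed conntrack states: only the first packet of a flow is NEW; the reply and
    every later packet are ESTABLISHED; the first packet of an FTP data connection is
    RELATED (FTP helper loaded) and the rest ESTABLISHED. Ports are made up.
    """
    c2s = dict(in_if=INTERN_ETH, out_if=EXTERN_ETH)   # client -> server
    s2c = dict(in_if=EXTERN_ETH, out_if=INTERN_ETH)   # server -> client
    trace = [
        Packet(**c2s, sport=40001, dport=21, state="NEW", note="control SYN"),
        Packet(**s2c, sport=21, dport=40001, state="ESTABLISHED", note="control SYN/ACK"),
        Packet(**c2s, sport=40001, dport=21, state="ESTABLISHED", note="control ACK + USER/PASS/RETR"),
        Packet(**s2c, sport=21, dport=40001, state="ESTABLISHED", note="control 150 Opening data"),
    ]
    if passive:   # PASV: client connects to a high port chosen by the server
        trace += [
            Packet(**c2s, sport=40002, dport=50123, state="RELATED", note="PASV data SYN"),
            Packet(**s2c, sport=50123, dport=40002, state="ESTABLISHED", note="PASV data SYN/ACK"),
            Packet(**s2c, sport=50123, dport=40002, state="ESTABLISHED", note="PASV data: file bytes"),
            Packet(**c2s, sport=40002, dport=50123, state="ESTABLISHED", note="PASV data ACK"),
        ]
    else:         # PORT: server connects from port 20 to a client port
        trace += [
            Packet(**s2c, sport=20, dport=40003, state="RELATED", note="PORT data SYN"),
            Packet(**c2s, sport=40003, dport=20, state="ESTABLISHED", note="PORT data SYN/ACK"),
            Packet(**s2c, sport=20, dport=40003, state="ESTABLISHED", note="PORT data: file bytes"),
            Packet(**c2s, sport=40003, dport=20, state="ESTABLISHED", note="PORT data ACK"),
        ]
    return trace


def coverage(passive=True):
    """Return (queued, not_queued) lists of packet descriptions for one trace."""
    trace = ftp_trace(passive)
    queued = [p.note for p in trace if is_queued(p)]
    skipped = [p.note for p in trace if not is_queued(p)]
    return queued, skipped


if __name__ == "__main__":
    for mode in (True, False):
        q, s = coverage(passive=mode)
        print("passive" if mode else "active", "FTP")
        print("  queued to snort_inline:", q)
        print("  never queued:          ", s)
```

Under the modelled states, the client-to-server half of every connection apart from the initial control SYN never reaches QUEUE (the mark-1 rule fires only on NEW packets), and in passive mode no data-channel packet is marked at all because neither rule matches the high server port. Whether that matches the behaviour Holger observed can be checked on the firewall itself with the packet counters that `iptables -t mangle -L FORWARD -v -n` prints for each MARK rule.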