From: <per...@gm...> - 2006-11-04 20:05:56
Greetings. I've been using snort_inline for several months and want to use the clamav preprocessor, but I have no luck. iptables is properly configured to use the QUEUE target and snort_inline is able to process traffic bidirectionally. (By the way, I'm using vuurmuur 0.5.71 to generate my iptables rules. Kudos to Victor Julien.)

snort_inline 2.4.5a, compiled with
./configure --enable-clamav --with-clamav-includes=/usr/include --with-clamav-defdir=/var/clamav
libnet 1.0.2a
libdnet 1.11-1.2
iptables 1.3.1
kernel 2.6.12 on CentOS 4.4
libclamav 0.88

Actually I'm using the bleeding edge rules with full success. All suspicious traffic is dropped and logged:

BLEEDING-EDGE P2P Gnutella Connect [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.31:2973 -> 66.169.16.160:51793
11/04-15:22:36.587473 [**] [1:2001855:16] BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:2976 -> 200.69.229.81:80
11/04-15:22:39.769548 [**] [1:2001664:3] BLEEDING-EDGE P2P Gnutella Connect [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.31:2979 -> 87.4.226.253:52799

I did use a tmpfs directory and set permissions to 0755 on that. Sometimes I leave file-descriptor-dir unconfigured so snort_inline uses /tmp, but no luck anyway. When I uncomment the "preprocessor clamav" line, all traffic is dropped. This is my snort_inline.conf:
### Network variables
var HOME_NET 192.168.1.0/24
# var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
config checksum_mode: all
var RULE_PATH /etc/snort_inline/rules
# config layer2resets: 00:04:75:A0:40:5E
# config flowbits recommendation
config flowbits_size: 256
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
preprocessor stickydrop-ignorehosts: 192.168.1.0/24
preprocessor bait-and-switch: max_entries 200,log,insert_before
preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, \
    enforce_state, memcap 134217728, timeout 3600, \
    truncate, window_size 4096
preprocessor stream4_reassemble
#preprocessor clamav: toclientonly, ports all !22 !443, action-drop, descriptor-temp-dir /clamscan, dbreload-time 43200
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
output alert_fast: snort_inline-fast
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
# bleeding
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding.rules

I'm running snort_inline (for test purposes only) this way:

snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline -t /var/log/snort_inline -v

TIA
--
Francisco
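The alert_fast lines quoted in the post follow the fixed Snort fast-alert layout, and when snort_inline is in drop mode they are the only record of what was blocked. As an added example (not code from the post or from the snort_inline project), here is a small parser for that format that runs over the three quoted lines and tallies drops per signature and per source host; the first quoted line is truncated in the post, and the parser reports it as unparseable rather than guessing.

```python
import re
from collections import Counter

# alert_fast layout, as quoted in the post:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>[A-Z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def _split_endpoint(ep):
    # "192.168.1.31:2976" -> ("192.168.1.31", 2976); ICMP alerts carry no port -> (ip, None)
    ip, sep, port = ep.rpartition(":")
    return (ip, int(port)) if sep and port.isdigit() else (ep, None)

def parse_fast_alert(line):
    # Returns a dict of fields, or None for an incomplete line (like the first one in the post)
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "priority"):
        rec[k] = int(rec[k])
    rec["src_ip"], rec["src_port"] = _split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = _split_endpoint(rec.pop("dst"))
    return rec

def summarize(lines):
    # Count alerts per (sid, msg) and per source host; unparseable lines are counted, not dropped silently
    by_sig, by_src, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            skipped += 1
            continue
        by_sig[(rec["sid"], rec["msg"])] += 1
        by_src[rec["src_ip"]] += 1
    return {"by_signature": by_sig, "by_source": by_src, "skipped": skipped}

# Sample input: the three alert lines quoted in the post (the first is truncated there)
SAMPLE_ALERTS = [
    "BLEEDING-EDGE P2P Gnutella Connect [**] [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 1] {TCP} 192.168.1.31:2973 -> 66.169.16.160:51793",
    "11/04-15:22:36.587473 [**] [1:2001855:16] BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) "
    "[**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:2976 -> 200.69.229.81:80",
    "11/04-15:22:39.769548 [**] [1:2001664:3] BLEEDING-EDGE P2P Gnutella Connect [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.31:2979 -> 87.4.226.253:52799",
]
```

Run `summarize(open("/var/log/snort_inline/snort_inline-fast"))` against the real file to see which signatures account for the drops; a sudden jump in `skipped` or in a single source host is worth looking at before touching the preprocessor list.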