From: <per...@gm...> - 2006-11-04 22:02:30
I just compiled snort_inline with --enable-debug and exported SNORT_DEBUG, but... where do I get the debug log? snort_inline just works the same (dropping all), and I get no logs in /var/log or /var/log/snort_inline. By the way, I created /tmp/snort_inline for clamav, set mode 777, and still nothing. Here is the initialization info:

export SNORT_DEBUG=67108864
[root@camel log]# snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline -v
Reading from iptables
Running in IDS mode
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
default iptcmd is /sbin/iptables
default iptsave is /sbin/iptables-save > /var/log/snort_inline/iptables-rules
default iptrestore is /sbin/iptables-restore < /var/log/snort_inline/iptables-rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
truncating mode enabled
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 3600 seconds
    Session memory cap: 134217728 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: ACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): Yes
        Sliding Windowsize (window_size): 4096 (max full conn: 32768)
        Memcap reached method (truncate): Truncate
        Truncate percentage (truncate_percentage): 33
        DROP out-of-window packets (drop_out_of_window): No
        DROP data on unestablised session state (drop_data_on_unest): No
        DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
        DROP packet not within session limits (drop_not_in_limits): No
        DROP ttl evasion (drop_ttl_evasion): No
        Store/Load state from/to disk: No
WARNING /etc/snort_inline/snort_inline.conf(306) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old Packet
    Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
ClamAV config:
    Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
    Virus found action: DROP
    Virus definitions dir: '/var/clamav'
    Virus DB reload time: '600'
    Scan only traffic to the client
    Directory for tempfiles (file descriptor mode): '/tmp/snort_inline'
LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: ***   DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

4601 Snort rules read...
4601 Option Chains linked into 239 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked.
Warning: flowbits key 'trojan' is set but not ever checked.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'ssh.brute.attempt' is set but not ever checked.
InitInline stage 2: InitInlinePostConfig starting...
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2002994    type=Both       tracking=src count=20  seconds=120
| gen-id=1      sig-id=2002801    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2003068    type=Threshold  tracking=src count=5   seconds=120
| gen-id=1      sig-id=2001034    type=Limit      tracking=src count=2   seconds=360
| gen-id=1      sig-id=2000048    type=Limit      tracking=dst count=1   seconds=60
| gen-id=1      sig-id=2002878    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2001796    type=Threshold  tracking=src count=10  seconds=60
| gen-id=1      sig-id=2400001    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2002758    type=Limit      tracking=src count=1   seconds=120
| gen-id=1      sig-id=2001858    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2001906    type=Both       tracking=src count=5   seconds=60
| gen-id=1      sig-id=2410002    type=Limit      tracking=dst count=1   seconds=3600
| gen-id=1      sig-id=5323       type=Limit      tracking=src count=1   seconds=60
| gen-id=1      sig-id=2002992    type=Both       tracking=src count=20  seconds=120
| gen-id=1      sig-id=2002761    type=Both       tracking=src count=5   seconds=3600
| gen-id=1      sig-id=2923       type=Threshold  tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2924       type=Threshold  tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2001713    type=Limit      tracking=src count=1   seconds=30
| gen-id=1      sig-id=2001043    type=Limit      tracking=src count=10  seconds=60
| gen-id=1      sig-id=2002911    type=Threshold  tracking=src count=5   seconds=60
| gen-id=1      sig-id=2001872    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=5322       type=Limit      tracking=src count=1   seconds=60
| gen-id=1      sig-id=2000340    type=Limit      tracking=dst count=1   seconds=600
| gen-id=1      sig-id=2400000    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2001569    type=Both       tracking=src count=70  seconds=60
| gen-id=1      sig-id=2001219    type=Threshold  tracking=src count=5   seconds=120
| gen-id=1      sig-id=2001904    type=Both       tracking=src count=30  seconds=60
| gen-id=1      sig-id=2523       type=Both       tracking=dst count=10  seconds=10
| gen-id=1      sig-id=2000031    type=Limit      tracking=dst count=1   seconds=60
| gen-id=1      sig-id=2410003    type=Limit      tracking=dst count=1   seconds=3600
| gen-id=1      sig-id=5321       type=Limit      tracking=src count=1   seconds=60
| gen-id=1      sig-id=2001267    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2400003    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2001873    type=Limit      tracking=src count=1   seconds=60
| gen-id=1      sig-id=2001846    type=Threshold  tracking=dst count=30  seconds=300
| gen-id=1      sig-id=2001583    type=Both       tracking=src count=70  seconds=60
| gen-id=1      sig-id=2002664    type=Limit      tracking=src count=1   seconds=60
| gen-id=1      sig-id=2410001    type=Limit      tracking=dst count=1   seconds=3600
| gen-id=1      sig-id=2410004    type=Limit      tracking=dst count=1   seconds=3600
| gen-id=1      sig-id=2001841    type=Threshold  tracking=src count=40  seconds=300
| gen-id=1      sig-id=2002973    type=Both       tracking=src count=10  seconds=60
| gen-id=1      sig-id=2001855    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2002402    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2402000    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2001235    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2001972    type=Both       tracking=src count=20  seconds=360
| gen-id=1      sig-id=2002364    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2001580    type=Both       tracking=src count=70  seconds=60
| gen-id=1      sig-id=2000005    type=Limit      tracking=src count=1   seconds=120
| gen-id=1      sig-id=2001809    type=Threshold  tracking=src count=10  seconds=60
| gen-id=1      sig-id=2001663    type=Limit      tracking=src count=2   seconds=360
| gen-id=1      sig-id=2400004    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2002760    type=Both       tracking=src count=10  seconds=600
| gen-id=1      sig-id=2002993    type=Both       tracking=src count=20  seconds=120
| gen-id=1      sig-id=2002749    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2002732    type=Threshold  tracking=src count=10  seconds=60
| gen-id=1      sig-id=2002180    type=Threshold  tracking=src count=5   seconds=60
| gen-id=1      sig-id=2001712    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2002383    type=Threshold  tracking=dst count=5   seconds=120
| gen-id=1      sig-id=2000049    type=Limit      tracking=dst count=1   seconds=60
| gen-id=1      sig-id=2002995    type=Both       tracking=src count=20  seconds=120
| gen-id=1      sig-id=2001315    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2002400    type=Limit      tracking=src count=2   seconds=360
| gen-id=1      sig-id=3527       type=Limit      tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2002742    type=Limit      tracking=src count=1   seconds=120
| gen-id=1      sig-id=2001795    type=Limit      tracking=src count=30  seconds=60
| gen-id=1      sig-id=2400002    type=Limit      tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2410000    type=Limit      tracking=dst count=1   seconds=3600
| gen-id=1      sig-id=2001316    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2002842    type=Both       tracking=src count=5   seconds=60
| gen-id=1      sig-id=2001582    type=Both       tracking=src count=70  seconds=60
| gen-id=1      sig-id=2002910    type=Threshold  tracking=src count=5   seconds=60
| gen-id=1      sig-id=2001579    type=Both       tracking=src count=70  seconds=60
| gen-id=1      sig-id=2002750    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2275       type=Threshold  tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2001553    type=Threshold  tracking=src count=100 seconds=60
| gen-id=1      sig-id=2001581    type=Both       tracking=src count=70  seconds=60
| gen-id=1      sig-id=2002751    type=Limit      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2000929    type=Limit      tracking=src count=1   seconds=360
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log

Log directory = /var/log/snort_inline

        --== Initialization Complete ==--

   ,,_     -*> Snort_Inline! <*-
  o"  )~   Version 2.4.5 (Build 29)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
           Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
           Dave Remien, Rob McMillen and Jed Haile
NOTE: Snort's default output has changed in version 2.4.1!
      The default logging mode is now PCAP, use "-K ascii" to activate
      the old default logging mode.
On 11/4/06, Francisco Muñoz <per...@gm...> wrote:
>
> ---------- Forwarded message ----------
> From: Victor Julien <vi...@nk...>
> Date: Nov 4, 2006 4:59 PM
> Subject: Re: [Snort-inline-users] Fwd: Clamav
> To: Francisco Muñoz <per...@gm...>
> Cc: sno...@li...
>
> > I'll not be running snort_inline chrooted again. I thought it'd
> > improve performance.
>
> So without the -t option it still doesn't work?
>
> No, doesn't work, still drops all packets.
>
> Can you add and remove files from /clamscan manually? Have you tried
> supplying an ordinary directory to the clamav preprocessor?
>
> I can add and remove files manually as an ordinary user to /clamscan.
>
> I don't know how to supply an ordinary directory to the clamav
> preprocessor.
>
> If that all doesn't work you can compile snort_inline in debug mode. You
> do that by adding --enable-debug to ./configure.
>
> Then, when you have rebuilt snort_inline, you can run it like this:
> export SNORT_DEBUG=67108864
> snort_inline <all your normal args>
>
> This will hopefully give some interesting output :-)
>
> OK, I'll do it and post my findings.
>
> Regards,
> Victor
>
> Thanks a lot.
>
> --
> Regards,
> Francisco

--
Saludos,
Francisco
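An added example for anyone hitting the same "where did the debug output go?" question; this is not code from the thread or from the snort_inline project. It assumes two things: that snort_inline's DebugMessage() output is written to the process's stderr rather than into the -l log directory (so it must be redirected explicitly), and that the value Victor gives, 67108864 = 0x04000000 = bit 26, is the clamav preprocessor's debug flag in this tree's src/debug.h (verify against your own checkout; the bit assignment is a build-specific assumption here). It also deliberately omits the -N option from the post's command line, because -N turns packet logging off, which would explain an empty log directory on its own. The script composes the SNORT_DEBUG mask from bit positions, checks that the clamav tempfile directory is usable by the running user, and prints a command that tees all output into a file.

```shell
#!/bin/sh
# Added example, not from the snort_inline project.
# ASSUMPTIONS (not confirmed by the thread):
#  - snort_inline debug output goes to stderr, not the -l directory
#  - bit 26 (67108864 = 0x04000000) is the clamav preprocessor's debug
#    flag in src/debug.h of this tree; check your own headers

# Compose a SNORT_DEBUG mask from one or more bit positions (0..31).
# e.g. snort_debug_mask 26  -> 67108864
snort_debug_mask() {
    mask=0
    for bit in "$@"; do
        mask=$(( mask | (1 << bit) ))
    done
    printf '%s\n' "$mask"
}

# Succeeds only if the directory exists and the current user can both
# create files in it (w) and traverse it (x). mode 777 on the directory
# is not enough if a parent directory blocks traversal.
clamav_tmpdir_ok() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]
}

# Print a command line that keeps the post's options (minus -N, which
# disables packet logging) and tees stdout+stderr into $1 so the debug
# messages are captured even though they never reach the -l directory.
snort_inline_debug_cmd() {
    logfile=$1
    mask=$(snort_debug_mask 26)
    printf 'SNORT_DEBUG=%s snort_inline -c /etc/snort_inline/snort_inline.conf -Q -l /var/log/snort_inline -v 2>&1 | tee %s\n' \
        "$mask" "$logfile"
}

# Interactive use (run as the user snort_inline will run as):
#   clamav_tmpdir_ok /tmp/snort_inline || echo "tempdir not usable"
#   eval "$(snort_inline_debug_cmd /tmp/snort_inline-debug.log)"
```

Run the tempdir check as the same user snort_inline drops to (if it drops privileges at all), not as root, since root passes the -w test on nearly any directory.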