From: <per...@gm...> - 2006-11-04 22:18:49
Thanks for all the help. On screen the dump is just the same (as without debug). This is 10 seconds (approx.) of snort_inline output:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.663780 192.168.1.22:39681 -> 201.209.205.194:44456
UDP TTL:127 TOS:0x0 ID:60827 IpLen:20 DgmLen:45
Len: 17

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.752568 201.209.205.194:44456 -> 192.168.1.22:39681
UDP TTL:123 TOS:0x0 ID:7305 IpLen:20 DgmLen:536
Len: 508

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.765346 192.168.1.22:39681 -> 201.209.205.194:44456
UDP TTL:127 TOS:0x0 ID:60828 IpLen:20 DgmLen:45
Len: 17

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.775428 201.209.205.194:44456 -> 192.168.1.22:39681
UDP TTL:123 TOS:0x0 ID:7306 IpLen:20 DgmLen:195
Len: 167

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.816135 192.168.1.22:39681 -> 201.209.205.194:44456
UDP TTL:127 TOS:0x0 ID:60829 IpLen:20 DgmLen:45
Len: 17

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.875033 201.209.205.194:44456 -> 192.168.1.22:39681
UDP TTL:123 TOS:0x0 ID:7309 IpLen:20 DgmLen:536
Len: 508

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.905730 201.209.205.194:44456 -> 192.168.1.22:39681
UDP TTL:123 TOS:0x0 ID:7310 IpLen:20 DgmLen:102
Len: 74

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.944983 201.209.205.194:44456 -> 192.168.1.22:39681
UDP TTL:123 TOS:0x0 ID:7312 IpLen:20 DgmLen:536
Len: 508

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.966097 201.209.205.194:44456 -> 192.168.1.22:39681
UDP TTL:123 TOS:0x0 ID:7313 IpLen:20 DgmLen:50
Len: 22

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:46.062997 192.168.1.26:1202 -> 64.4.36.39:1863
TCP TTL:127 TOS:0x0 ID:2042 IpLen:20 DgmLen:217 DF
***AP*** Seq: 0x65DFED9F  Ack: 0xC85378F4  Win: 0xFA71  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:46.230546 201.209.205.194:44456 -> 192.168.1.22:39681
UDP TTL:123 TOS:0x0 ID:7316 IpLen:20 DgmLen:536
Len: 508

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Snort processed 109 packets.
===============================================================================
Breakdown by protocol:
    TCP: 33         (30.275%)
    UDP: 76         (69.725%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
    IPX: 0          (0.000%)
   FRAG: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 33             (30.275%)
        Stream Trackers: 3
        Stream flushes: 0
        Segments used: 0
        Stream4 Memory Faults: 0
===============================================================================
Going to try to restore iptables rules
/sbin/iptables-restore < /var/log/snort_inline/iptables-rules
iptables rules restored ok
now oink oink exit
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.195322)/blocks (20481/12)
Overhead blocks: 1 Could Hold: (28263)
IPV4 count: 11 frees: 0 low_time: 1162678422, high_time: 1162678426, diff: 0h:00:04s
    finds: 109 reversed: 26(%23.853211)
    find_sucess: 98 find_fail: 11 percent_success: (%89.908257) new_flows: 11
    Protocol: 6 (%30.275229)
        finds: 33 reversed: 7(%21.212121)
        find_sucess: 23 find_fail: 10 percent_success: (%69.696970) new_flows: 10
    Protocol: 17 (%69.724771)
        finds: 76 reversed: 19(%25.000000)
        find_sucess: 75 find_fail: 1 percent_success: (%98.684211) new_flows: 1
Snort exiting

--
Regards,
Francisco
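Added example (not part of Francisco's post or of snort_inline itself): a small parser for the three-line packet headers that Snort's verbose dump prints above, which turns them into records, rebuilds the "Breakdown by protocol" percentages, and cross-checks each UDP "Len:" against DgmLen - IpLen - 8. The sample input is a three-packet excerpt copied from the dump in the post; the regular expressions and the payload arithmetic are assumptions about the dump layout, inferred from those lines rather than taken from Snort's source.

```python
import re
from collections import Counter

# Excerpt of the packet headers from the dump in the post (three packets only).
SAMPLE_DUMP = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.663780 192.168.1.22:39681 -> 201.209.205.194:44456
UDP TTL:127 TOS:0x0 ID:60827 IpLen:20 DgmLen:45
Len: 17

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:45.752568 201.209.205.194:44456 -> 192.168.1.22:39681
UDP TTL:123 TOS:0x0 ID:7305 IpLen:20 DgmLen:536
Len: 508

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-18:13:46.062997 192.168.1.26:1202 -> 64.4.36.39:1863
TCP TTL:127 TOS:0x0 ID:2042 IpLen:20 DgmLen:217 DF
***AP*** Seq: 0x65DFED9F  Ack: 0xC85378F4  Win: 0xFA71  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Line 1 of a packet block: timestamp and endpoints (layout assumed from the dump).
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Line 2: IP header fields, optional DF flag.
IP_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+"
    r"ID:(?P<id>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?P<df>\s+DF)?$"
)
# Line 3 for TCP: eight-character flag field (asterisk = unset), seq/ack/window.
TCP_RE = re.compile(
    r"^(?P<flags>[*A-Z12]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)"
    r"\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)\s+TcpLen:\s*(?P<tcplen>\d+)$"
)
# Line 3 for UDP: payload length.
UDP_RE = re.compile(r"^Len:\s*(?P<len>\d+)$")


def parse_packets(text):
    """Return one dict per packet header block found in the dump text."""
    packets = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1  # separator, blank line, or trailing statistics
            continue
        pkt = m.groupdict()
        pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
        ipm = IP_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not ipm:
            i += 1
            continue
        pkt.update(proto=ipm["proto"], ttl=int(ipm["ttl"]), ip_id=int(ipm["id"]),
                   iplen=int(ipm["iplen"]), dgmlen=int(ipm["dgmlen"]), df=bool(ipm["df"]))
        third = lines[i + 2] if i + 2 < len(lines) else ""
        if pkt["proto"] == "TCP" and (tm := TCP_RE.match(third)):
            pkt["flags"] = {c for c in tm["flags"] if c != "*"}
            pkt["seq"], pkt["ack"] = int(tm["seq"], 16), int(tm["ack"], 16)
            pkt["tcplen"] = int(tm["tcplen"])
            # TCP payload = IP datagram length - IP header - TCP header
            pkt["payload"] = pkt["dgmlen"] - pkt["iplen"] - pkt["tcplen"]
        elif pkt["proto"] == "UDP" and (um := UDP_RE.match(third)):
            pkt["udp_len"] = int(um["len"])
            pkt["payload"] = pkt["udp_len"]  # Snort's UDP "Len:" is the payload size
        packets.append(pkt)
        i += 3
    return packets


def protocol_breakdown(packets):
    """Per-protocol count and percentage, like Snort's 'Breakdown by protocol'."""
    counts = Counter(p["proto"] for p in packets)
    total = sum(counts.values())
    return {proto: (n, round(100.0 * n / total, 3)) for proto, n in counts.items()}


def check_udp_lengths(packets):
    """IP IDs of UDP packets whose 'Len:' disagrees with DgmLen - IpLen - 8 (UDP header)."""
    return [p["ip_id"] for p in packets
            if p["proto"] == "UDP" and "udp_len" in p
            and p["udp_len"] != p["dgmlen"] - p["iplen"] - 8]


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_DUMP)
    for proto, (n, pct) in protocol_breakdown(pkts).items():
        print(f"{proto}: {n} ({pct}%)")
    print("UDP length mismatches:", check_udp_lengths(pkts))
```

Run against the full dump, the breakdown should reproduce Snort's own TCP/UDP counts for the packets that were printed; a non-empty list from check_udp_lengths would mean the header lines are not being paired correctly (for instance, a truncated block).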