From: Victor J. <vi...@nk...> - 2006-11-04 22:28:44

Francisco Muñoz wrote:
> Thanks for all the help.
>
> On screen the dump is just the same (as without debug). This is 10
> seconds (approx.) of snort_inline output:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.663780 192.168.1.22:39681 -> 201.209.205.194:44456
> UDP TTL:127 TOS:0x0 ID:60827 IpLen:20 DgmLen:45
> Len: 17
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.752568 201.209.205.194:44456 -> 192.168.1.22:39681
> UDP TTL:123 TOS:0x0 ID:7305 IpLen:20 DgmLen:536
> Len: 508
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.765346 192.168.1.22:39681 -> 201.209.205.194:44456
> UDP TTL:127 TOS:0x0 ID:60828 IpLen:20 DgmLen:45
> Len: 17
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.775428 201.209.205.194:44456 -> 192.168.1.22:39681
> UDP TTL:123 TOS:0x0 ID:7306 IpLen:20 DgmLen:195
> Len: 167
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.816135 192.168.1.22:39681 -> 201.209.205.194:44456
> UDP TTL:127 TOS:0x0 ID:60829 IpLen:20 DgmLen:45
> Len: 17
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.875033 201.209.205.194:44456 -> 192.168.1.22:39681
> UDP TTL:123 TOS:0x0 ID:7309 IpLen:20 DgmLen:536
> Len: 508
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.905730 201.209.205.194:44456 -> 192.168.1.22:39681
> UDP TTL:123 TOS:0x0 ID:7310 IpLen:20 DgmLen:102
> Len: 74
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.944983 201.209.205.194:44456 -> 192.168.1.22:39681
> UDP TTL:123 TOS:0x0 ID:7312 IpLen:20 DgmLen:536
> Len: 508
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:45.966097 201.209.205.194:44456 -> 192.168.1.22:39681
> UDP TTL:123 TOS:0x0 ID:7313 IpLen:20 DgmLen:50
> Len: 22
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:46.062997 192.168.1.26:1202 -> 64.4.36.39:1863
> TCP TTL:127 TOS:0x0 ID:2042 IpLen:20 DgmLen:217 DF
> ***AP*** Seq: 0x65DFED9F Ack: 0xC85378F4 Win: 0xFA71 TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/04-18:13:46.230546 201.209.205.194:44456 -> 192.168.1.22:39681
> UDP TTL:123 TOS:0x0 ID:7316 IpLen:20 DgmLen:536
> Len: 508
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>

I don't see any clamav output in there. That's strange... ahh, it looks as if the debugging is not yet enabled. Not only is clamav debugging missing, but also other snort debug info...

In your source directory do:

    make clean
    ./configure --enable-debug <your other configure options, if any>
    make
    make install

then rerun Snort_inline with:

    export SNORT_DEBUG=67108864
    [root@camel log]# snort_inline -c /etc/snort_inline/snort_inline.conf -Q

If there still is no per-packet clamav output, please check if the value of 67108864 is correct. To do this, from your source directory do:

    $ grep CLAMAV src/debug.h
    #define DEBUG_CLAMAV 0x04000000 /* 67108864 */

That is the output I get. Maybe yours is different...

Cheers!
Victor
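Added example, not part of Victor's message and not code from the snort_inline project: SNORT_DEBUG is a bitmask, so rather than trusting the number 67108864 from a post, the value can be derived from whatever the local checkout's src/debug.h actually defines, and several DEBUG_* categories can be ORed into one value. The header the script parses is constructed inline; only DEBUG_CLAMAV 0x04000000 comes from the thread, the other two names and values are hypothetical stand-ins, and the src/debug.h path in the usage comment is the one the post mentions.

```sh
#!/bin/sh
# Added example (not from snort_inline): compute the decimal SNORT_DEBUG value
# for one or more DEBUG_* categories by reading their bits out of a debug.h-style
# header, instead of copying a magic number that may not match the local source.

# Constructed stand-in for src/debug.h. DEBUG_CLAMAV matches the value quoted in
# the thread; DEBUG_INIT and DEBUG_STREAM are hypothetical names and values.
make_sample_debug_h() {
    cat > "$1" <<'EOF'
#define DEBUG_INIT   0x00000001  /* hypothetical */
#define DEBUG_STREAM 0x00000200  /* hypothetical */
#define DEBUG_CLAMAV 0x04000000  /* 67108864 */
EOF
}

# Print the decimal value of one "#define DEBUG_X 0x..." line from a header.
# Usage: debug_flag_value <header> <FLAG_NAME>   (fails if the flag is absent)
debug_flag_value() {
    hex=$(sed -n "s/^#define[[:space:]]\{1,\}$2[[:space:]]\{1,\}\(0x[0-9A-Fa-f]\{1,\}\).*/\1/p" "$1")
    [ -n "$hex" ] || { echo "flag $2 not found in $1" >&2; return 1; }
    # printf %d accepts a C-style 0x constant and prints it in decimal
    printf '%d\n' "$hex"
}

# OR several categories together into the decimal value SNORT_DEBUG expects.
# Usage: snort_debug_value <header> <FLAG_NAME>...
snort_debug_value() {
    hdr=$1
    shift
    mask=0
    for name in "$@"; do
        v=$(debug_flag_value "$hdr" "$name") || return 1
        mask=$((mask | v))
    done
    echo "$mask"
}

# Demo on the constructed header: the clamav category alone.
tmp=$(mktemp)
make_sample_debug_h "$tmp"
echo "SNORT_DEBUG=$(snort_debug_value "$tmp" DEBUG_CLAMAV)"   # 67108864
rm -f "$tmp"

# Against a real checkout (path from the post, other options hypothetical):
#   SNORT_DEBUG=$(snort_debug_value src/debug.h DEBUG_CLAMAV) \
#       snort_inline -c /etc/snort_inline/snort_inline.conf -Q
```

The function fails loudly when a flag name is not in the header, which is the case worth noticing: a build whose debug.h lacks DEBUG_CLAMAV will never print per-packet clamav output no matter what SNORT_DEBUG is set to.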