From: Will M. <wil...@gm...> - 2007-03-06 22:25:05
Why not just your traffic through squid and snort_inline?

On 3/6/07, Cooper F. Nelson <cn...@uc...> wrote:
>
> I did not know about it! Thanks for the tip, I will look into it.
>
> I've also seen the squidclamav product, http://www.samse.fr/GPL/,
> which I was not able to get to work.
>
> I was able to get the snort-inline based solution working pretty easily
> and blocking on virus, phishing and web client exploits; however the bad
> packet is just dropped. No way currently to alert the user of malicious
> content.
>
> My problem with both of these projects is that they are basically AV
> based, where I want AV + web client exploits. Maybe the right thing to
> do is write a parser that can read snort rules and generate clamav sigs
> from them.
>
> I guess I could also create a daemon to read the snort logs or database
> and create an IP tables based rule on that.
>
> -Cooper
>
> Will Metcalf wrote:
> > Why would you not use and/or extend HAVP?
> >
> > http://www.server-side.de/
> >
> > On 3/2/07, *Cooper F. Nelson* <cn...@uc...> wrote:
> >
> > Hi,
> >
> > I'm currently evaluating the possibility of using snort-inline as a
> > malware/phishing filter on an existing squid cache.
> >
> > I would appreciate some feedback/suggestions on a few issues.
> >
> > Performance is critical. Does --enable-nfnetlink help in this regard?
> > Are there any other suggestions to optimize deployment, other than
> > simply enabling only the rules/preprocessors appropriate for web
> > traffic?
> >
> > As a feature request, would it be possible to add an iptables client
> > re-direct to the clamav preprocessor and rule syntax? I would like to
> > implement something like SquidClamAV project where users are presented
> > with a page detailing that the site is blocked and why.
> >
> > --
> > Cooper Nelson
> > Network Security Analyst
> > UCSD ACS/Network Operations
> > cn...@uc... x41042
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACS/Network Operations
> cn...@uc... x41042
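The idea raised in the thread, a daemon that reads the Snort logs and derives iptables rules from them, sketched as an added example (not code from the thread or from snort-inline). It assumes Snort's `alert_fast` log format, the `INPUT` chain on the cache host, a hypothetical list of protected local ranges, and constructed sample lines; it builds the rule arguments and does not execute them.

```python
import ipaddress
import re

# Snort alert_fast line: ts [**] [gid:sid:rev] msg [**] ... [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")

# Assumption: local ranges that must never be blocked, so a misattributed
# alert cannot cut the cache off from its own clients.
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]

# Constructed sample input (documentation addresses, made-up local SIDs).
_T = ("03/06-22:10:01.100000  [**] [1:{sid}:1] constructed sample [**] "
      "[Classification: Attempted User Privilege Gain] [Priority: {p}] {{TCP}} {src}:80 -> 192.0.2.10:34567")
SAMPLE = [
    _T.format(sid=1000001, p=1, src="203.0.113.7"),   # high priority: block
    _T.format(sid=1000002, p=1, src="203.0.113.7"),   # same server again: deduplicated
    _T.format(sid=1000003, p=3, src="198.51.100.9"),  # low priority: ignored by default
    _T.format(sid=1000004, p=1, src="10.1.2.3"),      # protected range: never blocked
    "not an alert line",                              # unparseable: skipped
    _T.format(sid=1000005, p=1, src="999.1.1.1"),     # invalid address: rejected
]

def parse_fast_alert(line):
    """Return the fields needed for blocking, or None if the line is not a valid alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])  # validate before it reaches a rule
    except ValueError:
        return None
    return {"sid": int(m["sid"]), "prio": int(m["prio"]), "src": src, "sport": int(m["sport"])}

def block_rules(lines, max_priority=1, chain="INPUT"):
    """Build one iptables DROP rule (argv list) per web server behind a qualifying alert."""
    seen, rules = set(), []
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or a["prio"] > max_priority or a["sport"] not in (80, 8080):
            continue
        if a["src"] in seen or any(a["src"] in net for net in PROTECTED):
            continue
        seen.add(a["src"])
        rules.append(["iptables", "-I", chain, "-s", str(a["src"]), "-p", "tcp",
                      "-m", "comment", "--comment", f"snort sid {a['sid']}", "-j", "DROP"])
    return rules

if __name__ == "__main__":
    for rule in block_rules(SAMPLE):
        print(" ".join(rule))
```

Returning argument lists rather than shell strings keeps log-derived values out of a shell if the rules are later applied with `subprocess.run`.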