From: Cooper F. N. <cn...@uc...> - 2007-03-07 00:36:10
I have done this and it works great, in that malicious content does not make it into the squid cache. It's pretty fast and uses both clamav and snort sigs, so I'm covered for virus, malware, phishing and web client exploits. Once content is validated it sits in the squid cache for fast retrieval. The only problem is that the page just hangs in the browser until it times out. I've been trying to figure out a way to hijack the session and redirect it to a page that would alert the reader to the malicious content and block the offending site for some period of time.

My initial opinion was that the bait'n'switch code could be turned on its ear and proxy the source of the attack, rather than the destination. However, in retrospect this seems clunky and would not work with the clamav preprocessor (I don't think). My current thinking is either to punt the whole thing and just use HAVP, or set up a named pipe to write snort alerts to and create some sort of daemon to create IP tables rules based on alerts piped to it.

-Cooper

Will Metcalf wrote:
> why not just your traffic through squid and snort_inline?
>
> On 3/6/07, *Cooper F. Nelson* <cn...@uc... <mailto:cn...@uc...>> wrote:
>
> I did not know about it! Thanks for the tip, I will look into it.
>
> I've also seen the squidclamav product, http://www.samse.fr/GPL/ , which I was not able to get to work.
>
> I was able to get the snort-inline based solution working pretty easily and blocking on virus, phishing and web client exploits; however the bad packet is just dropped. No way currently to alert the user of malicious content.
>
> My problem with both of these projects is that they are basically AV based, where I want AV + web client exploits. Maybe the right thing to do is write a parser that can read snort rules and generate clamav sigs from them.
>
> I guess I could also create a daemon to read the snort logs or database and create IP tables based rules on that.
>
> -Cooper

--
Cooper Nelson
Network Security Analyst
UCSD ACS/Network Operations
cn...@uc... x41042
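The alert-driven iptables daemon Cooper sketches (read snort alerts from a pipe or log, block the offending site for a period, then unblock) could look like the following. This is an added example, not code from the thread; it assumes Snort's "alert_fast" line format and the FORWARD chain, and the sample alert lines are constructed.

```python
"""Turn snort fast-alert lines into temporary iptables DROP rules (added example)."""
import re
import subprocess
import time

# Matches Snort's alert_fast output (assumed layout; adjust if your snort differs).
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample lines, as they would arrive over the named pipe.
SAMPLE_ALERTS = [
    "03/07-00:36:10.123456  [**] [1:2000:1] WEB-CLIENT test exploit [**] [Priority: 1] {TCP} 198.51.100.7:80 -> 10.0.0.5:33412",
    "03/07-00:36:11.000001  [**] [1:2001:1] VIRUS test signature [**] [Priority: 1] {TCP} 198.51.100.7:80 -> 10.0.0.5:33413",
    "this is not an alert line",
]

def parse_alert(line):
    """Return (sid, msg, src_ip, dst_ip) for one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m.group("sid")), m.group("msg"), m.group("src"), m.group("dst")

class Blocker:
    """Keeps one DROP rule per offending server and removes it after block_seconds.
    With dry_run=True the iptables commands are only recorded, not executed."""
    def __init__(self, dry_run=True, block_seconds=3600):
        self.dry_run, self.block_seconds = dry_run, block_seconds
        self.blocked = {}   # source ip -> expiry timestamp
        self.commands = []  # every iptables invocation, for auditing

    def _run(self, cmd):
        self.commands.append(cmd)
        if not self.dry_run:
            subprocess.run(cmd, check=True)

    def handle(self, line, now=None):
        """Process one alert line; returns the blocked source ip, or None if ignored."""
        now = time.time() if now is None else now
        parsed = parse_alert(line)
        if parsed is None:
            return None
        _sid, _msg, src, _dst = parsed
        if src not in self.blocked:  # the source is the remote site that served the content
            self._run(["iptables", "-I", "FORWARD", "-s", src, "-j", "DROP"])
        self.blocked[src] = now + self.block_seconds  # repeat hits extend the block
        return src

    def expire(self, now=None):
        """Drop rules whose block window has passed; returns the ips still blocked."""
        now = time.time() if now is None else now
        for ip, until in list(self.blocked.items()):
            if until <= now:
                self._run(["iptables", "-D", "FORWARD", "-s", ip, "-j", "DROP"])
                del self.blocked[ip]
        return sorted(self.blocked)
```

In production the loop would read lines from the named pipe with `for line in open(fifo_path)`, call `handle` on each, and call `expire` periodically; run it with `dry_run=False` only once the generated commands look right.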