From: Will M. <wil...@gm...> - 2007-03-07 01:30:20

As long as you are forcing HAVP to be your upstream proxy you should get back a "page has been blocked because of virus xyz" message...... Make sure you have ALL of the lines listed on the FAQ page...

acl all src 0.0.0.0/0.0.0.0
cache_peer 127.0.0.1 parent 8000 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all
acl Scan_HTTP proto HTTP
never_direct allow Scan_HTTP

Regards,
Will

On 3/6/07, Cooper F. Nelson <cn...@uc...> wrote:
>
> I have done this and it works great, in that malicious content does not
> make it into the squid cache. It's pretty fast and uses both clamav and
> snort sigs, so I'm covered for virus, malware, phishing and web client
> exploits. Once content is validated it sits in the squid cache for fast
> retrieval.
>
> The only problem is that the page just hangs in the browser until it
> times out. I've been trying to figure out a way to hijack the session
> and redirect it to a page that would alert the reader to the malicious
> content and block the offending site for some period of time.
>
> My initial opinion was that the bait'n'switch code could be turned on
> its ear and proxy the source of the attack, rather than the destination.
> However, in retrospect this seems clunky and would not work with the
> clamav preprocessor (I don't think).
>
> My current thinking is either to punt the whole thing and just use HAVP,
> or set up a named pipe to write snort alerts to and create some sort of
> daemon to create IP tables rules based on alerts piped to it.
>
> -Cooper
>
>
> Will Metcalf wrote:
> > why not just your traffic through squid and snort_inline?
> >
> > On 3/6/07, *Cooper F. Nelson* <cn...@uc...> wrote:
> >
> >     I did not know about it! Thanks for the tip, I will look into it.
> >
> >     I've also seen the squidclamav product, http://www.samse.fr/GPL/ ,
> >     which I was not able to get to work.
> >
> >     I was able to get the snort-inline based solution working pretty easily
> >     and blocking on virus, phishing and web client exploits; however the bad
> >     packet is just dropped. No way currently to alert the user of malicious
> >     content.
> >
> >     My problem with both of these projects is that they are basically AV
> >     based, where I want AV + web client exploits. Maybe the right thing to
> >     do is write a parser that can read snort rules and generate clamav sigs
> >     from them.
> >
> >     I guess I could also create a daemon to read the snort logs or database
> >     and create IP tables based rules on that.
> >
> >     -Cooper
> >
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACS/Network Operations
> cn...@uc... x41042
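As an added example that is not part of this thread: a small Python check, run here against a constructed squid.conf fragment, that confirms the directives Will lists are present and consistent (the HAVP parent peer on 127.0.0.1:8000 with the listed options, a matching cache_peer_access, and a never_direct rule whose acl is actually defined, since without never_direct Squid is free to fetch directly and bypass the scanner). The host, port and function names are this example's own assumptions.

```python
"""Check a squid.conf for the directives that force HAVP to be the upstream scanning proxy."""

# Constructed sample squid.conf fragment (not taken from any real deployment).
SAMPLE_CONF = """\
http_port 3128
acl all src 0.0.0.0/0.0.0.0
cache_peer 127.0.0.1 parent 8000 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all
acl Scan_HTTP proto HTTP
never_direct allow Scan_HTTP
"""

# Peer options the FAQ lines use; 'default' makes HAVP the fallback parent.
REQUIRED_PEER_OPTIONS = {"no-query", "no-digest", "no-netdb-exchange", "default"}


def parse_squid_conf(text):
    """Return directives as a list of (name, [args]); comments and blank lines are skipped."""
    directives = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def check_havp_chain(text, havp_host="127.0.0.1", havp_port="8000"):
    """Return a list of problems; an empty list means the HAVP chain matches the FAQ lines."""
    problems = []
    d = parse_squid_conf(text)
    peers = [a for n, a in d if n == "cache_peer" and a[:1] == [havp_host]]
    if not peers:
        problems.append(f"no cache_peer for {havp_host}")
    else:
        args = peers[0]  # [host, type, http_port, icp_port, options...]
        if args[1:3] != ["parent", havp_port]:
            problems.append(f"cache_peer {havp_host} is not 'parent {havp_port}'")
        missing = REQUIRED_PEER_OPTIONS - set(args[4:])
        if missing:
            problems.append("cache_peer missing options: " + ", ".join(sorted(missing)))
    if not any(n == "cache_peer_access" and a[:2] == [havp_host, "allow"] for n, a in d):
        problems.append(f"no 'cache_peer_access {havp_host} allow ...'")
    # never_direct must name an acl that exists, otherwise Squid can still go direct.
    acls = {a[0] for n, a in d if n == "acl" and a}
    nd = [a for n, a in d if n == "never_direct" and a[:1] == ["allow"]]
    if not nd:
        problems.append("no 'never_direct allow <acl>' (Squid may bypass HAVP)")
    elif nd[0][1] not in acls:
        problems.append(f"never_direct references undefined acl '{nd[0][1]}'")
    return problems
```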