From: Roman G. <sl...@sl...> - 2007-04-14 19:46:00
Hello, I have a feeling that stream reassembly is not working for clamav. Every time I look at /tmp, where snort_inline puts the file descriptors for the clamav test, they are 1452 bytes big. If I understand it correctly, clamav should get ueberpackets from stream4 and stream_reassembly, but that does not seem to be the case.

Here is my config:

sed -r '/^#|^$/{d}' snort_inline.conf
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var DNS_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
config checksum_mode: all
var RULE_PATH rules
config detection: search-method ac
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, memcap 134217728, max_ooo_pkts 10, max_ooo_bytes 200, max_seq_holes 100, stream4inline, disable_norm_wscale,enforce_state,timeout 3600
preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base 4096, flush_behavior random
preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
output alert_fast: snort_inline-fast
include classification.config
include reference.config
include enabled.rules

And here is the output from starting snort_inline:

snort_inline -Q -H 1 -c snort_inline.conf
Reading from iptables
Running in IDS mode
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'HONEYNET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 5 chars, value = rules
Detection:
   Search-Method = AC-Full
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 3600 seconds
    Session memory cap: 134217728 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: ACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): Yes
        Scan mode? (scan_stream_only): Both packet and stream
        Sliding Windowsize (window_size): 3000
        Memcap reached method (truncate): Prune
        Truncate percentage (truncate_percentage): 33
        Store/Load state from/to disk: No
        Max out-of-order packets in a stream (max_ooo_pkts): 10
        Max out-of-order bytes in a stream (max_ooo_bytes): 200
        Max sequence holes in a stream (max_seq_holes): 100
        Normalize wscale max (norm_wscale_max): 2
        Perform window scale normaliztion: No
        Disable out-of-order packet drop: No
        Disable out-of-order packet drop: No
        Disable sequence hole packet drop: No
        Max sequence holes in a stream (max_seq_holes): 100
        Disable wscale normalization alerts (disable_norm_wscale_alerts): No
        Disable out-of-order alerts (disable_ooo_alerts): No
        Drop bad RST packets? (drop_bad_rst): No
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: ACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: random
    Flush base: 4096
    Flush seed: 1176608780
    Flush range: 1213
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
ClamAV config:
    Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
    Virus found action: ALERT
    Virus definitions dir: '/usr/share/clamav'
    Virus DB reload time: '43200'
    Scan only traffic to the client
    Directory for tempfiles (file descriptor mode): '/tmp'
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

2742 Snort rules read...
2742 Option Chains linked into 181 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256
InitInline stage 2: InitInlinePostConfig starting...

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=6364 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6254 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6494 type=Limit tracking=src count=1 seconds=1200
| gen-id=1 sig-id=2001043 type=Limit tracking=src count=10 seconds=60
| gen-id=1 sig-id=2003268 type=Both tracking=src count=1 seconds=900
| gen-id=1 sig-id=7570 type=Limit tracking=src count=1 seconds=300
...
| gen-id=1 sig-id=6200 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6477 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=5802 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=7050 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6496 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=2002732 type=Threshold tracking=src count=10 seconds=60
| gen-id=1 sig-id=5765 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=2003266 type=Both tracking=src count=1 seconds=900
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Verifying Preprocessor Configurations!
Warning: flowbits key 'tagged' is set but not ever checked.
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'trojan' is set but not ever checked.
80 out of 512 flowbits in use.
Setting the Packet Processor to decode packets from iptables

+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size    :   256 Chars
| Sizeof State     :   2 bytes
| Storage Format   :   Full
| Num States       :   225975
| Num Transitions  :   11746889
| State Density    :   20.3%
| Finite Automatum :   DFA
| Memory           :   163.07Mbytes
+-------------------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort_Inline! <*-
  o"  )~   Version 2.6.1.2 (Build 34) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness, Dave Remien, Rob McMillen and Jed Haile
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 6>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 8>
Not Using PCAP_FRAMES

By the way, why is thresholding activated?

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------

What is it for, and how do I deactivate it?

I am using snort_inline 2.6.1.2BETA1, config flags:

./configure --enable-nfnetlink --with-libipq-includes=/usr/local/include/ --enable-clamav

Any ideas why stream4 is not reassembling packets for clamav?
With regards,
Roman Gebov
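As an added example (not from the post, and not snort_inline's own code): a small Python check that compares the ports the clamav preprocessor scans against the ports stream4_reassemble is configured to reassemble, using the two preprocessor lines from the config above and the default port list that the startup output prints for stream4_reassemble. The handling of the 'ports' syntax and the treatment of a missing clamav 'ports' option are assumptions.

```python
import re

# The stream4_reassemble and clamav lines exactly as posted in the message above.
SAMPLE_CONF = """
preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base 4096, flush_behavior random
preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp
"""

# Ports stream4_reassemble falls back to when its 'ports' option is absent, copied
# from the "Stream4_reassemble config: ... Ports:" line of the startup output above.
DEFAULT_REASSEMBLY_PORTS = frozenset({21, 23, 25, 42, 53, 80, 110, 111, 135, 136, 137,
                                      139, 143, 445, 513, 1433, 1521, 3306})

def parse_ports(tokens):
    """Expand a 'ports' value: 'all', 'default', or port numbers; '!' negates (assumed syntax)."""
    ports = set()
    for tok in tokens:
        if tok == "all":
            ports = set(range(65536))
        elif tok == "default":
            ports = set(DEFAULT_REASSEMBLY_PORTS)
        elif tok.startswith("!"):
            ports.discard(int(tok[1:]))
        else:
            ports.add(int(tok))
    return ports

def preprocessor_ports(conf, name, default):
    """Port set of 'preprocessor <name>: ...' (comma separated options); None if the line is missing."""
    m = re.search(r"^\s*preprocessor\s+" + re.escape(name) + r"\s*:\s*(.*)$", conf, re.M)
    if not m:
        return None
    for opt in m.group(1).split(","):
        tokens = opt.split()
        if tokens and tokens[0] == "ports":
            return parse_ports(tokens[1:])
    return set(default)

def unreassembled_clamav_ports(conf):
    """Ports clamav scans but stream4_reassemble never reassembles: there the scanner only sees single segments."""
    reassembled = preprocessor_ports(conf, "stream4_reassemble", DEFAULT_REASSEMBLY_PORTS)
    scanned = preprocessor_ports(conf, "clamav", ())  # assumption: no 'ports' option means none
    if reassembled is None or scanned is None:
        return None
    return scanned - reassembled

if __name__ == "__main__":
    gap = unreassembled_clamav_ports(SAMPLE_CONF)
    print(len(gap), "scanned ports are never reassembled, e.g.", sorted(gap)[:5])
```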