Menu
▾
▴
Re: [Snort-inline-users] stream4 reassembly and clamav
|
From: Will M. <wil...@gm...> - 2007-04-16 01:46:31
|
enable stream4inline
On 4/14/07, Roman Glebov <sl...@sl...> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hallo,
> i have a feeling that streamreassembly is not working for clamav.
>
> All the time i look at the /tmp where snort_inline puts
> filedescriptors for the clamav test, they are 1452 bytes big.
>
> If i understand it correctly clamav should get ueberpackets from
> stream4 and steam_reassembly but it seems not to be the case.
>
>
> Here is my config:
>
> sed -r '/^#|^$/{d}' snort_inline.conf
> var HOME_NET any
> var HONEYNET any
> var EXTERNAL_NET any
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
> var DNS_SERVERS any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS
> [
> 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24
> ]
> config checksum_mode: all
> var RULE_PATH rules
> config detection: search-method ac
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts, memcap 134217728,
> max_ooo_pkts 10, max_ooo_bytes 200, max_seq_holes 100, stream4inline,
> disable_norm_wscale,enforce_state,timeout 3600
> preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base
> 4096, flush_behavior random
> preprocessor clamav: ports all !22 !443, toclientonly, dbdir
> /usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp
> preprocessor sfportscan: proto { all } \
> memcap { 10000000 } \
> sense_level { low }
> output alert_fast: snort_inline-fast
> include classification.config
> include reference.config
> include enabled.rules
>
>
> and here is the output from starting snort_inline:
>
> snort_inline -Q -H 1 -c snort_inline.conf
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
> Var 'lo_ADDRESS' defined, value len = 19 chars, value =
> 127.0.0.0/255.0.0.0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Var 'HOME_NET' defined, value len = 3 chars, value = any
> Var 'HONEYNET' defined, value len = 3 chars, value = any
> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> Var 'AIM_SERVERS' defined, value len = 185 chars
>
> [
> 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
> .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Var 'RULE_PATH' defined, value len = 5 chars, value = rules
> Detection:
> Search-Method = AC-Full
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
> stream4inline mode enabled
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 3600 seconds
> Session memory cap: 134217728 bytes
> Session count max: 8192 sessions
> Session cleanup count: 5
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Enforce TCP State: ACTIVE
> Midstream Drop Alerts: INACTIVE
> Allow Blocking of TCP Sessions in Inline: ACTIVE
> Server Data Inspection Limit: -1
> Inline-mode options:
> Inline-mode enabled? (stream4inline): Yes
> Scan mode? (scan_stream_only): Both packet and stream
> Sliding Windowsize (window_size): 3000
> Memcap reached method (truncate): Prune
> Truncate percentage (truncate_percentage): 33
> Store/Load state from/to disk: No
> Max out-of-order packets in a stream (max_ooo_pkts): 10
> Max out-of-order bytes in a stream (max_ooo_bytes): 200
> Max sequence holes in a stream (max_seq_holes): 100
> Normalize wscale max (norm_wscale_max): 2
> Perform window scale normaliztion: No
> Disable out-of-order packet drop: No
> Disable out-of-order packet drop: No
> Disable sequence hole packet drop: No
> Max sequence holes in a stream (max_seq_holes): 100
> Disable wscale normalization alerts
> (disable_norm_wscale_alerts): No
> Disable out-of-order alerts (disable_ooo_alerts): No
> Drop bad RST packets? (drop_bad_rst): No
> Stream4_reassemble config:
> Server reassembly: INACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> Flush stream on alert: ACTIVE
> flush_data_diff_size: 500
> Reassembler Packet Preferance : Favor Old
> Packet Sequence Overlap Limit: -1
> Flush behavior: random
> Flush base: 4096
> Flush seed: 1176608780
> Flush range: 1213
> Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433
> 1521 3306
> Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445
> 513 1433 1521 3306
> ClamAV config:
> Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> Virus found action: ALERT
> Virus definitions dir: '/usr/share/clamav'
> Virus DB reload time: '43200'
> Scan only traffic to the client
> Directory for tempfiles (file descriptor mode): '/tmp'
> Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> Detect Scan Type: portscan portsweep decoy_portscan
> distributed_portscan
> Sensitivity Level: Low
> Memcap (in bytes): 10000000
> Number of Nodes: 36900
>
> 2742 Snort rules read...
> 2742 Option Chains linked into 181 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Tagged Packet Limit: 256
> InitInline stage 2: InitInlinePostConfig starting...
>
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[thresholding-global]----------------------------------
> | none
>
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1 sig-id=6364 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=6254 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=6494 type=Limit tracking=src
> count=1 seconds=1200
> | gen-id=1 sig-id=2001043 type=Limit tracking=src
> count=10 seconds=60
> | gen-id=1 sig-id=2003268 type=Both tracking=src
> count=1 seconds=900
> | gen-id=1 sig-id=7570 type=Limit tracking=src
> count=1 seconds=300
>
> ...
> | gen-id=1 sig-id=6200 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=6477 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=5802 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=7050 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=6496 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=2002732 type=Threshold tracking=src
> count=10 seconds=60
> | gen-id=1 sig-id=5765 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=2003266 type=Both tracking=src
> count=1 seconds=900
>
> +-----------------------[suppression]------------------------------------------
> | none
> -
>
> -------------------------------------------------------------------------------
> Rule application order:
> -
>
> ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
> Log directory = /var/log/snort
> Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'tagged' is set but not ever checked.
> Warning: flowbits key 'community_uri.size.1050' is set but not ever
> checked.
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> Warning: flowbits key 'trojan' is set but not ever checked.
> 80 out of 512 flowbits in use.
> Setting the Packet Processor to decode packets from iptables
> +--[Pattern Matcher:Aho-Corasick Summary]----------------------
> | Alphabet Size : 256 Chars
> | Sizeof State : 2 bytes
> | Storage Format : Full
> | Num States : 225975
> | Num Transitions : 11746889
> | State Density : 20.3%
> | Finite Automatum : DFA
> | Memory : 163.07Mbytes
> +-------------------------------------------------------------
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort_Inline! <*-
> o" )~ Version 2.6.1.2 (Build 34) inline
> '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
> Snort_Inline Mod by William Metcalf, Victor Julien, Nick
> Rogness,
> Dave Remien, Rob McMillen and Jed Haile
> (C) Copyright 1998-2006 Sourcefire Inc., et al.
>
> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6
> <Build 11>
> Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
> Preprocessor Object: SF_DNS Version 1.0 <Build 1>
> Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
> Preprocessor Object: SF_SSH Version 1.0 <Build 1>
> Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
> Not Using PCAP_FRAMES
>
>
>
> by the way why is the thresholding activated ?
>
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[thresholding-global]----------------------------------
> | none
>
> +-----------------------[thresholding-local]-----------------------------------
>
> what is it for and how to deactivate it ?
>
> i am using snort_inline 2.6.1.2BETA1
>
> config flags :
> ./configure --enable-nfnetlink
> - --with-libipq-includes=/usr/local/include/ --enable-clamav
>
>
> ideas why is stream4 not reasembling packets for clamav ?
>
>
> with regards
>
> Roman Gebov
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQIVAwUBRiEu2LhQu20hGMIkAQJeHw/+NoItI0ZPE4XX++YX7ujmGS0UHVVdcGDL
> x6bMSijbUbk9AITra5C5wSjMh6NUgWh70q1o3CwjcAhVrgk4ktyRZzvgToctzQJp
> 84mE5+jHbbiwcaIykHfrX//0xyw0yHhYWy5b3OoSw2LdsTTPKRP0H9GCxEYfgZww
> PBPKmiz7Bin4Y3piWzV0FKyMWAbusGpsCHThnZ+9Cz3Nfw/qGKe8ciiFBMsgG7Rn
> mA3nJ3neCnMslQWs/ChSudmprL1ncOZmkm/xrlzXMVpMoLcVE8WzQZZGiVsU36vS
> QWQQOsazx77Lm+ZufMDU7fg2o5oOEGClLgZY2JFJlEKaDcxUWAN2Q/bHubT+6Gin
> I65Jarv3vAvqebUoPSTftNCAna/7fSv3T6Ir00x5a2eYc0TPd3rc55e6nKQ1JPtI
> rIq2JR+x2czwUanoi4P5fxysMXHkmcGu9QwgFdtLFIppXGF1oYB2VEM59VPt3M+b
> zwppfDB+CX4J9bagFVdsMggvebRFEPia4wT0+LTngsxMuU8TWVRErlYpQf5HvFtG
> E9n6Vbche3Vsy0vwFhEjaa4C2Of2OF2CI+1vKy1HDjfE9pqnG27hiliUgXHKP5PQ
> jTlZnoj1aGLGBPg8obAOvuUF+IsdUy7U5wmQUQJyTFrEEEy4gmIv/Mxc9DstfQdM
> sOqXi9TfpEQ=
> =duR+
> -----END PGP SIGNATURE-----
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
|