From: Will M. <wil...@gm...> - 2007-04-16 01:46:31

enable stream4inline

On 4/14/07, Roman Glebov <sl...@sl...> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
> I have a feeling that stream reassembly is not working for clamav.
>
> All the time I look at /tmp, where snort_inline puts the
> file descriptors for the clamav test, they are 1452 bytes big.
>
> If I understand it correctly, clamav should get ueberpackets from
> stream4 and stream_reassembly, but it seems not to be the case.
>
>
> Here is my config:
>
> sed -r '/^#|^$/{d}' snort_inline.conf
> var HOME_NET any
> var HONEYNET any
> var EXTERNAL_NET any
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
> var DNS_SERVERS any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> config checksum_mode: all
> var RULE_PATH rules
> config detection: search-method ac
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts, memcap 134217728, max_ooo_pkts 10, max_ooo_bytes 200, max_seq_holes 100, stream4inline, disable_norm_wscale, enforce_state, timeout 3600
> preprocessor stream4_reassemble: clientonly, flush_on_alert, flush_base 4096, flush_behavior random
> preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp
> preprocessor sfportscan: proto { all } \
>     memcap { 10000000 } \
>     sense_level { low }
> output alert_fast: snort_inline-fast
> include classification.config
> include reference.config
> include enabled.rules
>
>
> And here is the output from starting snort_inline:
>
> snort_inline -Q -H 1 -c snort_inline.conf
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
> Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Var 'HOME_NET' defined, value len = 3 chars, value = any
> Var 'HONEYNET' defined, value len = 3 chars, value = any
> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> Var 'AIM_SERVERS' defined, value len = 185 chars
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Var 'RULE_PATH' defined, value len = 5 chars, value = rules
> Detection:
> Search-Method = AC-Full
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
> stream4inline mode enabled
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 3600 seconds
> Session memory cap: 134217728 bytes
> Session count max: 8192 sessions
> Session cleanup count: 5
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Enforce TCP State: ACTIVE
> Midstream Drop Alerts: INACTIVE
> Allow Blocking of TCP Sessions in Inline: ACTIVE
> Server Data Inspection Limit: -1
> Inline-mode options:
> Inline-mode enabled? (stream4inline): Yes
> Scan mode? (scan_stream_only): Both packet and stream
> Sliding Windowsize (window_size): 3000
> Memcap reached method (truncate): Prune
> Truncate percentage (truncate_percentage): 33
> Store/Load state from/to disk: No
> Max out-of-order packets in a stream (max_ooo_pkts): 10
> Max out-of-order bytes in a stream (max_ooo_bytes): 200
> Max sequence holes in a stream (max_seq_holes): 100
> Normalize wscale max (norm_wscale_max): 2
> Perform window scale normaliztion: No
> Disable out-of-order packet drop: No
> Disable out-of-order packet drop: No
> Disable sequence hole packet drop: No
> Max sequence holes in a stream (max_seq_holes): 100
> Disable wscale normalization alerts (disable_norm_wscale_alerts): No
> Disable out-of-order alerts (disable_ooo_alerts): No
> Drop bad RST packets? (drop_bad_rst): No
> Stream4_reassemble config:
> Server reassembly: INACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> Flush stream on alert: ACTIVE
> flush_data_diff_size: 500
> Reassembler Packet Preferance : Favor Old
> Packet Sequence Overlap Limit: -1
> Flush behavior: random
> Flush base: 4096
> Flush seed: 1176608780
> Flush range: 1213
> Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> ClamAV config:
> Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> Virus found action: ALERT
> Virus definitions dir: '/usr/share/clamav'
> Virus DB reload time: '43200'
> Scan only traffic to the client
> Directory for tempfiles (file descriptor mode): '/tmp'
> Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
> Sensitivity Level: Low
> Memcap (in bytes): 10000000
> Number of Nodes: 36900
>
> 2742 Snort rules read...
> 2742 Option Chains linked into 181 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Tagged Packet Limit: 256
> InitInline stage 2: InitInlinePostConfig starting...
>
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[thresholding-global]----------------------------------
> | none
>
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1 sig-id=6364 type=Limit tracking=src count=1 seconds=300
> | gen-id=1 sig-id=6254 type=Limit tracking=src count=1 seconds=300
> | gen-id=1 sig-id=6494 type=Limit tracking=src count=1 seconds=1200
> | gen-id=1 sig-id=2001043 type=Limit tracking=src count=10 seconds=60
> | gen-id=1 sig-id=2003268 type=Both tracking=src count=1 seconds=900
> | gen-id=1 sig-id=7570 type=Limit tracking=src count=1 seconds=300
>
> ...
>
> | gen-id=1 sig-id=6200 type=Limit tracking=src count=1 seconds=300
> | gen-id=1 sig-id=6477 type=Limit tracking=src count=1 seconds=300
> | gen-id=1 sig-id=5802 type=Limit tracking=src count=1 seconds=300
> | gen-id=1 sig-id=7050 type=Limit tracking=src count=1 seconds=300
> | gen-id=1 sig-id=6496 type=Limit tracking=src count=1 seconds=300
> | gen-id=1 sig-id=2002732 type=Threshold tracking=src count=10 seconds=60
> | gen-id=1 sig-id=5765 type=Limit tracking=src count=1 seconds=300
> | gen-id=1 sig-id=2003266 type=Both tracking=src count=1 seconds=900
>
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order:
> ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
> Log directory = /var/log/snort
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'tagged' is set but not ever checked.
> Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> Warning: flowbits key 'trojan' is set but not ever checked.
> 80 out of 512 flowbits in use.
> Setting the Packet Processor to decode packets from iptables
> +--[Pattern Matcher:Aho-Corasick Summary]----------------------
> | Alphabet Size : 256 Chars
> | Sizeof State : 2 bytes
> | Storage Format : Full
> | Num States : 225975
> | Num Transitions : 11746889
> | State Density : 20.3%
> | Finite Automatum : DFA
> | Memory : 163.07Mbytes
> +-------------------------------------------------------------
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort_Inline! <*-
> o" )~ Version 2.6.1.2 (Build 34) inline
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
> Dave Remien, Rob McMillen and Jed Haile
> (C) Copyright 1998-2006 Sourcefire Inc., et al.
>
> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
> Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
> Preprocessor Object: SF_DNS Version 1.0 <Build 1>
> Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
> Preprocessor Object: SF_SSH Version 1.0 <Build 1>
> Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
> Not Using PCAP_FRAMES
>
>
>
> By the way, why is the thresholding activated?
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[thresholding-global]----------------------------------
> | none
>
> +-----------------------[thresholding-local]-----------------------------------
>
> What is it for, and how do I deactivate it?
>
> I am using snort_inline 2.6.1.2BETA1
>
> config flags:
> ./configure --enable-nfnetlink --with-libipq-includes=/usr/local/include/ --enable-clamav
>
>
> Ideas why stream4 is not reassembling packets for clamav?
>
>
> With regards
>
> Roman Glebov
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQIVAwUBRiEu2LhQu20hGMIkAQJeHw/+NoItI0ZPE4XX++YX7ujmGS0UHVVdcGDL
> x6bMSijbUbk9AITra5C5wSjMh6NUgWh70q1o3CwjcAhVrgk4ktyRZzvgToctzQJp
> 84mE5+jHbbiwcaIykHfrX//0xyw0yHhYWy5b3OoSw2LdsTTPKRP0H9GCxEYfgZww
> PBPKmiz7Bin4Y3piWzV0FKyMWAbusGpsCHThnZ+9Cz3Nfw/qGKe8ciiFBMsgG7Rn
> mA3nJ3neCnMslQWs/ChSudmprL1ncOZmkm/xrlzXMVpMoLcVE8WzQZZGiVsU36vS
> QWQQOsazx77Lm+ZufMDU7fg2o5oOEGClLgZY2JFJlEKaDcxUWAN2Q/bHubT+6Gin
> I65Jarv3vAvqebUoPSTftNCAna/7fSv3T6Ir00x5a2eYc0TPd3rc55e6nKQ1JPtI
> rIq2JR+x2czwUanoi4P5fxysMXHkmcGu9QwgFdtLFIppXGF1oYB2VEM59VPt3M+b
> zwppfDB+CX4J9bagFVdsMggvebRFEPia4wT0+LTngsxMuU8TWVRErlYpQf5HvFtG
> E9n6Vbche3Vsy0vwFhEjaa4C2Of2OF2CI+1vKy1HDjfE9pqnG27hiliUgXHKP5PQ
> jTlZnoj1aGLGBPg8obAOvuUF+IsdUy7U5wmQUQJyTFrEEEy4gmIv/Mxc9DstfQdM
> sOqXi9TfpEQ=
> =duR+
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
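The question in the quoted mail is whether the stream4 reassembler is actually feeding clamav anything larger than a single TCP segment. Two things can be checked mechanically from the config and the startup banner alone: whether `stream4inline` is set, and whether the ports and the side of the session that `stream4_reassemble` handles overlap with what the clamav preprocessor is told to scan (in the quoted config, `stream4_reassemble` has no `ports` option, so it uses the default list printed in the banner, while clamav is set to `ports all !22 !443` and `toclientonly`). The script below is an added example for this thread, not code from the snort_inline project; it parses Snort 2.x-style `preprocessor` lines (an approximation of the real parser, written here), takes the default reassembly port list from the banner quoted above, and treats the clamav preprocessor as having no default ports when `ports` is absent (an assumption). It also includes the file-size sanity check the poster did by hand in `/tmp`.

```python
"""Cross-check stream4 / stream4_reassemble / clamav settings in a snort_inline.conf.

Added example for the snort-inline-users thread; not snort_inline project code.
"""
import re

# Constructed sample: the preprocessor lines from the quoted config, rejoined onto
# logical lines (Snort continues a config line with a trailing backslash).
SAMPLE_CONF = r"""
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, memcap 134217728, \
    max_ooo_pkts 10, max_ooo_bytes 200, max_seq_holes 100, stream4inline, \
    disable_norm_wscale,enforce_state,timeout 3600
preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base 4096, \
    flush_behavior random
preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, \
    dbreload-time 43200, descriptor-temp-dir /tmp
"""

# Ports stream4_reassemble uses when no 'ports' option is given; copied from the
# "Ports:" line of the startup output quoted in the thread.
DEFAULT_REASSEMBLY_PORTS = frozenset({21, 23, 25, 42, 53, 80, 110, 111, 135, 136,
                                      137, 139, 143, 445, 513, 1433, 1521, 3306})
ALL_PORTS = frozenset(range(65536))


def join_continuations(text):
    """Merge backslash-continued lines into logical lines; drop blanks and comments."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    return [l for l in logical if l and not l.startswith("#")]


def parse_preprocessors(text):
    """Return {name: [[token, ...], ...]}: one token list per comma-separated option."""
    found = {}
    for line in join_continuations(text):
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)$", line)
        if m:
            found[m.group(1)] = [o.split() for o in m.group(2).split(",") if o.strip()]
    return found


def option_tokens(opts, key):
    """Tokens following option *key* (e.g. ['all', '!22'] for 'ports all !22'), or None."""
    for o in opts:
        if o and o[0] == key:
            return o[1:]
    return None


def has_flag(opts, key):
    return any(o and o[0] == key for o in opts)


def parse_ports(tokens, default):
    """Expand a port spec such as ['all', '!22', '!443'] or ['80', '8080'] into a set.
    A missing spec (None) yields *default*; '!N' removes N from the result."""
    if tokens is None:
        return set(default)
    ports, excluded = set(), set()
    for tok in tokens:
        if tok == "all":
            ports |= ALL_PORTS
        elif tok.startswith("!"):
            excluded.add(int(tok[1:]))
        else:
            ports.add(int(tok))
    return ports - excluded


def check_clamav_coverage(conf_text):
    """Summarise whether stream4 reassembly can cover what clamav is asked to scan."""
    pre = parse_preprocessors(conf_text)
    s4, reasm, clam = pre.get("stream4", []), pre.get("stream4_reassemble"), pre.get("clamav", [])
    reasm_opts = reasm or []
    # clientonly / serveronly pick one side of the session; neither means both.
    side = "clientonly" if has_flag(reasm_opts, "clientonly") else (
        "serveronly" if has_flag(reasm_opts, "serveronly") else "both")
    reasm_ports = parse_ports(option_tokens(reasm_opts, "ports"), DEFAULT_REASSEMBLY_PORTS)
    clam_ports = parse_ports(option_tokens(clam, "ports"), set())  # assumption: no default
    return {
        "stream4inline": has_flag(s4, "stream4inline"),
        "reassembly_configured": reasm is not None,
        "reassembly_side": side,
        "clamav_direction": "toclientonly" if has_flag(clam, "toclientonly") else "unrestricted",
        "clamav_ports": len(clam_ports),
        # Ports clamav scans but for which stream4_reassemble never builds a stream.
        "clamav_ports_without_reassembly": len(clam_ports - reasm_ports),
    }


def looks_unreassembled(temp_file_sizes, segment_payload=1452):
    """True when every file clamav was handed is at most one TCP segment payload,
    i.e. the symptom described in the thread (all files exactly 1452 bytes)."""
    return bool(temp_file_sizes) and all(s <= segment_payload for s in temp_file_sizes)


if __name__ == "__main__":
    for key, value in check_clamav_coverage(SAMPLE_CONF).items():
        print(f"{key:34s} {value}")
    print("unreassembled?", looks_unreassembled([1452, 1452, 1452]))  # constructed sizes
```

Run against the quoted config, the report shows `stream4inline` present, reassembly on the client side only while clamav scans to-client traffic only, and 65516 of the 65534 clamav ports without any reassembly coverage; when reviewing a deployment like this, compare the `reassembly_side` and `clamav_direction` values against the stream4 documentation for the build in use and make the `stream4_reassemble` port list at least as wide as clamav's before expecting reassembled data to reach the scanner.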