From: Victor J. <li...@in...> - 2007-04-16 07:53:05
Hi Roman,

I think the issue is in your 'stream4_reassemble' line. You have 'clientonly' set. This means only the traffic flowing from the client to the server is reassembled. The virus, however, is flowing from the server to the client. Try replacing 'clientonly' by 'both' or 'serveronly' and see what happens!

Cheers,
Victor

Roman Glebov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
> I have a feeling that stream reassembly is not working for clamav.
>
> All the time I look at the /tmp where snort_inline puts
> file descriptors for the clamav test, they are 1452 bytes big.
>
> If I understand it correctly clamav should get ueberpackets from
> stream4 and stream_reassembly but it seems not to be the case.
>
>
> Here is my config:
>
> sed -r '/^#|^$/{d}' snort_inline.conf
> var HOME_NET any
> var HONEYNET any
> var EXTERNAL_NET any
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
> var DNS_SERVERS any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> config checksum_mode: all
> var RULE_PATH rules
> config detection: search-method ac
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts, memcap 134217728,
> max_ooo_pkts 10, max_ooo_bytes 200, max_seq_holes 100, stream4inline,
> disable_norm_wscale,enforce_state,timeout 3600
> preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base
> 4096, flush_behavior random
> preprocessor clamav: ports all !22 !443, toclientonly, dbdir
> /usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp
> preprocessor sfportscan: proto { all } \
> memcap { 10000000 } \
> sense_level { low }
> output alert_fast: snort_inline-fast
> include classification.config
> include reference.config
> include enabled.rules
>
>
> and here is the output from starting snort_inline:
>
> snort_inline -Q -H 1 -c snort_inline.conf
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
> Var 'lo_ADDRESS' defined, value len = 19 chars, value =
> 127.0.0.0/255.0.0.0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Var 'HOME_NET' defined, value len = 3 chars, value = any
> Var 'HONEYNET' defined, value len = 3 chars, value = any
> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> Var 'AIM_SERVERS' defined, value len = 185 chars
>
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Var 'RULE_PATH' defined, value len = 5 chars, value = rules
> Detection:
> Search-Method = AC-Full
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
> stream4inline mode enabled
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 3600 seconds
> Session memory cap: 134217728 bytes
> Session count max: 8192 sessions
> Session cleanup count: 5
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Enforce TCP State: ACTIVE
> Midstream Drop Alerts: INACTIVE
> Allow Blocking of TCP Sessions in Inline: ACTIVE
> Server Data Inspection Limit: -1
> Inline-mode options:
> Inline-mode enabled? (stream4inline): Yes
> Scan mode? (scan_stream_only): Both packet and stream
> Sliding Windowsize (window_size): 3000
> Memcap reached method (truncate): Prune
> Truncate percentage (truncate_percentage): 33
> Store/Load state from/to disk: No
> Max out-of-order packets in a stream (max_ooo_pkts): 10
> Max out-of-order bytes in a stream (max_ooo_bytes): 200
> Max sequence holes in a stream (max_seq_holes): 100
> Normalize wscale max (norm_wscale_max): 2
> Perform window scale normaliztion: No
> Disable out-of-order packet drop: No
> Disable out-of-order packet drop: No
> Disable sequence hole packet drop: No
> Max sequence holes in a stream (max_seq_holes): 100
> Disable wscale normalization alerts
> (disable_norm_wscale_alerts): No
> Disable out-of-order alerts (disable_ooo_alerts): No
> Drop bad RST packets? (drop_bad_rst): No
> Stream4_reassemble config:
> Server reassembly: INACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> Flush stream on alert: ACTIVE
> flush_data_diff_size: 500
> Reassembler Packet Preferance : Favor Old
> Packet Sequence Overlap Limit: -1
> Flush behavior: random
> Flush base: 4096
> Flush seed: 1176608780
> Flush range: 1213
> Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433
> 1521 3306
> Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445
> 513 1433 1521 3306
> ClamAV config:
> Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> Virus found action: ALERT
> Virus definitions dir: '/usr/share/clamav'
> Virus DB reload time: '43200'
> Scan only traffic to the client
> Directory for tempfiles (file descriptor mode): '/tmp'
> Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> Detect Scan Type: portscan portsweep decoy_portscan
> distributed_portscan
> Sensitivity Level: Low
> Memcap (in bytes): 10000000
> Number of Nodes: 36900
>
> 2742 Snort rules read...
> 2742 Option Chains linked into 181 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Tagged Packet Limit: 256
> InitInline stage 2: InitInlinePostConfig starting...
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1 sig-id=6364 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=6254 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=6494 type=Limit tracking=src
> count=1 seconds=1200
> | gen-id=1 sig-id=2001043 type=Limit tracking=src
> count=10 seconds=60
> | gen-id=1 sig-id=2003268 type=Both tracking=src
> count=1 seconds=900
> | gen-id=1 sig-id=7570 type=Limit tracking=src
> count=1 seconds=300
>
> ...
> | gen-id=1 sig-id=6200 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=6477 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=5802 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=7050 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=6496 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=2002732 type=Threshold tracking=src
> count=10 seconds=60
> | gen-id=1 sig-id=5765 type=Limit tracking=src
> count=1 seconds=300
> | gen-id=1 sig-id=2003266 type=Both tracking=src
> count=1 seconds=900
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order:
> ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
> Log directory = /var/log/snort
> Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'tagged' is set but not ever checked.
> Warning: flowbits key 'community_uri.size.1050' is set but not ever
> checked.
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> Warning: flowbits key 'trojan' is set but not ever checked.
> 80 out of 512 flowbits in use.
> Setting the Packet Processor to decode packets from iptables
> +--[Pattern Matcher:Aho-Corasick Summary]----------------------
> | Alphabet Size : 256 Chars
> | Sizeof State : 2 bytes
> | Storage Format : Full
> | Num States : 225975
> | Num Transitions : 11746889
> | State Density : 20.3%
> | Finite Automatum : DFA
> | Memory : 163.07Mbytes
> +-------------------------------------------------------------
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort_Inline! <*-
> o" )~ Version 2.6.1.2 (Build 34) inline
> '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
> Snort_Inline Mod by William Metcalf, Victor Julien, Nick
> Rogness,
> Dave Remien, Rob McMillen and Jed Haile
> (C) Copyright 1998-2006 Sourcefire Inc., et al.
>
> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6
> <Build 11>
> Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
> Preprocessor Object: SF_DNS Version 1.0 <Build 1>
> Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
> Preprocessor Object: SF_SSH Version 1.0 <Build 1>
> Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
> Not Using PCAP_FRAMES
>
>
>
> By the way, why is the thresholding activated?
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
>
> What is it for, and how do I deactivate it?
>
> I am using snort_inline 2.6.1.2BETA1
>
> config flags:
> ./configure --enable-nfnetlink
> --with-libipq-includes=/usr/local/include/ --enable-clamav
>
>
> Any ideas why stream4 is not reassembling packets for clamav?
>
>
> With regards,
>
> Roman Glebov
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
>
>
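Added example (not from the thread and not snort_inline's own code): a small Python check that reads the stream4_reassemble and clamav preprocessor lines from a snort_inline.conf and reports any direction clamav scans that the reassembler never reassembles, which is the mismatch Victor points out. It assumes the Snort 2.x default of clientonly when stream4_reassemble names no direction, that the clamav preprocessor accepts a toserveronly keyword and scans both directions when neither keyword is given, and SAMPLE_CONF is a constructed fragment modelled on Roman's config.

```python
import re

# Constructed sample modelled on the config quoted in the thread: the
# reassembler covers client->server only, clamav scans server->client only.
SAMPLE_CONF = """\
# comments and blank lines are skipped, as Roman's sed filter does
preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base \\
4096, flush_behavior random
preprocessor clamav: ports all !22 !443, toclientonly, dbdir \\
/usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp
"""

def preprocessor_options(conf_text, name):
    """Options of 'preprocessor <name>:' (continuations joined) or None."""
    joined = re.sub(r"\\\n", " ", conf_text)  # join backslash continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"preprocessor\s+%s\s*:\s*(.*)$" % re.escape(name), line)
        if m:
            return [opt.strip() for opt in m.group(1).split(",")]
    return None

def reassembled_directions(opts):
    """Directions stream4_reassemble reassembles; 'to_server' is client->server.
    Snort 2.x defaults to clientonly when no direction keyword is given."""
    if "both" in opts:
        return {"to_server", "to_client"}
    if "serveronly" in opts:
        return {"to_client"}
    return {"to_server"}

def clamav_directions(opts):
    """Directions the clamav preprocessor scans. Assumptions: 'toserveronly'
    is accepted, and with no keyword both directions are scanned."""
    if "toclientonly" in opts:
        return {"to_client"}
    if "toserveronly" in opts:
        return {"to_server"}
    return {"to_server", "to_client"}

def unreassembled_scan_directions(conf_text):
    """Directions clamav scans that stream4_reassemble never reassembles;
    an empty list means clamav will be handed reassembled stream data."""
    s4 = preprocessor_options(conf_text, "stream4_reassemble")
    av = preprocessor_options(conf_text, "clamav")
    if s4 is None or av is None:
        return []
    return sorted(clamav_directions(av) - reassembled_directions(s4))
```

For Roman's config the check returns ['to_client']; switching the reassembler to 'both' or 'serveronly' makes it return an empty list.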