From: Will M. <wil...@gm...> - 2006-06-20 23:57:50
That's so weird, it builds fine on Sarge for me with the latest libdnet. You didn't happen to install the libdnet-dev package in Sarge did you? Note to all: the libdnet in Debian is libDECNet and they share the same .so names......

Regards,

Will

On 6/20/06, Bill Warren <bw...@op...> wrote:
> I am running Debian Sarge and this is what I get with the download of
> the latest ver
>
> Run: dnet-config --libs
>
> Gives me: -L/usr/local/lib -ldnet
>
> Run:
> ./configure --with-dnet-includes=/usr/local/lib
> ./configure --with-dnet-libraries=/usr/local/lib
>
> Both give me:
> checking for dnet.h... yes
> checking for eth_set in -ldnet... no
>
> ERROR! Libdnet header not found, go get it from
> http://libdnet.sourceforge.net or use the --with-dnet-*
> options, if you have it installed in an unusual place
>
> Any ideas?
>
> Will Metcalf wrote:
> > run dnet-config --libs. Is it blank? find the dnet-config file and
> > see if the line that resembles what is below edit if necessary. I
> > think we will have another 2.4.5 release this weekend that actually
> > contains the --with-dnet stuff in the configure ;-). I have a couple
> > of other bug fixes as well.
> >
> > prefix=/usr/local
> > exec_prefix=/usr/local
> >
> > Regards,
> >
> > Will
> > On 6/17/06, int eighty <xc...@gm...> wrote:
> >> The ./configure for snort_inline is consistently failing with the
> >> following message:
> >>
> >> checking dnet.h usability... yes
> >> checking dnet.h presence... yes
> >> checking for dnet.h... yes
> >> checking for eth_set in -ldnet... no
> >>
> >> ERROR! Libdnet header not found, go get it from
> >> http://libdnet.sourceforge.net or use the --with-dnet-*
> >> options, if you have it installed in an unusual place
> >>
> >> The system is running Debian (unstable) and has the libdnet and
> >> libdnet-dev packages installed through apt-get. This error still
> >> occurred after using apt-get so libdnet was downloaded from
> >> sourceforge, compiled, and installed.
> >>
> >> The /etc/ld.so.conf was also updated to include the paths of dnet.h
> >> and dnet.so/dnet.a (these are symbolic links from libdnet.so and
> >> libdnet.a, respectively). Configure was also run with the following
> >> options:
> >>
> >> ./configure --with-dnet-includes=/usr/local/include
> >> --with-dnet-libraries=/usr/lib
> >>
> >> Still the error persists, and there are not many solutions provided
> >> through Google (I've tried everything in the search results).
> >>
> >> _______________________________________________
> >> Snort-inline-users mailing list
> >> Sno...@li...
> >> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
> --
> Bill Warren
> Network Systems Administrator
> Optivel, Inc.
> 317.275.2305 office
> 317.523.8468 cell
> www.optivel.com
From: Bill W. <bw...@op...> - 2006-06-20 14:50:53
I am running Debian Sarge and this is what I get with the download of the latest ver

Run: dnet-config --libs

Gives me: -L/usr/local/lib -ldnet

Run:
./configure --with-dnet-includes=/usr/local/lib
./configure --with-dnet-libraries=/usr/local/lib

Both give me:
checking for dnet.h... yes
checking for eth_set in -ldnet... no

ERROR! Libdnet header not found, go get it from
http://libdnet.sourceforge.net or use the --with-dnet-*
options, if you have it installed in an unusual place

Any ideas?

Will Metcalf wrote:
> run dnet-config --libs. Is it blank? find the dnet-config file and
> see if the line that resembles what is below edit if necessary. I
> think we will have another 2.4.5 release this weekend that actually
> contains the --with-dnet stuff in the configure ;-). I have a couple
> of other bug fixes as well.
>
> prefix=/usr/local
> exec_prefix=/usr/local
>
> Regards,
>
> Will
> On 6/17/06, int eighty <xc...@gm...> wrote:
>> The ./configure for snort_inline is consistently failing with the
>> following message:
>>
>> checking dnet.h usability... yes
>> checking dnet.h presence... yes
>> checking for dnet.h... yes
>> checking for eth_set in -ldnet... no
>>
>> ERROR! Libdnet header not found, go get it from
>> http://libdnet.sourceforge.net or use the --with-dnet-*
>> options, if you have it installed in an unusual place
>>
>> The system is running Debian (unstable) and has the libdnet and
>> libdnet-dev packages installed through apt-get. This error still
>> occurred after using apt-get so libdnet was downloaded from
>> sourceforge, compiled, and installed.
>>
>> The /etc/ld.so.conf was also updated to include the paths of dnet.h
>> and dnet.so/dnet.a (these are symbolic links from libdnet.so and
>> libdnet.a, respectively). Configure was also run with the following
>> options:
>>
>> ./configure --with-dnet-includes=/usr/local/include
>> --with-dnet-libraries=/usr/lib
>>
>> Still the error persists, and there are not many solutions provided
>> through Google (I've tried everything in the search results).

--
Bill Warren
Network Systems Administrator
Optivel, Inc.
317.275.2305 office
317.523.8468 cell
www.optivel.com
From: Carlos E G. <ceg...@if...> - 2006-06-19 15:59:35
Hi. Has anyone else already set up snort_inline with ipfw on a FreeBSD box? I'm getting the following error:

IpfwLoop: write to divert socket failed

I have no idea of what's happening. My box is as follows:

FreeBSD 6.1-STABLE FreeBSD 6.1-STABLE #0

Kernel build options:
device if_bridge
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT

IPFW divert rule:
divert 8000 all from machine1 to machine2 via if1

where if1 is one of the member interfaces of the bridge, machine1 is on the bridge and machine2 is an external machine. Observe that I am not filtering on layer2, because ipfw does not divert bridged packets.

net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw: 0
net.link.ether.ipfw: 0

Config file is the default snort_inline.conf. I've also tried layer2resets with no success (using the bridge interface mac).

command line options:
snort_inline -v -J 8000 -d -s -h xxx.xxx.xxx.xxx/xx -l /var/log/snort_inline -c /usr/local/etc/snort_inline.conf

snort_inline versions 2.4.4-final and 2.3.0 from FreeBSD ports.

Thanks in advance!

Carlos
From: Will M. <wil...@gm...> - 2006-06-18 22:22:48
As always you can download the latest release from http://snort-inline.sourceforge.net/download.html

Regards,

Will
From: Will M. <wil...@gm...> - 2006-06-18 22:21:09
List,

I have posted snort_inline-2.4.5a to sourceforge. Below is a list of things fixed in this release.

fix for unified logging with bait-and-switch and stickydrop
fix for inline.c when trying to compile with 2.9.x
--with-dnet* actually works when passed to configure

Regards,

Will
From: Will M. <wil...@gm...> - 2006-06-18 16:14:34
hmmmm WorksForMe(TM)

06/18-11:10:19.992875 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:10:20.572346 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:10:21.552567 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:10:23.312251 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:10:26.632128 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640

On 6/17/06, Eric Hines <eri...@ap...> wrote:
> Will,
>
> It seems the Eicar file is still not being detected when attempting to
> use FTP. Any ideas? Is there a way to see why it's not being dropped as
> it should? I don't see anything regarding it in the Snort log file.
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
>
> ---------------------------------------------
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
> 1095 Pingree Road
> Suite 213
> Crystal Lake, IL 60014
> Toll Free: (877) 262-7593 ext:327
> Direct: (847) 854-2725 ext:327
> Fax: (847) 854-5106
> Web: http://www.appliedwatch.com
> Email: eri...@ap...
>
> --------------------------------------------
>
> "Enterprise Open Source Security Management"
>
> Will Metcalf wrote:
> > That's not the same thing. The patch on bleeding-snort doesn't have
> > the http header parsing stuff. I need to update those patches haven't
> > found the time......
> >
> > On 6/15/06, Eric Hines <eri...@ap...> wrote:
> > Hi Will,
> >
> > Here's the info. I spoke to our developers and it seems we're using
> > Snort with inline enabled.
> >
> > [root@localhost ~]# /aw/sbin/snort2.4 -V
> >
> > ,,_ -*> Snort! <*-
> > o" )~ Version 2.4.4 (Build 28)
> > '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> > (C) Copyright 1998-2005 Sourcefire Inc., et al.
> > NOTE: Snort's default output has changed in version 2.4.1!
> > The default logging mode is now PCAP, use "-K ascii" to activate
> > the old default logging mode.
> >
> > Best Regards,
> >
> > Eric Hines, GCIA, CISSP
> > CEO, President
> > Applied Watch Technologies, LLC
> >
> > Will Metcalf wrote:
> >>>> What version of snort-inline are you using? 2.4.4 and up attempt to
> >>>> remove the http headers from a scanned http payload. A while ago the
> >>>> clamav sig for eicar was tweaked to look for the eicar string in the
> >>>> beginning of the scanned descriptor/buffer to reduce fp's etc.....
> >>>>
> >>>> Regards,
> >>>>
> >>>> Will
> >>>> On 6/13/06, Eric Hines <eri...@ap...> wrote:
> >>>> I have tried both toserveronly, and toclientonly. My current snort.conf:
> >>>>
> >>>> snort.conf
> >>>> ***********
> >>>> preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
> >>>> 600, action-drop, toserveronly, file-descriptor-mode
> >>>>
> >>>> snort_log
> >>>> *********
> >>>> ClamAV config:
> >>>> Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> >>>> Virus found action: DROP
> >>>> Virus definitions dir: '/aw/var/lib/clamav'
> >>>> Virus DB reload time: '600'
> >>>> Scan only traffic to the server
> >>>> File descriptor scanning mode: Enabled, using cl_scandesc
> >>>> Directory for tempfiles (file descriptor mode): '/tmp'
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> Eric Hines, GCIA, CISSP
> >>>> CEO, President
> >>>> Applied Watch Technologies, LLC
> >>>>
> >>>> Eric Hines wrote:
> >>>>> Will, et. al.,
> >>>>> We're finding that attempts to go to www.eicar.org and download several
> >>>>> signature files, even the text file, is succeeding without alerts or
> >>>>> prevention from ClamAV/Snort-Inline in front of our machines.
> >>>>> Snort-Inline is not dropping the attempts nor even alerting to the
> >>>>> traffic.
> >>>>>
> >>>>> It's allowing me to not only view the Eicar test file but also save it to
> >>>>> my HDD.
> >>>>>
> >>>>> Has anyone had this problem with the Eicar test file before using the
> >>>>> ClamAV Preproc? (www.eicar.org)
> >>>>>
> >>>>> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
> >>>>> itself? In searching the clamav-users ml archives, it seems it does
> >>>>> have defs for the eicar test file, then perhaps it's a problem with the
> >>>>> Preproc or our configuration? Please advise.
> >>>>>
> >>>>> Best Regards,
> >>>>> Eric Hines, GCIA, CISSP
> >>>>> CEO, President
> >>>>> Applied Watch Technologies, LLC
> >>>>>
> >>>>> Will Metcalf wrote:
> >>>>>>> hmm can you send the contents of your dnet.h file, it appears as
> >>>>>>> if it is locating the file but the check for eth_set fails.
> >>>>>>>
> >>>>>>> On 6/12/06, Bill Warren <bw...@op...> wrote:
> >>>>>>>> Hello,
> >>>>>>>> I am trying to do a basic install of snort-inline 2.4.5. I am
> >>>>>>>> running Debian Sarge with a 2.6 kernel on an Intel box.
> >>>>>>>>
> >>>>>>>> When I run:
> >>>>>>>> ./configure
> >>>>>>>>
> >>>>>>>> I get
> >>>>>>>> checking for dnet.h... yes
> >>>>>>>> checking for eth_set in -ldnet... no
> >>>>>>>>
> >>>>>>>> ERROR! Libdnet header not found, go get it from
> >>>>>>>> http://libdnet.sourceforge.net or use the --with-dnet-*
> >>>>>>>> options, if you have it installed in an unusual place
> >>>>>>>>
> >>>>>>>> I have downloaded libdnet-1.11 from http://libdnet.sourceforge.net.
> >>>>>>>> When I did a find it is found here:
> >>>>>>>>
> >>>>>>>> /usr/local/include/dnet.h
> >>>>>>>>
> >>>>>>>> Any ideas?
> >>>>>>>> Thanks,
> >>>>>>>> Bill
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Bill Warren
> >>>>>>>> Network Systems Administrator
> >>>>>>>> Optivel, Inc.
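As an added illustration (not part of Will's post or of snort_inline), the Python below parses the spp_clamav fast-alert lines he quotes into fields, separates preprocessor alerts from rule alerts, and folds the five alerts for the one flow into a single blocked transfer; the sixth sample line, the port-to-channel table and the helper names are my own constructed additions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Alert lines quoted from Will's reply above (Snort "fast" alert format as written by
# the spp_clamav preprocessor; y.y.y.y is the redaction from the original post). The
# last line is a constructed rule alert, added so the parser is exercised on the
# Classification/Priority fields that rule alerts carry and preprocessor alerts do not.
SAMPLE_ALERTS = """\
06/18-11:10:19.992875 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:10:20.572346 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:10:21.552567 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:10:23.312251 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:10:26.632128 [**] [125:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**] {TCP} 213.206.94.83:20 -> y.y.y.y:56640
06/18-11:11:02.000000 [**] [1:1000001:1] CONSTRUCTED local rule [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.2
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<preproc>spp_\w+)\) )?"            # preprocessor tag, absent on rule alerts
    r"(?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"  # rule alerts only
    r"(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"  # no ports on ICMP
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    preproc: Optional[str]
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_alert(line: str) -> Optional[Alert]:
    """One fast-alert line -> Alert, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(g["ts"], int(g["gid"]), int(g["sid"]), int(g["rev"]), g["preproc"], g["msg"],
                 g["cls"], _opt_int(g["prio"]), g["proto"], g["src"], _opt_int(g["sport"]),
                 g["dst"], _opt_int(g["dport"]))


def parse_alerts(text: str) -> List[Alert]:
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]


def clamav_hits(alerts: List[Alert]) -> List[Alert]:
    """Alerts raised by the ClamAV preprocessor (tagged spp_clamav; GID 125 in this log)."""
    return [a for a in alerts if a.preproc == "spp_clamav"]


# Constructed table of well-known server-side ports, used to attribute a hit to the transfer
# channel it arrived over. Port 20 is the server end of an active-mode FTP data connection,
# which is what makes the five hits above an answer to Eric's "not detected via FTP" question.
CHANNEL_BY_PORT = {20: "ftp-data", 21: "ftp-control", 80: "http", 443: "https"}


def channel(a: Alert) -> str:
    for port in (a.sport, a.dport):
        if port in CHANNEL_BY_PORT:
            return CHANNEL_BY_PORT[port]
    return "other"


def summarize(alerts: List[Alert]) -> Dict[Tuple[str, str, str], int]:
    """Count ClamAV hits per (signature, source host, channel). The five hits in Will's log
    share one connection and arrive at growing intervals, which is consistent with the
    sender retransmitting a dropped segment: one blocked transfer, not five infections."""
    out: Dict[Tuple[str, str, str], int] = {}
    for a in clamav_hits(alerts):
        key = (a.msg, a.src, channel(a))
        out[key] = out.get(key, 0) + 1
    return out


if __name__ == "__main__":
    for (sig, src, chan), n in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{sig} from {src} over {chan}: {n} alert(s) on one flow")
```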
From: Eric H. <eri...@ap...> - 2006-06-17 23:47:51
Will,

It seems the Eicar file is still not being detected when attempting to use FTP. Any ideas? Is there a way to see why it's not being dropped as it should? I don't see anything regarding it in the Snort log file.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC

---------------------------------------------

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eri...@ap...

--------------------------------------------

"Enterprise Open Source Security Management"

Will Metcalf wrote:
> That's not the same thing. The patch on bleeding-snort doesn't have
> the http header parsing stuff. I need to update those patches haven't
> found the time......
>
> On 6/15/06, Eric Hines <eri...@ap...> wrote:
> Hi Will,
>
> Here's the info. I spoke to our developers and it seems we're using
> Snort with inline enabled.
>
> [root@localhost ~]# /aw/sbin/snort2.4 -V
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.4.4 (Build 28)
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> (C) Copyright 1998-2005 Sourcefire Inc., et al.
> NOTE: Snort's default output has changed in version 2.4.1!
> The default logging mode is now PCAP, use "-K ascii" to activate
> the old default logging mode.
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
>
> Will Metcalf wrote:
>>>> What version of snort-inline are you using? 2.4.4 and up attempt to
>>>> remove the http headers from a scanned http payload. A while ago the
>>>> clamav sig for eicar was tweaked to look for the eicar string in the
>>>> beginning of the scanned descriptor/buffer to reduce fp's etc.....
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>> On 6/13/06, Eric Hines <eri...@ap...> wrote:
>>>> I have tried both toserveronly, and toclientonly. My current snort.conf:
>>>>
>>>> snort.conf
>>>> ***********
>>>> preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
>>>> 600, action-drop, toserveronly, file-descriptor-mode
>>>>
>>>> snort_log
>>>> *********
>>>> ClamAV config:
>>>> Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
>>>> Virus found action: DROP
>>>> Virus definitions dir: '/aw/var/lib/clamav'
>>>> Virus DB reload time: '600'
>>>> Scan only traffic to the server
>>>> File descriptor scanning mode: Enabled, using cl_scandesc
>>>> Directory for tempfiles (file descriptor mode): '/tmp'
>>>>
>>>> Best Regards,
>>>>
>>>> Eric Hines, GCIA, CISSP
>>>> CEO, President
>>>> Applied Watch Technologies, LLC
>>>>
>>>> Eric Hines wrote:
>>>>> Will, et. al.,
>>>>> We're finding that attempts to go to www.eicar.org and download several
>>>>> signature files, even the text file, is succeeding without alerts or
>>>>> prevention from ClamAV/Snort-Inline in front of our machines.
>>>>> Snort-Inline is not dropping the attempts nor even alerting to the
>>>>> traffic.
>>>>>
>>>>> It's allowing me to not only view the Eicar test file but also save it to
>>>>> my HDD.
>>>>>
>>>>> Has anyone had this problem with the Eicar test file before using the
>>>>> ClamAV Preproc? (www.eicar.org)
>>>>>
>>>>> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
>>>>> itself? In searching the clamav-users ml archives, it seems it does
>>>>> have defs for the eicar test file, then perhaps it's a problem with the
>>>>> Preproc or our configuration? Please advise.
>>>>>
>>>>> Best Regards,
>>>>> Eric Hines, GCIA, CISSP
>>>>> CEO, President
>>>>> Applied Watch Technologies, LLC
>>>>>
>>>>> Will Metcalf wrote:
>>>>>>> hmm can you send the contents of your dnet.h file, it appears as
>>>>>>> if it is locating the file but the check for eth_set fails.
>>>>>>>
>>>>>>> On 6/12/06, Bill Warren <bw...@op...> wrote:
>>>>>>>> Hello,
>>>>>>>> I am trying to do a basic install of snort-inline 2.4.5. I am
>>>>>>>> running Debian Sarge with a 2.6 kernel on an Intel box.
>>>>>>>>
>>>>>>>> When I run:
>>>>>>>> ./configure
>>>>>>>>
>>>>>>>> I get
>>>>>>>> checking for dnet.h... yes
>>>>>>>> checking for eth_set in -ldnet... no
>>>>>>>>
>>>>>>>> ERROR! Libdnet header not found, go get it from
>>>>>>>> http://libdnet.sourceforge.net or use the --with-dnet-*
>>>>>>>> options, if you have it installed in an unusual place
>>>>>>>>
>>>>>>>> I have downloaded libdnet-1.11 from http://libdnet.sourceforge.net.
>>>>>>>> When I did a find it is found here:
>>>>>>>>
>>>>>>>> /usr/local/include/dnet.h
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>> Thanks,
>>>>>>>> Bill
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Warren
>>>>>>>> Network Systems Administrator
>>>>>>>> Optivel, Inc.
>>>>>>>> 317.275.2305 office
>>>>>>>> 317.523.8468 cell
>>>>>>>> www.optivel.com
From: Will M. <wil...@gm...> - 2006-06-17 16:04:06
run dnet-config --libs. Is it blank? find the dnet-config file and see if the line that resembles what is below edit if necessary. I think we will have another 2.4.5 release this weekend that actually contains the --with-dnet stuff in the configure ;-). I have a couple of other bug fixes as well.

prefix=/usr/local
exec_prefix=/usr/local

Regards,

Will

On 6/17/06, int eighty <xc...@gm...> wrote:
> The ./configure for snort_inline is consistently failing with the
> following message:
>
> checking dnet.h usability... yes
> checking dnet.h presence... yes
> checking for dnet.h... yes
> checking for eth_set in -ldnet... no
>
> ERROR! Libdnet header not found, go get it from
> http://libdnet.sourceforge.net or use the --with-dnet-*
> options, if you have it installed in an unusual place
>
> The system is running Debian (unstable) and has the libdnet and
> libdnet-dev packages installed through apt-get. This error still
> occurred after using apt-get so libdnet was downloaded from
> sourceforge, compiled, and installed.
>
> The /etc/ld.so.conf was also updated to include the paths of dnet.h
> and dnet.so/dnet.a (these are symbolic links from libdnet.so and
> libdnet.a, respectively). Configure was also run with the following
> options:
>
> ./configure --with-dnet-includes=/usr/local/include
> --with-dnet-libraries=/usr/lib
>
> Still the error persists, and there are not many solutions provided
> through Google (I've tried everything in the search results).
From: int e. <xc...@gm...> - 2006-06-17 13:00:27
The ./configure for snort_inline is consistently failing with the following message:

checking dnet.h usability... yes
checking dnet.h presence... yes
checking for dnet.h... yes
checking for eth_set in -ldnet... no

ERROR! Libdnet header not found, go get it from
http://libdnet.sourceforge.net or use the --with-dnet-*
options, if you have it installed in an unusual place

The system is running Debian (unstable) and has the libdnet and libdnet-dev packages installed through apt-get. This error still occurred after using apt-get so libdnet was downloaded from sourceforge, compiled, and installed.

The /etc/ld.so.conf was also updated to include the paths of dnet.h and dnet.so/dnet.a (these are symbolic links from libdnet.so and libdnet.a, respectively). Configure was also run with the following options:

./configure --with-dnet-includes=/usr/local/include --with-dnet-libraries=/usr/lib

Still the error persists, and there are not many solutions provided through Google (I've tried everything in the search results).
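As an added diagnostic (not from this thread or from the snort_inline project), the Python below reproduces outside configure the "checking for eth_set in -ldnet" probe that fails for int eighty, Bill and the earlier reports: it takes the -L/-l flags from `dnet-config --libs`, lists every libdnet.so the link step could resolve, and reports with `nm -D` which of them actually export eth_set, which is the libDECNet name clash Will describes at the top of the thread. The default linker directories, the two nm samples and all function names are assumptions I constructed.

```python
import os
import shlex
import subprocess
from typing import Callable, Dict, List, Sequence, Set

# configure's probe ("checking for eth_set in -ldnet... no") fails on the Debian boxes in
# this thread even though dnet.h is found, because the distribution's libdnet package is a
# DECnet library that shares the .so name with the libdnet snort_inline needs. This script
# reproduces the probe outside configure: list every libdnet.so the link step could
# resolve and report which of them actually export eth_set.

PROBE_SYMBOL = "eth_set"                                    # the symbol configure tests for
DEFAULT_LIB_DIRS = ["/usr/local/lib", "/usr/lib", "/lib"]   # assumed default linker search path

# Constructed `nm -D` output for the two cases: a real libdnet and a same-named library
# that does not provide the dumb-networking API. Neither is copied from a real system.
SAMPLE_NM_LIBDNET = """\
0000000000006a20 T eth_open
0000000000006b40 T eth_set
                 U malloc
                 w __cxa_finalize
"""
SAMPLE_NM_DECNET = """\
0000000000003c10 T decnet_only_symbol
                 U socket
"""


def lib_dirs_from_libs(libs_output: str) -> List[str]:
    """-L directories from `dnet-config --libs`, e.g. '-L/usr/local/lib -ldnet'."""
    return [t[2:] for t in shlex.split(libs_output) if t.startswith("-L") and len(t) > 2]


def lib_names_from_libs(libs_output: str) -> List[str]:
    """-l library names from `dnet-config --libs`."""
    return [t[2:] for t in shlex.split(libs_output) if t.startswith("-l") and len(t) > 2]


def defined_symbols(nm_output: str) -> Set[str]:
    """Symbols a shared object defines, from `nm -D` lines '<addr> <type> <name>';
    undefined references ('U', weak 'w') have no address column and are skipped."""
    syms: Set[str] = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] != "U":
            syms.add(parts[2])
    return syms


def classify(nm_by_path: Dict[str, str]) -> Dict[str, bool]:
    """For each candidate library path: does it export the probe symbol?"""
    return {path: PROBE_SYMBOL in defined_symbols(out) for path, out in nm_by_path.items()}


def run_nm(path: str) -> str:
    """`nm -D` from binutils; '' if nm is missing, so the path is reported as not exporting."""
    try:
        return subprocess.run(["nm", "-D", path], capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def candidate_libraries(libs_output: str, extra_dirs: Sequence[str] = (),
                        exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Every lib<name>.so the configure link test could resolve: -L dirs first, then the
    assumed defaults, duplicates removed. `exists` is injectable so the walk can be tested."""
    dirs = lib_dirs_from_libs(libs_output) + list(extra_dirs) + DEFAULT_LIB_DIRS
    names = lib_names_from_libs(libs_output) or ["dnet"]
    found: List[str] = []
    for d in dirs:
        for n in names:
            p = os.path.join(d, f"lib{n}.so")
            if exists(p) and p not in found:
                found.append(p)
    return found


def scan_system(libs_output: str, nm_runner: Callable[[str], str] = run_nm) -> Dict[str, bool]:
    """Live check on this host; inject nm_runner to test without binutils."""
    return classify({p: nm_runner(p) for p in candidate_libraries(libs_output)})


if __name__ == "__main__":
    import sys
    libs = sys.argv[1] if len(sys.argv) > 1 else "-L/usr/local/lib -ldnet"   # Bill's output
    results = scan_system(libs)
    if not results:
        print("no libdnet.so found in the searched directories")
    for path, ok in results.items():
        print(f"{path}: {'exports' if ok else 'does NOT export'} {PROBE_SYMBOL}")
```

A libdnet.so that appears first in the search order but does not export eth_set is the one the configure link test is picking up.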
From: Will M. <wil...@gm...> - 2006-06-16 09:57:52
That's not the same thing. The patch on bleeding-snort doesn't have the http header parsing stuff. I need to update those patches haven't found the time......

On 6/15/06, Eric Hines <eri...@ap...> wrote:
> Hi Will,
>
> Here's the info. I spoke to our developers and it seems we're using
> Snort with inline enabled.
>
> [root@localhost ~]# /aw/sbin/snort2.4 -V
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.4.4 (Build 28)
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> (C) Copyright 1998-2005 Sourcefire Inc., et al.
> NOTE: Snort's default output has changed in version 2.4.1!
> The default logging mode is now PCAP, use "-K ascii" to activate
> the old default logging mode.
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
>
> ---------------------------------------------
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
> 1095 Pingree Road
> Suite 213
> Crystal Lake, IL 60014
> Toll Free: (877) 262-7593 ext:327
> Direct: (847) 854-2725 ext:327
> Fax: (847) 854-5106
> Web: http://www.appliedwatch.com
> Email: eri...@ap...
>
> --------------------------------------------
>
> "Enterprise Open Source Security Management"
>
> Will Metcalf wrote:
> > What version of snort-inline are you using? 2.4.4 and up attempt to
> > remove the http headers from a scanned http payload. A while ago the
> > clamav sig for eicar was tweaked to look for the eicar string in the
> > beginning of the scanned descriptor/buffer to reduce fp's etc.....
> >
> > Regards,
> >
> > Will
> > On 6/13/06, Eric Hines <eri...@ap...> wrote:
> > I have tried both toserveronly, and toclientonly. My current snort.conf:
> >
> > snort.conf
> > ***********
> > preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
> > 600, action-drop, toserveronly, file-descriptor-mode
> >
> > snort_log
> > *********
> > ClamAV config:
> > Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> > Virus found action: DROP
> > Virus definitions dir: '/aw/var/lib/clamav'
> > Virus DB reload time: '600'
> > Scan only traffic to the server
> > File descriptor scanning mode: Enabled, using cl_scandesc
> > Directory for tempfiles (file descriptor mode): '/tmp'
> >
> > Best Regards,
> >
> > Eric Hines, GCIA, CISSP
> > CEO, President
> > Applied Watch Technologies, LLC
> >
> > Eric Hines wrote:
> >> Will, et. al.,
> >>
> >> We're finding that attempts to go to www.eicar.org and download several
> >> signature files, even the text file, is succeeding without alerts or
> >> prevention from ClamAV/Snort-Inline in front of our machines.
> >> Snort-Inline is not dropping the attempts nor even alerting to the
> >> traffic.
> >>
> >> It's allowing me to not only view the Eicar test file but also save it to
> >> my HDD.
> >>
> >> Has anyone had this problem with the Eicar test file before using the
> >> ClamAV Preproc? (www.eicar.org)
> >>
> >> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
> >> itself? In searching the clamav-users ml archives, it seems it does
> >> have defs for the eicar test file, then perhaps it's a problem with the
> >> Preproc or our configuration? Please advise.
> >>
> >> Best Regards,
> >>
> >> Eric Hines, GCIA, CISSP
> >> CEO, President
> >> Applied Watch Technologies, LLC
> >>
> >> Will Metcalf wrote:
> >>>> hmm can you send the contents of your dnet.h file, it appears as
> >>>> if it is locating the file but the check for eth_set fails.
> >>>>
> >>>> On 6/12/06, Bill Warren <bw...@op...> wrote:
> >>>>> Hello,
> >>>>> I am trying to do a basic install of snort-inline 2.4.5. I am
> >>>>> running Debian Sarge with a 2.6 kernel on an Intel box.
> >>>>>
> >>>>> When I run:
> >>>>> ./configure
> >>>>>
> >>>>> I get
> >>>>> checking for dnet.h... yes
> >>>>> checking for eth_set in -ldnet... no
> >>>>>
> >>>>> ERROR! Libdnet header not found, go get it from
> >>>>> http://libdnet.sourceforge.net or use the --with-dnet-*
> >>>>> options, if you have it installed in an unusual place
> >>>>>
> >>>>> I have downloaded libdnet-1.11 from http://libdnet.sourceforge.net.
> >>>>> When I did a find it is found here:
> >>>>>
> >>>>> /usr/local/include/dnet.h
> >>>>>
> >>>>> Any ideas?
> >>>>> Thanks,
> >>>>> Bill
> >>>>>
> >>>>> --
> >>>>> Bill Warren
> >>>>> Network Systems Administrator
> >>>>> Optivel, Inc.
> >>>>> 317.275.2305 office
> >>>>> 317.523.8468 cell
> >>>>> www.optivel.com
From: Will M. <wil...@gm...> - 2006-06-16 08:52:36
Could be an iptables issue, make sure you are queueing both the incoming
and outgoing traffic. So if you want to inspect all port 80 traffic:

iptables -A INPUT -p tcp --dport 80 -j QUEUE
iptables -A OUTPUT -p tcp --sport 80 -j QUEUE
From: Will M. <wil...@gm...> - 2006-06-16 05:21:40
Depends on how you initialize the preprocs. If you initialize clamav
before http_inspect then you don't need a flow_depth of zero.

Regards,

Will

On 6/14/06, Daniel Purcell <dpu...@ni...> wrote:
> Are you using the HTTP inspect preprocessor? If so, what does your
> http_inspect_server line look like? You may have to set the
> http_inspect_server's flow_depth to zero if you're expecting the rule to
> ring by downloading the eicar test virus from the website.
>
> Will Metcalf wrote:
> > What version of snort-inline are you using? 2.4.4 and up attempt to
> > remove the http headers from a scanned http payload. A while ago the
> > clamav sig for eicar was tweaked to look for the eicar string in the
> > beginning of the scanned descriptor/buffer to reduce fp's etc.....
> >
> > Regards,
> >
> > Will
> > On 6/13/06, Eric Hines <eri...@ap...> wrote:
> >
> >> I have tried both toserveronly, and toclientonly. My current snort.conf:
> >>
> >> snort.conf
> >> ***********
> >> preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
> >> 600, action-drop, toserveronly, file-descriptor-mode
> >>
> >> snort_log
> >> *********
> >> ClamAV config:
> >>     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> >>     Virus found action: DROP
> >>     Virus definitions dir: '/aw/var/lib/clamav'
> >>     Virus DB reload time: '600'
> >>     Scan only traffic to the server
> >>     File descriptor scanning mode: Enabled, using cl_scandesc
> >>     Directory for tempfiles (file descriptor mode): '/tmp'
> >>
> >> Best Regards,
> >>
> >> Eric Hines, GCIA, CISSP
> >> CEO, President
> >> Applied Watch Technologies, LLC
> >>
> >> Eric Hines wrote:
> >>> Will, et al.,
> >>>
> >>> We're finding that attempts to go to www.eicar.org and download several
> >>> signature files, even the text file, is succeeding without alerts or
> >>> prevention from ClamAV/Snort-Inline in front of our machines.
> >>> Snort-Inline is not dropping the attempts nor even alerting to the traffic.
> >>>
> >>> It's allowing me to not only view Eicar test file but also save it to my HDD.
> >>>
> >>> Has anyone had this problem with the Eicar test file before using the
> >>> ClamAV Preproc? (www.eicar.org)
> >>>
> >>> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
> >>> itself? In searching the clamav-users ml archives, it seems it does have
> >>> defs for the eicar test file, then perhaps its a problem with the
> >>> Preproc or our configuration? Please advise.
> >>>
> >>> Best Regards,
> >>>
> >>> Eric Hines, GCIA, CISSP
> >>> CEO, President
> >>> Applied Watch Technologies, LLC
From: biotechisgodzilla.wifebeater <bio...@gm...> - 2006-06-15 18:52:46
Sorry to all the list, i'm having problems with my mail program
(sylpheed-claws), now i'm back with evolution ...

thank you Will, the problem was resolved as you suggested by adding:

iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE
iptables -A OUTPUT -j QUEUE

so that snort_inline can see all the traffic involved

thank you very much for your help!
keep going on the great work!!!

.mike
From: <bio...@gm...> - 2006-06-15 18:39:31
yes! thank you so much!

i've brutally added:

iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE
iptables -A OUTPUT -j QUEUE

just after the policy rules, so now snort_inline watches all the traffic

thank you again!
keep going on that great work!

.mike

On Thu, 15 Jun 2006 12:35:46 -0500
"Will Metcalf" <wil...@gm...> wrote:

> that probably means that snort_inline isn't seeing both the client and
> server side of the tcp connection. for the flow: established rules to
> work you need stream4 to see both the client and server side of the
> conversation.
From: <bio...@gm...> - 2006-06-15 18:27:03
yes i understand, so the problem could be that snort is on the same
machine as the web server? it's an iptables issue?

thank you very much, i hope that i'll be able in future to help this
community!

On Thu, 15 Jun 2006 12:35:46 -0500
"Will Metcalf" <wil...@gm...> wrote:

> that probably means that snort_inline isn't seeing both the client and
> server side of the tcp connection. for the flow: established rules to
> work you need stream4 to see both the client and server side of the
> conversation.
From: Will M. <wil...@gm...> - 2006-06-15 17:42:20
that probably means that snort_inline isn't seeing both the client and
server side of the tcp connection. for the flow: established rules to
work you need stream4 to see both the client and server side of the
conversation.

On 6/15/06, bio...@gm... <bio...@gm...> wrote:
> Hi all this is my first post,
> i'm mike i'm 26 and i live in rome, italy
> nice to meet you all!
>
> unfortunately this is a help request
>
> i'm running snort_inline 2.4.5 (build 29) on debian sarge
> given a rule like this:
>
> drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)
>
> it works only if i delete the flow 'established'
>
> by 'not working' i mean that the packets pass and the attack is not logged
>
> yes, i've put 'config flowbits_size: 256' in my conf
>
> i've googled around with no luck
>
> thanks in advance
> .mike
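The two-direction rule set Will describes, plus an audit for the one-sided case behind this thread (stream4 never sees the server side, so flow:established rules never fire). This is an added example, not code from the list or the snort_inline project; the function names, the "host"/"bridge" modes and the rule dumps are assumptions, and the dumps in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Emits iptables rules that hand both
# directions of a TCP service to the QUEUE target, and audits an
# iptables-save style dump for a missing direction. Needs only POSIX sh/awk.

# Print rules that queue both directions of traffic for a service port.
# $1 = TCP port; $2 = "host" (snort_inline runs on the server itself, the
# layout in this thread) or "bridge" (snort_inline forwards between two
# interfaces). Mode names are this example's own, not snort_inline options.
queue_rules_for_port() {
    port=$1
    mode=${2:-host}
    case $mode in
        host)
            # Client -> server arrives on INPUT; server -> client leaves on OUTPUT.
            echo "iptables -A INPUT -p tcp --dport $port -j QUEUE"
            echo "iptables -A OUTPUT -p tcp --sport $port -j QUEUE"
            ;;
        bridge)
            # Forwarded traffic crosses FORWARD in both directions.
            echo "iptables -A FORWARD -p tcp --dport $port -j QUEUE"
            echo "iptables -A FORWARD -p tcp --sport $port -j QUEUE"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
}

# Audit a rule dump (one rule per line, iptables-save syntax): return 0 when
# both the client->server (--dport PORT) and server->client (--sport PORT)
# directions reach QUEUE, 1 otherwise, naming the missing direction. A
# chain-wide "-j QUEUE" with no port match (Mike's fix) counts for both.
# $1 = file holding the dump, $2 = port.
check_queue_coverage() {
    dump=$1
    port=$2
    awk -v port="$port" '
        /-j QUEUE/ {
            if ($0 ~ ("--dport " port "( |$)")) to_server = 1
            else if ($0 ~ ("--sport " port "( |$)")) to_client = 1
            else if ($0 !~ /--[ds]port/) { to_server = 1; to_client = 1 }
        }
        END {
            if (to_server && to_client) exit 0
            if (!to_server) print "missing: client->server (--dport " port ") not queued"
            if (!to_client) print "missing: server->client (--sport " port ") not queued"
            exit 1
        }' "$dump"
}
```

On a live box, save `iptables-save -t filter` to a file and pass it to check_queue_coverage with the service port.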
From: Eric H. <eri...@ap...> - 2006-06-15 14:28:31
Daniel,

Thanks for your input. Here are my lines in ORDER as they appear in our
snort.conf:

preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
600, action-drop, toclientonly, file-descriptor-mode

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC

Daniel Purcell wrote:
> Are you using the HTTP inspect preprocessor? If so, what does your
> http_inspect_server line look like? You may have to set the
> http_inspect_server's flow_depth to zero if you're expecting the rule to
> ring by downloading the eicar test virus from the website.
>
> Will Metcalf wrote:
>> What version of snort-inline are you using? 2.4.4 and up attempt to
>> remove the http headers from a scanned http payload. A while ago the
>> clamav sig for eicar was tweaked to look for the eicar string in the
>> beginning of the scanned descriptor/buffer to reduce fp's etc.....
>>
>> Regards,
>>
>> Will
>> On 6/13/06, Eric Hines <eri...@ap...> wrote:
>>> I have tried both toserveronly, and toclientonly. My current snort.conf:
>>>
>>> snort.conf
>>> ***********
>>> preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
>>> 600, action-drop, toserveronly, file-descriptor-mode
>>>
>>> snort_log
>>> *********
>>> ClamAV config:
>>>     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
>>>     Virus found action: DROP
>>>     Virus definitions dir: '/aw/var/lib/clamav'
>>>     Virus DB reload time: '600'
>>>     Scan only traffic to the server
>>>     File descriptor scanning mode: Enabled, using cl_scandesc
>>>     Directory for tempfiles (file descriptor mode): '/tmp'
>>>
>>> Best Regards,
>>>
>>> Eric Hines, GCIA, CISSP
>>> CEO, President
>>> Applied Watch Technologies, LLC
>>>
>>> Eric Hines wrote:
>>>> Will, et al.,
>>>>
>>>> We're finding that attempts to go to www.eicar.org and download several
>>>> signature files, even the text file, is succeeding without alerts or
>>>> prevention from ClamAV/Snort-Inline in front of our machines.
>>>> Snort-Inline is not dropping the attempts nor even alerting to the
>>>> traffic.
>>>>
>>>> It's allowing me to not only view Eicar test file but also save it to
>>>> my HDD.
>>>>
>>>> Has anyone had this problem with the Eicar test file before using the
>>>> ClamAV Preproc? (www.eicar.org)
>>>>
>>>> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
>>>> itself? In searching the clamav-users ml archives, it seems it does
>>>> have defs for the eicar test file, then perhaps its a problem with the
>>>> Preproc or our configuration? Please advise.
>>>>
>>>> Best Regards,
>>>>
>>>> Eric Hines, GCIA, CISSP
>>>> CEO, President
>>>> Applied Watch Technologies, LLC
From: Eric H. <eri...@ap...> - 2006-06-15 14:22:17
Hi Will,

Here's the info. I spoke to our developers and it seems we're using
Snort with inline enabled.

[root@localhost ~]# /aw/sbin/snort2.4 -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.4 (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
           NOTE: Snort's default output has changed in version 2.4.1!
           The default logging mode is now PCAP, use "-K ascii" to activate
           the old default logging mode.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC

Will Metcalf wrote:
> What version of snort-inline are you using? 2.4.4 and up attempt to
> remove the http headers from a scanned http payload. A while ago the
> clamav sig for eicar was tweaked to look for the eicar string in the
> beginning of the scanned descriptor/buffer to reduce fp's etc.....
>
> Regards,
>
> Will
> On 6/13/06, Eric Hines <eri...@ap...> wrote:
> I have tried both toserveronly, and toclientonly. My current snort.conf:
>
> snort.conf
> ***********
> preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
> 600, action-drop, toserveronly, file-descriptor-mode
>
> snort_log
> *********
> ClamAV config:
>     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
>     Virus found action: DROP
>     Virus definitions dir: '/aw/var/lib/clamav'
>     Virus DB reload time: '600'
>     Scan only traffic to the server
>     File descriptor scanning mode: Enabled, using cl_scandesc
>     Directory for tempfiles (file descriptor mode): '/tmp'
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
>
> Eric Hines wrote:
>> Will, et al.,
>>
>> We're finding that attempts to go to www.eicar.org and download several
>> signature files, even the text file, is succeeding without alerts or
>> prevention from ClamAV/Snort-Inline in front of our machines.
>> Snort-Inline is not dropping the attempts nor even alerting to the
>> traffic.
>>
>> It's allowing me to not only view Eicar test file but also save it to
>> my HDD.
>>
>> Has anyone had this problem with the Eicar test file before using the
>> ClamAV Preproc? (www.eicar.org)
>>
>> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
>> itself? In searching the clamav-users ml archives, it seems it does
>> have defs for the eicar test file, then perhaps its a problem with the
>> Preproc or our configuration? Please advise.
>>
>> Best Regards,
>>
>> Eric Hines, GCIA, CISSP
>> CEO, President
>> Applied Watch Technologies, LLC
From: <bio...@gm...> - 2006-06-15 13:57:44
Hi all this is my first post,
i'm mike i'm 26 and i live in rome, italy
nice to meet you all!

unfortunately this is a help request

i'm running snort_inline 2.4.5 (build 29) on debian sarge
given a rule like this:

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)

it works only if i delete the flow 'established'

by 'not working' i mean that the packets pass and the attack is not logged

yes, i've put 'config flowbits_size: 256' in my conf

i've googled around with no luck

thanks in advance
.mike
From: Daniel P. <dpu...@ni...> - 2006-06-15 00:02:48
Are you using the HTTP inspect preprocessor? If so, what does your
http_inspect_server line look like? You may have to set the
http_inspect_server's flow_depth to zero if you're expecting the rule to
ring by downloading the eicar test virus from the website.

Will Metcalf wrote:
> What version of snort-inline are you using? 2.4.4 and up attempt to
> remove the http headers from a scanned http payload. A while ago the
> clamav sig for eicar was tweaked to look for the eicar string in the
> beginning of the scanned descriptor/buffer to reduce fp's etc.....
>
> Regards,
>
> Will
> On 6/13/06, Eric Hines <eri...@ap...> wrote:
>
>> I have tried both toserveronly, and toclientonly. My current snort.conf:
>>
>> snort.conf
>> ***********
>> preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
>> 600, action-drop, toserveronly, file-descriptor-mode
>>
>> snort_log
>> *********
>> ClamAV config:
>>     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
>>     Virus found action: DROP
>>     Virus definitions dir: '/aw/var/lib/clamav'
>>     Virus DB reload time: '600'
>>     Scan only traffic to the server
>>     File descriptor scanning mode: Enabled, using cl_scandesc
>>     Directory for tempfiles (file descriptor mode): '/tmp'
>>
>> Best Regards,
>>
>> Eric Hines, GCIA, CISSP
>> CEO, President
>> Applied Watch Technologies, LLC
>>
>> Eric Hines wrote:
>>
>>> Will, et al.,
>>>
>>> We're finding that attempts to go to www.eicar.org and download several
>>> signature files, even the text file, is succeeding without alerts or
>>> prevention from ClamAV/Snort-Inline in front of our machines.
>>> Snort-Inline is not dropping the attempts nor even alerting to the traffic.
>>>
>>> It's allowing me to not only view Eicar test file but also save it to my HDD.
>>>
>>> Has anyone had this problem with the Eicar test file before using the
>>> ClamAV Preproc? (www.eicar.org)
>>>
>>> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
>>> itself? In searching the clamav-users ml archives, it seems it does have
>>> defs for the eicar test file, then perhaps its a problem with the
>>> Preproc or our configuration? Please advise.
>>>
>>> Best Regards,
>>>
>>> Eric Hines, GCIA, CISSP
>>> CEO, President
>>> Applied Watch Technologies, LLC
From: Will M. <wil...@gm...> - 2006-06-14 15:41:01
What version of snort-inline are you using? 2.4.4 and up attempt to remove
the http headers from a scanned http payload. A while ago the clamav sig for
eicar was tweaked to look for the eicar string in the beginning of the
scanned descriptor/buffer to reduce fp's etc.....

Regards,

Will

On 6/13/06, Eric Hines <eri...@ap...> wrote:
> I have tried both toserveronly, and toclientonly. My current snort.conf:
>
> snort.conf
> ***********
> preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
> 600, action-drop, toserveronly, file-descriptor-mode
>
>
> snort_log
> *********
> ClamAV config:
> Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> Virus found action: DROP
> Virus definitions dir: '/aw/var/lib/clamav'
> Virus DB reload time: '600'
> Scan only traffic to the server
> File descriptor scanning mode: Enabled, using cl_scandesc
> Directory for tempfiles (file descriptor mode): '/tmp'
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
>
> Eric Hines wrote:
> > Will, et. al.,
> >
> > We're finding that attempts to go to www.eicar.org and download several
> > signature files, even the text file, is succeeding without alerts or
> > prevention from ClamAV/Snort-Inline in front of our machines.
> > Snort-Inline is not dropping the attempts nor even alerting to the traffic.
> >
> > It's allowing me to not only view the Eicar test file but also save it to my HDD.
> >
> > Has anyone had this problem with the Eicar test file before using the
> > ClamAV Preproc? (www.eicar.org)
> >
> > Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
> > itself? In searching the clamav-users ml archives, it seems it does have
> > defs for the eicar test file, then perhaps it's a problem with the
> > Preproc or our configuration? Please advise.
From: Victor J. <vi...@nk...> - 2006-06-14 11:12:31
Eric, please don't use an existing thread for a new subject, it messes up
the way e-mail programs group messages.

> We're finding that attempts to go to www.eicar.org and download several
> signature files, even the text file, is succeeding without alerts or
> prevention from ClamAV/Snort-Inline in front of our machines.
> Snort-Inline is not dropping the attempts nor even alerting to the traffic.
>
> It's allowing me to not only view the Eicar test file but also save it to my HDD.
>
> Has anyone had this problem with the Eicar test file before using the
> ClamAV Preproc? (www.eicar.org)
>
> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
> itself? In searching the clamav-users ml archives, it seems it does have
> defs for the eicar test file, then perhaps it's a problem with the
> Preproc or our configuration? Please advise.

It is a problem with Snort_inline + Clamav. The guys from ClamAV changed
their eicar signature a while ago, making sure it only matches when the
eicar string is at the start of a buffer. The ClamAV preproc scans raw
data, so in its buffer are http headers as well. This causes Snort_inline +
ClamAV to not match on eicar. For example ftp should work.

In Snort_inline 2.4.4 however, we added some http header parsing so the
header should no longer be in the buffer and eicar should be detected again.

Which version of snort_inline are you using?

Regards,
Victor
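To make Victor's explanation concrete, the following is an added example; it is not code from snort_inline, ClamAV or any poster on this list. It runs an anchored EICAR check (a stand-in for the "only at the start of the buffer" ClamAV signature behaviour the thread describes, not ClamAV's actual matcher) over a raw HTTP response as the preprocessor would see it, then over the same payload after the HTTP headers are removed, and over a bare FTP data-channel buffer, which matches without any stripping. The chunked and gzip handling goes beyond what the thread discusses and is an assumption about what a scanner needs in practice; the HTTP responses are constructed here, not captured.

```python
"""
Added example (not from snort_inline, ClamAV or the list posters): why an
anchored AV signature misses an HTTP download when handed the raw TCP
payload, and what removing the HTTP headers first changes.  Chunked and
gzip handling is an extension beyond the thread; samples are constructed.
"""
import gzip
import re
import zlib

# The EICAR test string (public anti-virus test pattern, 68 bytes).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

REQUEST_LINE = re.compile(rb"[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def anchored_eicar_match(buf: bytes) -> bool:
    """Stand-in for the eicar signature as described on the list: it only
    fires when the pattern sits at offset 0 of the scanned buffer."""
    return buf.startswith(EICAR)


def naive_strip_headers(buf: bytes) -> bytes:
    """Cut everything up to the first blank line.  Enough for a plain
    Content-Length response, not for chunked or compressed bodies."""
    sep = buf.find(b"\r\n\r\n")
    return buf if sep == -1 else buf[sep + 4:]


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (RFC 2616 section 3.6.1)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:
            break          # last-chunk; trailers, if any, are ignored
        out += body[pos:pos + size]
        pos += size + 2    # skip chunk data and its trailing CRLF
    return bytes(out)


def http_body(buf: bytes) -> bytes:
    """Return what an AV engine should actually see for this payload: the
    decoded HTTP body, or the buffer unchanged if it is not HTTP (an FTP
    data connection carries the bare file, so it already scans as-is)."""
    if not (buf.startswith(b"HTTP/") or REQUEST_LINE.match(buf)):
        return buf
    sep = buf.find(b"\r\n\r\n")
    if sep == -1:
        return b""        # header block incomplete: nothing scannable yet
    head, body = buf[:sep], buf[sep + 4:]
    headers = {}
    for line in head.split(b"\r\n")[1:]:   # skip the status/request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = zlib.decompress(body, 16 + zlib.MAX_WBITS)   # gzip wrapper
    return body


def detect(buf: bytes) -> bool:
    """Verdict after header removal and body decoding."""
    return anchored_eicar_match(http_body(buf))


# --- constructed samples (not captured traffic) ---------------------------
def _response(extra_headers: bytes, body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            b"Content-Type: application/octet-stream\r\n"
            + extra_headers + b"\r\n" + body)


PLAIN_HTTP = _response(b"Content-Length: %d\r\n" % len(EICAR), EICAR)
CHUNKED_HTTP = _response(b"Transfer-Encoding: chunked\r\n",
                         b"%x\r\n" % len(EICAR) + EICAR + b"\r\n0\r\n\r\n")
GZIP_HTTP = _response(b"Content-Encoding: gzip\r\n", gzip.compress(EICAR))
FTP_DATA = EICAR   # FTP data channel: file bytes with no protocol framing


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_HTTP), ("chunked", CHUNKED_HTTP),
                         ("gzip", GZIP_HTTP), ("ftp", FTP_DATA)]:
        print(f"{name:8s} raw={anchored_eicar_match(sample)!s:5s} "
              f"naive={anchored_eicar_match(naive_strip_headers(sample))!s:5s} "
              f"decoded={detect(sample)}")
```

Running the block prints one line per sample: the raw HTTP buffers never match because the status line is at offset 0, the plain response matches once the headers are gone, the chunked and gzip responses still fail after a naive header cut and only match once the body is decoded, and the FTP sample matches untouched, which is the "ftp should work" case above.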
From: Eric H. <eri...@ap...> - 2006-06-14 03:20:57
I have tried both toserveronly, and toclientonly. My current snort.conf:

snort.conf
***********
preprocessor clamav: ports all, dbdir /aw/var/lib/clamav, dbreload-time
600, action-drop, toserveronly, file-descriptor-mode


snort_log
*********
ClamAV config:
Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
Virus found action: DROP
Virus definitions dir: '/aw/var/lib/clamav'
Virus DB reload time: '600'
Scan only traffic to the server
File descriptor scanning mode: Enabled, using cl_scandesc
Directory for tempfiles (file descriptor mode): '/tmp'


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eri...@ap...

"Enterprise Open Source Security Management"


Eric Hines wrote:
> Will, et. al.,
>
> We're finding that attempts to go to www.eicar.org and download several
> signature files, even the text file, is succeeding without alerts or
> prevention from ClamAV/Snort-Inline in front of our machines.
> Snort-Inline is not dropping the attempts nor even alerting to the traffic.
>
> It's allowing me to not only view the Eicar test file but also save it to my HDD.
>
> Has anyone had this problem with the Eicar test file before using the
> ClamAV Preproc? (www.eicar.org)
>
> Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
> itself? In searching the clamav-users ml archives, it seems it does have
> defs for the eicar test file, then perhaps it's a problem with the
> Preproc or our configuration? Please advise.
From: Eric H. <eri...@ap...> - 2006-06-14 02:59:23
Will, et. al.,

We're finding that attempts to go to www.eicar.org and download several
signature files, even the text file, is succeeding without alerts or
prevention from ClamAV/Snort-Inline in front of our machines.
Snort-Inline is not dropping the attempts nor even alerting to the traffic.

It's allowing me to not only view the Eicar test file but also save it to my HDD.

Has anyone had this problem with the Eicar test file before using the
ClamAV Preproc? (www.eicar.org)

Is this a problem with the ClamAV Preproc + Snort-Inline or ClamAV
itself? In searching the clamav-users ml archives, it seems it does have
defs for the eicar test file, then perhaps it's a problem with the
Preproc or our configuration? Please advise.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eri...@ap...

"Enterprise Open Source Security Management"


Will Metcalf wrote:
> hmm can you send the contents of your dnet.h file, it appears as if it
> is locating the file but the check for eth_set fails.
>
> On 6/12/06, Bill Warren <bw...@op...> wrote:
>> Hello,
>> I am trying to do a basic install of snort-inline 2.4.5. I am running
>> Debian Sarge with a 2.6 kernel on an Intel box.
>>
>> When I run:
>> ./configure
>>
>> I get
>> checking for dnet.h... yes
>> checking for eth_set in -ldnet... no
>>
>> ERROR! Libdnet header not found, go get it from
>> http://libdnet.sourceforge.net or use the --with-dnet-*
>> options, if you have it installed in an unusual place
>>
>> I have downloaded libdnet-1.11 from http://libdnet.sourceforge.net.
>> When I did a find it is found here:
>>
>> /usr/local/include/dnet.h
>>
>>
>> Any ideas?
>> Thanks,
>> Bill
>>
>> --
>> Bill Warren
>> Network Systems Administrator
>> Optivel, Inc.
>> 317.275.2305 office
>> 317.523.8468 cell
>> www.optivel.com