From: Victor J. <li...@in...> - 2007-05-14 20:06:50

Thanks to the SourceFire team for this release! I have just updated the Snort_inline SVN tree to 2.6.1.5 as well. For an overview of the differences between Snort and Snort_inline, please see my blogpost on the subject: http://www.inliniac.net/blog/?p=74

Regards,
Victor

Snort Releases wrote:
> Hi everybody,
>
> Snort v2.6.1.5 has been released. The software and source code is
> available at: http://snort.org/dl/
>
> Snort v2.6.1.5 includes:
>
> * A new http_post rule keyword used to search for content in normalized
>   HTTP posts
> * A fix for a potential memory leak when generating HTTP Inspection events
>
> NOTE: In the default configuration, the http_inspect preprocessor will
> generate informational events on normalized HTTP POST data. To disable
> these events, refer to the Snort Manual.
>
> Happy Snorting!
>
> The Snort Release Team
> Sourcefire, Inc.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Sno...@li...
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
From: Victor J. <li...@in...> - 2007-04-29 09:42:25

Muhammad Najmi Ahmad Zabidi wrote:
> hello
>
> i tried to install snort-inline on my debian etch (4.0) using source
> 2.4.5 and previously 2.6 (beta) but it comes out i got this error:
>
> ERROR! Libdnet header not found, go get it from
> http://libdnet.sourceforge.net or use the --with-dnet-*
> options, if you have it installed in an unusual place
>
> btw, say i put the libdnet sources in
>
> /usr/src/libdnet (or $HOME/libdnet etc),
> do I have to address
>
> ./configure --with-dnet=/usr/src/libdnet ?
>
> since i saw dnet-config in the libdnet sources.
> from the error here:
>
> ./configure: line 8577: dnet-config: command not found
> ./configure: line 8579: dnet-config: command not found

I think the 'dnet-config' command needs to be in the PATH right now. We should fix this in the configure script I think...

Cheers,
Victor
From: Muhammad N. A. Z. <naj...@gm...> - 2007-04-29 06:32:51

hello

i tried to install snort-inline on my debian etch (4.0) using source 2.4.5 and previously 2.6 (beta) but it comes out i got this error:

ERROR! Libdnet header not found, go get it from
http://libdnet.sourceforge.net or use the --with-dnet-*
options, if you have it installed in an unusual place

btw, say i put the libdnet sources in

/usr/src/libdnet (or $HOME/libdnet etc),
do I have to address

./configure --with-dnet=/usr/src/libdnet ?

since i saw dnet-config in the libdnet sources.
from the error here:

./configure: line 8577: dnet-config: command not found
./configure: line 8579: dnet-config: command not found

Thanks.
From: Roman G. <sl...@sl...> - 2007-04-23 11:51:21

> Hello,
>
> Trunking is a word used by Cisco Systems.
> It used the normalized 802.1Q protocol. (In the past Cisco used ISL)
> You need to use 802.1Q when you want to propagate several VLANs
> inside a network link.
>
> Regards
>
> Troopy
>
> **********************
> Open Your Mind!
> http://www.openmaniak.com
>
> ---------- Original Message ----------------------------------
> From: "Roman Glebov" <sl...@sl...>
> Reply-To: sl...@sl...
> Date: Sun, 22 Apr 2007 10:05:09 -0000 (UTC)
>
>> Yes, there are vlans and everything on that network.
>>
>> And linux bridge should be there completely transparent and forward every
>> possible packet/protocol.
>>
>> It looks like it does not do it somehow.
>>
>> hmm
>>
>> Roman Glebov
>>
>> P.S. What does trunking mean?
>>
>>> Are you trunking and using vlans?
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>>>
>>>> i did a test. i have one cisco device before the bridge
>>>> and a second cisco device after the bridge.
>>>>
>>>> the first sends the bpdu packets all the time, which are never received by
>>>> the second one after the bridge.
>>>> my stp on the bridge is off because it should not participate but simply
>>>> forward all of the traffic.
>>>>
>>>> > hmmmm you will not see bpdu's in snort-inline. What makes you think they
>>>> > are not being passed? Do you have stp enabled on the bridge?
>>>> >
>>>> > Regards,
>>>> >
>>>> > Will
>>>> >
>>>> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>>> >>
>>>> >> Sorry, I forgot to tell.
>>>> >> It is a simple bridge with stp off:
>>>> >>
>>>> >> brctl addbr br0
>>>> >> brctl addif br0 eth0
>>>> >> brctl addif br0 eth1
>>>> >>
>>>> >> ifconfig br0 up
>>>> >>
>>>> >> br0 eth0 eth1 have no addresses.
>>>> >>
>>>> >> I am using debian unstable kernel:
>>>> >> 2.6.18-4-686
>>>> >>
>>>> >> With regards Roman Glebov
>>>> >>
>>>> >> > what does your bridge configuration look like?
>>>> >> >
>>>> >> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>>> >> >>
>>>> >> >> Hallo!
>>>> >> >>
>>>> >> >> I found recently out that snort inline or the bridge are not
>>>> >> >> forwarding any bpdu packets!
>>>> >> >>
>>>> >> >> Is this a known problem or a misconfiguration?
>>>> >> >>
>>>> >> >> Roman Glebov
>
> ______________________________________________________
> Would you like an @suisse.com e-mail address?
> Visit virtual Switzerland at http://www.suisse.com

I think I have a patch for the linux kernel to enable a "stealthy" bridge. It simply disables the separate handling of stp packets. As a result you get sort of a stealthy bridge with broken stp. I will try if it works.

Cheers,
Roman Glebov
From: Roman G. <sl...@sl...> - 2007-04-23 07:53:28

> Hello,
>
> Trunking is a word used by Cisco Systems.
> It used the normalized 802.1Q protocol. (In the past Cisco used ISL)
> You need to use 802.1Q when you want to propagate several VLANs
> inside a network link.
>
> Regards
>
> Troopy
>
> **********************
> Open Your Mind!
> http://www.openmaniak.com
>
> ---------- Original Message ----------------------------------
> From: "Roman Glebov" <sl...@sl...>
> Reply-To: sl...@sl...
> Date: Sun, 22 Apr 2007 10:05:09 -0000 (UTC)
>
>> Yes, there are vlans and everything on that network.
>>
>> And linux bridge should be there completely transparent and forward every
>> possible packet/protocol.
>>
>> It looks like it does not do it somehow.
>>
>> hmm
>>
>> Roman Glebov
>>
>> P.S. What does trunking mean?
>>
>>> Are you trunking and using vlans?
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>>>
>>>> i did a test. i have one cisco device before the bridge
>>>> and a second cisco device after the bridge.
>>>>
>>>> the first sends the bpdu packets all the time, which are never received by
>>>> the second one after the bridge.
>>>> my stp on the bridge is off because it should not participate but simply
>>>> forward all of the traffic.
>>>>
>>>> > hmmmm you will not see bpdu's in snort-inline. What makes you think they
>>>> > are not being passed? Do you have stp enabled on the bridge?
>>>> >
>>>> > Regards,
>>>> >
>>>> > Will
>>>> >
>>>> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>>> >>
>>>> >> Sorry, I forgot to tell.
>>>> >> It is a simple bridge with stp off:
>>>> >>
>>>> >> brctl addbr br0
>>>> >> brctl addif br0 eth0
>>>> >> brctl addif br0 eth1
>>>> >>
>>>> >> ifconfig br0 up
>>>> >>
>>>> >> br0 eth0 eth1 have no addresses.
>>>> >>
>>>> >> I am using debian unstable kernel:
>>>> >> 2.6.18-4-686
>>>> >>
>>>> >> With regards Roman Glebov
>>>> >>
>>>> >> > what does your bridge configuration look like?
>>>> >> >
>>>> >> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>>> >> >>
>>>> >> >> Hallo!
>>>> >> >>
>>>> >> >> I found recently out that snort inline or the bridge are not
>>>> >> >> forwarding any bpdu packets!
>>>> >> >>
>>>> >> >> Is this a known problem or a misconfiguration?
>>>> >> >>
>>>> >> >> Roman Glebov

Looks like the problem lies in the bridge implementation of the linux kernel. The linux bridge does not forward bpdu packets, but only a) drops them when stp is off, or b) consumes them when stp is on and sends its own packets with its own mac address, which makes the bridge detectable! There is nothing you can do about it without hacking on the kernel.

With regards,
Roman Glebov
From: Roman G. <sl...@sl...> - 2007-04-22 08:02:35

Yes, there are vlans and everything on that network.

And linux bridge should be there completely transparent and forward every
possible packet/protocol.

It looks like it does not do it somehow.

hmm

Roman Glebov

P.S. What does trunking mean?

> Are you trunking and using vlans?
>
> Regards,
>
> Will
>
> On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>
>> i did a test. i have one cisco device before the bridge
>> and a second cisco device after the bridge.
>>
>> the first sends the bpdu packets all the time, which are never received by
>> the second one after the bridge.
>> my stp on the bridge is off because it should not participate but simply
>> forward all of the traffic.
>>
>> > hmmmm you will not see bpdu's in snort-inline. What makes you think they
>> > are not being passed? Do you have stp enabled on the bridge?
>> >
>> > Regards,
>> >
>> > Will
>> >
>> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>> >>
>> >> Sorry, I forgot to tell.
>> >> It is a simple bridge with stp off:
>> >>
>> >> brctl addbr br0
>> >> brctl addif br0 eth0
>> >> brctl addif br0 eth1
>> >>
>> >> ifconfig br0 up
>> >>
>> >> br0 eth0 eth1 have no addresses.
>> >>
>> >> I am using debian unstable kernel:
>> >> 2.6.18-4-686
>> >>
>> >> With regards Roman Glebov
>> >>
>> >> > what does your bridge configuration look like?
>> >> >
>> >> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>> >> >>
>> >> >> Hallo!
>> >> >>
>> >> >> I found recently out that snort inline or the bridge are not
>> >> >> forwarding any bpdu packets!
>> >> >>
>> >> >> Is this a known problem or a misconfiguration?
>> >> >>
>> >> >> Roman Glebov
From: Will M. <wil...@gm...> - 2007-04-22 02:02:11

Are you trunking and using vlans?

Regards,

Will

On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>
> i did a test. i have one cisco device before the bridge
> and a second cisco device after the bridge.
>
> the first sends the bpdu packets all the time, which are never received by
> the second one after the bridge.
> my stp on the bridge is off because it should not participate but simply
> forward all of the traffic.
>
> > hmmmm you will not see bpdu's in snort-inline. What makes you think they
> > are not being passed? Do you have stp enabled on the bridge?
> >
> > Regards,
> >
> > Will
> >
> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
> >>
> >> Sorry, I forgot to tell.
> >> It is a simple bridge with stp off:
> >>
> >> brctl addbr br0
> >> brctl addif br0 eth0
> >> brctl addif br0 eth1
> >>
> >> ifconfig br0 up
> >>
> >> br0 eth0 eth1 have no addresses.
> >>
> >> I am using debian unstable kernel:
> >> 2.6.18-4-686
> >>
> >> With regards Roman Glebov
> >>
> >> > what does your bridge configuration look like?
> >> >
> >> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
> >> >>
> >> >> Hallo!
> >> >>
> >> >> I found recently out that snort inline or the bridge are not
> >> >> forwarding any bpdu packets!
> >> >>
> >> >> Is this a known problem or a misconfiguration?
> >> >>
> >> >> Roman Glebov
From: Will M. <wil...@gm...> - 2007-04-21 22:46:26

Nice work!

Regards,

Will

On 4/21/07, Michael Rash <mb...@ci...> wrote:
>
> Hi all -
>
> I have released fwsnort-1.0 (http://www.cipherdyne.org/fwsnort), and
> this release includes the ability to change a "default QUEUE" iptables
> policy to "QUEUE only those packets that match a content or uricontent
> signature keyword". I have not done a lot of extensive testing yet,
> but some preliminary performance results are encouraging. For example,
> the throughput increased by 57% using this strategy for the following
> simplistic signature (that is just designed to get snort_inline to
> inspect every TCP packet regardless of port number):
>
> alert tcp any any -> any any (msg:"fwsnort download"; content: \
> "fwsnort/download"; classtype:web-application-attack; sid:12325678;
> rev:1;)
>
> There are some tradeoffs of course (lack of stream reassembly and
> inability to do application layer decoding for example), but in high
> throughput scenarios these disadvantages may be worth it. Snort_inline
> can still run other complex tests (pcre, byte_test, etc.) over packets
> that are queued to userspace.
>
> Here is a blog posting that includes some preliminary results for the
> signature above (using netperf for throughput testing):
>
> http://michaelrash.blogspot.com/2007/04/kernel-string-matching-and-ips.html
>
> Feedback is welcome.
>
> --
> Michael Rash
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
From: Roman G. <sl...@sl...> - 2007-04-21 20:18:41

i did a test. i have one cisco device before the bridge
and a second cisco device after the bridge.

the first sends the bpdu packets all the time, which are never received by
the second one after the bridge.
my stp on the bridge is off because it should not participate but simply
forward all of the traffic.

> hmmmm you will not see bpdu's in snort-inline. What makes you think they
> are not being passed? Do you have stp enabled on the bridge?
>
> Regards,
>
> Will
>
> On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>
>> Sorry, I forgot to tell.
>> It is a simple bridge with stp off:
>>
>> brctl addbr br0
>> brctl addif br0 eth0
>> brctl addif br0 eth1
>>
>> ifconfig br0 up
>>
>> br0 eth0 eth1 have no addresses.
>>
>> I am using debian unstable kernel:
>> 2.6.18-4-686
>>
>> With regards Roman Glebov
>>
>> > what does your bridge configuration look like?
>> >
>> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>> >>
>> >> Hallo!
>> >>
>> >> I found recently out that snort inline or the bridge are not
>> >> forwarding any bpdu packets!
>> >>
>> >> Is this a known problem or a misconfiguration?
>> >>
>> >> Roman Glebov
From: Michael R. <mb...@ci...> - 2007-04-21 19:47:45

Hi all -

I have released fwsnort-1.0 (http://www.cipherdyne.org/fwsnort), and
this release includes the ability to change a "default QUEUE" iptables
policy to "QUEUE only those packets that match a content or uricontent
signature keyword". I have not done a lot of extensive testing yet,
but some preliminary performance results are encouraging. For example,
the throughput increased by 57% using this strategy for the following
simplistic signature (that is just designed to get snort_inline to
inspect every TCP packet regardless of port number):

alert tcp any any -> any any (msg:"fwsnort download"; content: \
"fwsnort/download"; classtype:web-application-attack; sid:12325678;
rev:1;)

There are some tradeoffs of course (lack of stream reassembly and
inability to do application layer decoding for example), but in high
throughput scenarios these disadvantages may be worth it. Snort_inline
can still run other complex tests (pcre, byte_test, etc.) over packets
that are queued to userspace.

Here is a blog posting that includes some preliminary results for the
signature above (using netperf for throughput testing):

http://michaelrash.blogspot.com/2007/04/kernel-string-matching-and-ips.html

Feedback is welcome.

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
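The "QUEUE only what matches a content keyword" idea in the announcement above can be shown in miniature: parse the signature's header and options, take its first content/uricontent pattern, and emit the iptables string-match rule that would hand only those packets to snort_inline. This is an added example written for this page, not fwsnort's own code; it assumes a Linux host with the iptables xt_string match and the QUEUE target, and it uses the signature from the announcement as constructed sample input. The `--hex-string` branch for Snort's `|41 42|` byte notation goes beyond the plain-text case in the message.

```python
"""Derive a 'queue only on content match' iptables rule from a Snort signature.

Added example illustrating the fwsnort strategy described above; not fwsnort
code.  Assumes the iptables xt_string match and the QUEUE target are present.
"""
import re
import shlex

# The signature quoted in the announcement, reproduced here as sample input.
RULE_FROM_LIST = (
    'alert tcp any any -> any any (msg:"fwsnort download"; content: \\\n'
    '"fwsnort/download"; classtype:web-application-attack; sid:12325678; rev:1;)'
)

_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>[^\s(]+)\s*\((?P<opts>.*)\)$",
    re.S,
)
# One "key[:value];" option; the value is either a double-quoted string
# (with backslash escapes) or bare text up to the next semicolon.
_OPTION = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule_text):
    """Split a Snort rule into header fields and an ordered (key, value) list."""
    text = rule_text.replace("\\\n", " ").strip()   # join backslash continuations
    m = _HEADER.match(text)
    if m is None:
        raise ValueError("not a Snort rule header: %r" % text[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    rule["options"] = []
    opts, pos = m.group("opts").strip(), 0
    while pos < len(opts):
        om = _OPTION.match(opts, pos)
        if om is None:
            raise ValueError("unparsable option text: %r" % opts[pos:pos + 20])
        key, val = om.group(1), om.group(2)
        if val is not None:
            val = val.strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
        rule["options"].append((key, val))
        pos = om.end()
    return rule


def queue_rule(rule, chain="FORWARD", target="QUEUE"):
    """iptables argv that queues only packets carrying the rule's first
    content/uricontent pattern; everything else stays in the kernel path.
    Port fields are passed through only as single ports or a:b ranges."""
    patterns = [v for k, v in rule["options"] if k in ("content", "uricontent")]
    if not patterns:
        raise ValueError("rule has no content/uricontent keyword; nothing to prefilter on")
    pattern = patterns[0]
    if pattern.startswith("!"):
        raise ValueError("negated content cannot be used as a queue prefilter")
    cmd = ["iptables", "-A", chain, "-p", rule["proto"]]
    if rule["proto"] in ("tcp", "udp"):
        if rule["dport"] != "any":
            cmd += ["--dport", rule["dport"]]
        if rule["sport"] != "any":
            cmd += ["--sport", rule["sport"]]
    # Snort's |41 42| hex notation maps onto iptables --hex-string, which uses
    # the same |..| syntax; plain patterns use --string.
    flag = "--hex-string" if "|" in pattern else "--string"
    cmd += ["-m", "string", "--algo", "bm", flag, pattern, "-j", target]
    return cmd


def shell_line(cmd):
    """Quote the argv for pasting into a shell."""
    return " ".join(shlex.quote(c) for c in cmd)


if __name__ == "__main__":
    print(shell_line(queue_rule(parse_rule(RULE_FROM_LIST))))
```

Only the first pattern is used as the kernel-side prefilter; the full rule (pcre, byte_test and the rest) still runs in snort_inline on the packets that get queued, which is the split the announcement describes.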
From: Will M. <wil...@gm...> - 2007-04-21 19:09:55

hmmmm you will not see bpdu's in snort-inline. What makes you think they are
not being passed? Do you have stp enabled on the bridge?

Regards,

Will

On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>
> Sorry, I forgot to tell.
> It is a simple bridge with stp off:
>
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
>
> ifconfig br0 up
>
> br0 eth0 eth1 have no addresses.
>
> I am using debian unstable kernel:
> 2.6.18-4-686
>
> With regards Roman Glebov
>
> > what does your bridge configuration look like?
> >
> > On 4/21/07, Roman Glebov <sl...@sl...> wrote:
> >>
> >> Hallo!
> >>
> >> I found recently out that snort inline or the bridge are not forwarding
> >> any bpdu packets!
> >>
> >> Is this a known problem or a misconfiguration?
> >>
> >> Roman Glebov
From: Roman G. <sl...@sl...> - 2007-04-21 18:25:46

Sorry, I forgot to tell.
It is a simple bridge with stp off:

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 up

br0 eth0 eth1 have no addresses.

I am using debian unstable kernel:
2.6.18-4-686

With regards Roman Glebov

> what does your bridge configuration look like?
>
> On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>>
>> Hallo!
>>
>> I found recently out that snort inline or the bridge are not forwarding
>> any bpdu packets!
>>
>> Is this a known problem or a misconfiguration?
>>
>> Roman Glebov
From: Will M. <wil...@gm...> - 2007-04-21 18:01:04

what does your bridge configuration look like?

On 4/21/07, Roman Glebov <sl...@sl...> wrote:
>
> Hallo!
>
> I found recently out that snort inline or the bridge are not forwarding
> any bpdu packets!
>
> Is this a known problem or a misconfiguration?
>
> Roman Glebov
From: Roman G. <sl...@sl...> - 2007-04-21 17:43:43

Hallo!

I found recently out that snort inline or the bridge are not forwarding
any bpdu packets!

Is this a known problem or a misconfiguration?

Roman Glebov
From: Victor J. <li...@in...> - 2007-04-16 19:07:28

Hi,

Thanks for this manual. You mention that you had problems with Snort_inline 2.6.1.2B1. Can you tell a bit more about that?

Regards,
Victor

Troopy . wrote:
> Hello,
> Thank you very much for this fantastic tool
>
> If this can help, you can find below a Snort_Inline tutorial:
>
> http://www.openmaniak.com/inline.php
>
> Give us your feedback
>
> Thanks
>
> ______________________________________________________
> Would you like an @suisse.com e-mail address?
> Visit virtual Switzerland at http://www.suisse.com
From: Victor J. <li...@in...> - 2007-04-16 07:53:05

Hi Roman,

I think the issue is in your 'stream4_reassemble' line. You have 'clientonly' set. This means only the traffic flowing from the client to the server is reassembled. The virus however, is flowing from the server to the client. Try replacing 'clientonly' by 'both' or 'serveronly' and see what happens!

Cheers,
Victor

Roman Glebov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hallo,
> I have a feeling that stream reassembly is not working for clamav.
>
> All the time I look at the /tmp where snort_inline puts
> file descriptors for the clamav test, they are 1452 bytes big.
>
> If I understand it correctly clamav should get "ueberpackets" from
> stream4 and stream_reassembly but it seems not to be the case.
>
> Here is my config:
>
> sed -r '/^#|^$/{d}' snort_inline.conf
> var HOME_NET any
> var HONEYNET any
> var EXTERNAL_NET any
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
> var DNS_SERVERS any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> config checksum_mode: all
> var RULE_PATH rules
> config detection: search-method ac
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts, memcap 134217728, max_ooo_pkts 10, max_ooo_bytes 200, max_seq_holes 100, stream4inline, disable_norm_wscale,enforce_state,timeout 3600
> preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base 4096, flush_behavior random
> preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp
> preprocessor sfportscan: proto { all } \
>     memcap { 10000000 } \
>     sense_level { low }
> output alert_fast: snort_inline-fast
> include classification.config
> include reference.config
> include enabled.rules
>
> and here is the output from starting snort_inline:
>
> snort_inline -Q -H 1 -c snort_inline.conf
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
> Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Var 'HOME_NET' defined, value len = 3 chars, value = any
> Var 'HONEYNET' defined, value len = 3 chars, value = any
> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> Var 'AIM_SERVERS' defined, value len = 185 chars
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Var 'RULE_PATH' defined, value len = 5 chars, value = rules
> Detection:
>    Search-Method = AC-Full
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4099
> | Overhead Bytes:  16400(%0.16)
> `----------------------------------------------
> stream4inline mode enabled
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 3600 seconds
>     Session memory cap: 134217728 bytes
>     Session count max: 8192 sessions
>     Session cleanup count: 5
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
>     Enforce TCP State: ACTIVE
>     Midstream Drop Alerts: INACTIVE
>     Allow Blocking of TCP Sessions in Inline: ACTIVE
>     Server Data Inspection Limit: -1
>     Inline-mode options:
>         Inline-mode enabled? (stream4inline): Yes
>         Scan mode? (scan_stream_only): Both packet and stream
>         Sliding Windowsize (window_size): 3000
>         Memcap reached method (truncate): Prune
>         Truncate percentage (truncate_percentage): 33
>         Store/Load state from/to disk: No
>         Max out-of-order packets in a stream (max_ooo_pkts): 10
>         Max out-of-order bytes in a stream (max_ooo_bytes): 200
>         Max sequence holes in a stream (max_seq_holes): 100
>         Normalize wscale max (norm_wscale_max): 2
>         Perform window scale normaliztion: No
>         Disable out-of-order packet drop: No
>         Disable out-of-order packet drop: No
>         Disable sequence hole packet drop: No
>         Max sequence holes in a stream (max_seq_holes): 100
>         Disable wscale normalization alerts (disable_norm_wscale_alerts): No
>         Disable out-of-order alerts (disable_ooo_alerts): No
>         Drop bad RST packets? (drop_bad_rst): No
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     Flush stream on alert: ACTIVE
>     flush_data_diff_size: 500
>     Reassembler Packet Preferance : Favor Old
>     Packet Sequence Overlap Limit: -1
>     Flush behavior: random
>     Flush base: 4096
>     Flush seed: 1176608780
>     Flush range: 1213
>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> ClamAV config:
>     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
>     Virus found action: ALERT
>     Virus definitions dir: '/usr/share/clamav'
>     Virus DB reload time: '43200'
>     Scan only traffic to the client
>     Directory for tempfiles (file descriptor mode): '/tmp'
> Portscan Detection Config:
>     Detect Protocols:  TCP UDP ICMP IP
>     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
>     Sensitivity Level: Low
>     Memcap (in bytes): 10000000
>     Number of Nodes:   36900
>
> 2742 Snort rules read...
> 2742 Option Chains linked into 181 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Tagged Packet Limit: 256
> InitInline stage 2: InitInlinePostConfig starting...
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1      sig-id=6364       type=Limit     tracking=src count=1   seconds=300
> | gen-id=1      sig-id=6254       type=Limit     tracking=src count=1   seconds=300
> | gen-id=1      sig-id=6494       type=Limit     tracking=src count=1   seconds=1200
> | gen-id=1      sig-id=2001043    type=Limit     tracking=src count=10  seconds=60
> | gen-id=1      sig-id=2003268    type=Both      tracking=src count=1   seconds=900
> | gen-id=1      sig-id=7570       type=Limit     tracking=src count=1   seconds=300
> ...
> | gen-id=1      sig-id=6200       type=Limit     tracking=src count=1   seconds=300
> | gen-id=1      sig-id=6477       type=Limit     tracking=src count=1   seconds=300
> | gen-id=1      sig-id=5802       type=Limit     tracking=src count=1   seconds=300
> | gen-id=1      sig-id=7050       type=Limit     tracking=src count=1   seconds=300
> | gen-id=1      sig-id=6496       type=Limit     tracking=src count=1   seconds=300
> | gen-id=1      sig-id=2002732    type=Threshold tracking=src count=10  seconds=60
> | gen-id=1      sig-id=5765       type=Limit     tracking=src count=1   seconds=300
> | gen-id=1      sig-id=2003266    type=Both      tracking=src count=1   seconds=900
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order: ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
> Log directory = /var/log/snort
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>   Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'tagged' is set but not ever checked.
> Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> Warning: flowbits key 'trojan' is set but not ever checked.
> 80 out of 512 flowbits in use.
> Setting the Packet Processor to decode packets from iptables
> +--[Pattern Matcher:Aho-Corasick Summary]----------------------
> | Alphabet Size    : 256 Chars
> | Sizeof State     : 2 bytes
> | Storage Format   : Full
> | Num States       : 225975
> | Num Transitions  : 11746889
> | State Density    : 20.3%
> | Finite Automatum : DFA
> | Memory           : 163.07Mbytes
> +-------------------------------------------------------------
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort_Inline! <*-
>   o"  )~   Version 2.6.1.2 (Build 34) inline
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>            Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
>            Dave Remien, Rob McMillen and Jed Haile
>            (C) Copyright 1998-2006 Sourcefire Inc., et al.
> > Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 > <Build 11> > Preprocessor Object: SF_SMTP Version 1.0 <Build 6> > Preprocessor Object: SF_DNS Version 1.0 <Build 1> > Preprocessor Object: SF_DCERPC Version 1.0 <Build 3> > Preprocessor Object: SF_SSH Version 1.0 <Build 1> > Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8> > Not Using PCAP_FRAMES > > > > by the way why is the thresholding activated ? > > +-----------------------[thresholding-config]---------------------------------- > | memory-cap : 1048576 bytes > +-----------------------[thresholding-global]---------------------------------- > | none > +-----------------------[thresholding-local]----------------------------------- > > what is it for and how to deactivate it ? > > i am using snort_inline 2.6.1.2BETA1 > > config flags : > ./configure --enable-nfnetlink > - --with-libipq-includes=/usr/local/include/ --enable-clamav > > > ideas why is stream4 not reasembling packets for clamav ? > > > with regards > > Roman Gebov > |
From: Will M. <wil...@gm...> - 2007-04-16 01:46:31
|
enable stream4inline On 4/14/07, Roman Glebov <sl...@sl...> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hallo, > i have a feeling that streamreassembly is not working for clamav. > > All the time i look at the /tmp where snort_inline puts > filedescriptors for the clamav test, they are 1452 bytes big. > > If i understand it correctly clamav should get ueberpackets from > stream4 and steam_reassembly but it seems not to be the case. > > > Here is my config: > > sed -r '/^#|^$/{d}' snort_inline.conf > var HOME_NET any > var HONEYNET any > var EXTERNAL_NET any > var SMTP_SERVERS any > var TELNET_SERVERS any > var HTTP_SERVERS any > var SQL_SERVERS any > var DNS_SERVERS any > var HTTP_PORTS 80 > var SHELLCODE_PORTS !80 > var ORACLE_PORTS 1521 > var AIM_SERVERS > [ > 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24 > ] > config checksum_mode: all > var RULE_PATH rules > config detection: search-method ac > dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ > dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so > preprocessor flow: stats_interval 0 hash 2 > preprocessor stream4: disable_evasion_alerts, memcap 134217728, > max_ooo_pkts 10, max_ooo_bytes 200, max_seq_holes 100, stream4inline, > disable_norm_wscale,enforce_state,timeout 3600 > preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base > 4096, flush_behavior random > preprocessor clamav: ports all !22 !443, toclientonly, dbdir > /usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp > preprocessor sfportscan: proto { all } \ > memcap { 10000000 } \ > sense_level { low } > output alert_fast: snort_inline-fast > include classification.config > include reference.config > include enabled.rules > > > and here is the output from starting snort_inline: > > snort_inline -Q -H 1 -c snort_inline.conf > Reading 
from iptables > Running in IDS mode > Initializing Inline mode > > --== Initializing Snort ==-- > Initializing Output Plugins! > Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0 > Var 'lo_ADDRESS' defined, value len = 19 chars, value = > 127.0.0.0/255.0.0.0 > Initializing Preprocessors! > Initializing Plug-ins! > Parsing Rules file snort_inline.conf > > +++++++++++++++++++++++++++++++++++++++++++++++++++ > Initializing rule chains... > Var 'HOME_NET' defined, value len = 3 chars, value = any > Var 'HONEYNET' defined, value len = 3 chars, value = any > Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any > Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any > Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any > Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any > Var 'SQL_SERVERS' defined, value len = 3 chars, value = any > Var 'DNS_SERVERS' defined, value len = 3 chars, value = any > Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80 > Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80 > Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521 > Var 'AIM_SERVERS' defined, value len = 185 chars > > [ > 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9 > .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] > Var 'RULE_PATH' defined, value len = 5 chars, value = rules > Detection: > Search-Method = AC-Full > ,-----------[Flow Config]---------------------- > | Stats Interval: 0 > | Hash Method: 2 > | Memcap: 10485760 > | Rows : 4099 > | Overhead Bytes: 16400(%0.16) > `---------------------------------------------- > stream4inline mode enabled > Stream4 config: > Stateful inspection: ACTIVE > Session statistics: INACTIVE > Session timeout: 3600 seconds > Session memory cap: 134217728 bytes > Session count max: 8192 sessions > Session cleanup count: 5 > State alerts: INACTIVE > Evasion alerts: INACTIVE 
> Scan alerts: INACTIVE > Log Flushed Streams: INACTIVE > MinTTL: 1 > TTL Limit: 5 > Async Link: 0 > State Protection: 0 > Self preservation threshold: 50 > Self preservation period: 90 > Suspend threshold: 200 > Suspend period: 30 > Enforce TCP State: ACTIVE > Midstream Drop Alerts: INACTIVE > Allow Blocking of TCP Sessions in Inline: ACTIVE > Server Data Inspection Limit: -1 > Inline-mode options: > Inline-mode enabled? (stream4inline): Yes > Scan mode? (scan_stream_only): Both packet and stream > Sliding Windowsize (window_size): 3000 > Memcap reached method (truncate): Prune > Truncate percentage (truncate_percentage): 33 > Store/Load state from/to disk: No > Max out-of-order packets in a stream (max_ooo_pkts): 10 > Max out-of-order bytes in a stream (max_ooo_bytes): 200 > Max sequence holes in a stream (max_seq_holes): 100 > Normalize wscale max (norm_wscale_max): 2 > Perform window scale normaliztion: No > Disable out-of-order packet drop: No > Disable out-of-order packet drop: No > Disable sequence hole packet drop: No > Max sequence holes in a stream (max_seq_holes): 100 > Disable wscale normalization alerts > (disable_norm_wscale_alerts): No > Disable out-of-order alerts (disable_ooo_alerts): No > Drop bad RST packets? (drop_bad_rst): No > Stream4_reassemble config: > Server reassembly: INACTIVE > Client reassembly: ACTIVE > Reassembler alerts: ACTIVE > Zero out flushed packets: INACTIVE > Flush stream on alert: ACTIVE > flush_data_diff_size: 500 > Reassembler Packet Preferance : Favor Old > Packet Sequence Overlap Limit: -1 > Flush behavior: random > Flush base: 4096 > Flush seed: 1176608780 > Flush range: 1213 > Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 > 1521 3306 > Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 > 513 1433 1521 3306 > ClamAV config: > Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ... 
> Virus found action: ALERT > Virus definitions dir: '/usr/share/clamav' > Virus DB reload time: '43200' > Scan only traffic to the client > Directory for tempfiles (file descriptor mode): '/tmp' > Portscan Detection Config: > Detect Protocols: TCP UDP ICMP IP > Detect Scan Type: portscan portsweep decoy_portscan > distributed_portscan > Sensitivity Level: Low > Memcap (in bytes): 10000000 > Number of Nodes: 36900 > > 2742 Snort rules read... > 2742 Option Chains linked into 181 Chain Headers > 0 Dynamic rules > +++++++++++++++++++++++++++++++++++++++++++++++++++ > > Tagged Packet Limit: 256 > InitInline stage 2: InitInlinePostConfig starting... > > > +-----------------------[thresholding-config]---------------------------------- > | memory-cap : 1048576 bytes > > +-----------------------[thresholding-global]---------------------------------- > | none > > +-----------------------[thresholding-local]----------------------------------- > | gen-id=1 sig-id=6364 type=Limit tracking=src > count=1 seconds=300 > | gen-id=1 sig-id=6254 type=Limit tracking=src > count=1 seconds=300 > | gen-id=1 sig-id=6494 type=Limit tracking=src > count=1 seconds=1200 > | gen-id=1 sig-id=2001043 type=Limit tracking=src > count=10 seconds=60 > | gen-id=1 sig-id=2003268 type=Both tracking=src > count=1 seconds=900 > | gen-id=1 sig-id=7570 type=Limit tracking=src > count=1 seconds=300 > > ... 
> | gen-id=1 sig-id=6200 type=Limit tracking=src > count=1 seconds=300 > | gen-id=1 sig-id=6477 type=Limit tracking=src > count=1 seconds=300 > | gen-id=1 sig-id=5802 type=Limit tracking=src > count=1 seconds=300 > | gen-id=1 sig-id=7050 type=Limit tracking=src > count=1 seconds=300 > | gen-id=1 sig-id=6496 type=Limit tracking=src > count=1 seconds=300 > | gen-id=1 sig-id=2002732 type=Threshold tracking=src > count=10 seconds=60 > | gen-id=1 sig-id=5765 type=Limit tracking=src > count=1 seconds=300 > | gen-id=1 sig-id=2003266 type=Both tracking=src > count=1 seconds=900 > > +-----------------------[suppression]------------------------------------------ > | none > - > > ------------------------------------------------------------------------------- > Rule application order: > - > > ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log > Log directory = /var/log/snort > Loading dynamic engine > /usr/local/lib/snort_dynamicengine/libsf_engine.so... done > Loading all dynamic preprocessor libs from > /usr/local/lib/snort_dynamicpreprocessor/... > Loading dynamic preprocessor library > /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... > done > Loading dynamic preprocessor library > /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done > Loading dynamic preprocessor library > /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done > Loading dynamic preprocessor library > /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done > Loading dynamic preprocessor library > /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done > Finished Loading all dynamic preprocessor libs from > /usr/local/lib/snort_dynamicpreprocessor/ > Verifying Preprocessor Configurations! > Warning: flowbits key 'tagged' is set but not ever checked. > Warning: flowbits key 'community_uri.size.1050' is set but not ever > checked. 
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set. > Warning: flowbits key 'trojan' is set but not ever checked. > 80 out of 512 flowbits in use. > Setting the Packet Processor to decode packets from iptables > +--[Pattern Matcher:Aho-Corasick Summary]---------------------- > | Alphabet Size : 256 Chars > | Sizeof State : 2 bytes > | Storage Format : Full > | Num States : 225975 > | Num Transitions : 11746889 > | State Density : 20.3% > | Finite Automatum : DFA > | Memory : 163.07Mbytes > +------------------------------------------------------------- > > --== Initialization Complete ==-- > > ,,_ -*> Snort_Inline! <*- > o" )~ Version 2.6.1.2 (Build 34) inline > '''' By Martin Roesch & The Snort Team: > http://www.snort.org/team.html > Snort_Inline Mod by William Metcalf, Victor Julien, Nick > Rogness, > Dave Remien, Rob McMillen and Jed Haile > (C) Copyright 1998-2006 Sourcefire Inc., et al. > > Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 > <Build 11> > Preprocessor Object: SF_SMTP Version 1.0 <Build 6> > Preprocessor Object: SF_DNS Version 1.0 <Build 1> > Preprocessor Object: SF_DCERPC Version 1.0 <Build 3> > Preprocessor Object: SF_SSH Version 1.0 <Build 1> > Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8> > Not Using PCAP_FRAMES > > > > by the way why is the thresholding activated ? > > > +-----------------------[thresholding-config]---------------------------------- > | memory-cap : 1048576 bytes > > +-----------------------[thresholding-global]---------------------------------- > | none > > +-----------------------[thresholding-local]----------------------------------- > > what is it for and how to deactivate it ? > > i am using snort_inline 2.6.1.2BETA1 > > config flags : > ./configure --enable-nfnetlink > - --with-libipq-includes=/usr/local/include/ --enable-clamav > > > ideas why is stream4 not reasembling packets for clamav ? 
> > > with regards > > Roman Gebov > |
From: Roman G. <sl...@sl...> - 2007-04-14 19:46:00
|
Hello,
I have a feeling that stream reassembly is not working for clamav.

Every time I look at /tmp, where snort_inline puts the file descriptors for the clamav test, they are 1452 bytes big.

If I understand it correctly, clamav should get ueberpackets from stream4 and stream_reassembly, but it seems not to be the case.

Here is my config:

sed -r '/^#|^$/{d}' snort_inline.conf
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var DNS_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
config checksum_mode: all
var RULE_PATH rules
config detection: search-method ac
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, memcap 134217728, max_ooo_pkts 10, max_ooo_bytes 200, max_seq_holes 100, stream4inline, disable_norm_wscale,enforce_state,timeout 3600
preprocessor stream4_reassemble: clientonly,flush_on_alert, flush_base 4096, flush_behavior random
preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, descriptor-temp-dir /tmp
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
output alert_fast: snort_inline-fast
include classification.config
include reference.config
include enabled.rules

And here is the output from starting snort_inline:

snort_inline -Q -H 1 -c snort_inline.conf
Reading from iptables
Running in IDS mode
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'HONEYNET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 5 chars, value = rules
Detection:
Search-Method = AC-Full
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 3600 seconds
Session memory cap: 134217728 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: ACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
Inline-mode options:
Inline-mode enabled? (stream4inline): Yes
Scan mode? (scan_stream_only): Both packet and stream
Sliding Windowsize (window_size): 3000
Memcap reached method (truncate): Prune
Truncate percentage (truncate_percentage): 33
Store/Load state from/to disk: No
Max out-of-order packets in a stream (max_ooo_pkts): 10
Max out-of-order bytes in a stream (max_ooo_bytes): 200
Max sequence holes in a stream (max_seq_holes): 100
Normalize wscale max (norm_wscale_max): 2
Perform window scale normaliztion: No
Disable out-of-order packet drop: No
Disable out-of-order packet drop: No
Disable sequence hole packet drop: No
Max sequence holes in a stream (max_seq_holes): 100
Disable wscale normalization alerts (disable_norm_wscale_alerts): No
Disable out-of-order alerts (disable_ooo_alerts): No
Drop bad RST packets? (drop_bad_rst): No
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: ACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: random
Flush base: 4096
Flush seed: 1176608780
Flush range: 1213
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
ClamAV config:
Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
Virus found action: ALERT
Virus definitions dir: '/usr/share/clamav'
Virus DB reload time: '43200'
Scan only traffic to the client
Directory for tempfiles (file descriptor mode): '/tmp'
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900

2742 Snort rules read...
2742 Option Chains linked into 181 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256
InitInline stage 2: InitInlinePostConfig starting...

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=6364 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6254 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6494 type=Limit tracking=src count=1 seconds=1200
| gen-id=1 sig-id=2001043 type=Limit tracking=src count=10 seconds=60
| gen-id=1 sig-id=2003268 type=Both tracking=src count=1 seconds=900
| gen-id=1 sig-id=7570 type=Limit tracking=src count=1 seconds=300
...
| gen-id=1 sig-id=6200 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6477 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=5802 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=7050 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6496 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=2002732 type=Threshold tracking=src count=10 seconds=60
| gen-id=1 sig-id=5765 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=2003266 type=Both tracking=src count=1 seconds=900
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order:
->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Verifying Preprocessor Configurations!
Warning: flowbits key 'tagged' is set but not ever checked.
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'trojan' is set but not ever checked.
80 out of 512 flowbits in use.
Setting the Packet Processor to decode packets from iptables
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size : 256 Chars
| Sizeof State : 2 bytes
| Storage Format : Full
| Num States : 225975
| Num Transitions : 11746889
| State Density : 20.3%
| Finite Automatum : DFA
| Memory : 163.07Mbytes
+-------------------------------------------------------------

--== Initialization Complete ==--

   ,,_     -*> Snort_Inline! <*-
  o"  )~   Version 2.6.1.2 (Build 34) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
           Dave Remien, Rob McMillen and Jed Haile
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
Preprocessor Object: SF_DNS Version 1.0 <Build 1>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
Not Using PCAP_FRAMES

By the way, why is the thresholding activated?

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------

What is it for and how do I deactivate it?

I am using snort_inline 2.6.1.2BETA1

config flags:
./configure --enable-nfnetlink --with-libipq-includes=/usr/local/include/ --enable-clamav

Ideas why stream4 is not reassembling packets for clamav?
With regards,
Roman Gebov
|
From: Roman G. <sl...@sl...> - 2007-04-14 14:42:32
|
Victor Julien wrote:
> Will Metcalf wrote:
>> Looks like PE analysis code in clamav is causing it to blow up,
>> we can add some code to deal with this return value but I want to
>> dig into it a bit more before we decide to do so.
>>
> If you look at the negative returncodes from clamav.h you can see
> we can't kill snort for (all of) them (as we assumed before):
>
> #define CL_EIO -12 /* general I/O error */
> #define CL_EFORMAT -13 /* bad format or broken file */
>
> My suggestion is to not use FatalError but create an alert for
> this, something like "Virusscan Failed" and add an option to the
> configuration to enable the admin to either pass or drop failed
> scans. While we are at it we should do the same for the positive
> returncodes. What do you think?
>
> Cheers, Victor
>

I think it is a great idea!! Look, when I have an IDS in inline mode and it crashes because of this thing... it is something which should never happen! Please let admins choose.

Thank you all,
roman glebov
|
From: Victor J. <li...@in...> - 2007-04-14 11:04:26
|
Victor Julien wrote:
> Will Metcalf wrote:
>
>> Looks like PE analysis code in clamav is causing it to blow up, we can
>> add some code to deal with this return value but I want to dig into it
>> a bit more before we decide to do so.
>>
>>
> If you look at the negative returncodes from clamav.h you can see we
> can't kill snort for (all of) them (as we assumed before):
>
> #define CL_EIO -12 /* general I/O error */
> #define CL_EFORMAT -13 /* bad format or broken file */
>
> My suggestion is to not use FatalError but create an alert for this,
> something like "Virusscan Failed" and add an option to the configuration
> to enable the admin to either pass or drop failed scans. While we are at
> it we should do the same for the positive returncodes. What do you think?
>
Okay, I've cooked up the attached patch to address the issue. The patch is against the SVN trunk. Comments are welcome!

Cheers,
Victor |
From: Victor J. <li...@in...> - 2007-04-13 23:37:48
|
Will Metcalf wrote:
> Looks like PE analysis code in clamav is causing it to blow up, we can
> add some code to deal with this return value but I want to dig into it
> a bit more before we decide to do so.
>
If you look at the negative returncodes from clamav.h you can see we can't kill snort for (all of) them (as we assumed before):

#define CL_EIO -12 /* general I/O error */
#define CL_EFORMAT -13 /* bad format or broken file */

My suggestion is to not use FatalError but create an alert for this, something like "Virusscan Failed" and add an option to the configuration to enable the admin to either pass or drop failed scans. While we are at it we should do the same for the positive returncodes. What do you think?

Cheers,
Victor |
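The handling Victor proposes above, as an added illustration that is neither snort_inline's code nor the patch discussed in the thread: the CL_EIO and CL_EFORMAT values are the ones quoted from clamav.h, while CL_CLEAN, CL_VIRUS and the two policy knobs drop_on_failure and drop_on_virus are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Return-code values quoted from clamav.h in the thread. */
#define CL_EIO     -12  /* general I/O error */
#define CL_EFORMAT -13  /* bad format or broken file */
/* libclamav's non-error results (assumed values for this example). */
#define CL_CLEAN   0
#define CL_VIRUS   1

typedef enum { VERDICT_PASS = 0, VERDICT_DROP = 1 } verdict_t;

/* Alert text for a scan result, or NULL when nothing should be logged.
 * Any negative code (CL_EIO, CL_EFORMAT, ...) means the scan did not
 * complete: report that as an alert instead of aborting the sensor. */
const char *clamav_alert_text(int cl_ret)
{
    if (cl_ret == CL_CLEAN) return NULL;
    if (cl_ret == CL_VIRUS) return "Virus Found";
    return "Virusscan Failed";
}

/* Pass/drop decision driven by two hypothetical config knobs (not real
 * snort_inline options): drop_on_failure for failed scans, drop_on_virus
 * for positive results. Never calls FatalError()/exit(). */
verdict_t clamav_decide(int cl_ret, int drop_on_failure, int drop_on_virus)
{
    if (cl_ret == CL_CLEAN) return VERDICT_PASS;
    if (cl_ret == CL_VIRUS) return drop_on_virus ? VERDICT_DROP : VERDICT_PASS;
    return drop_on_failure ? VERDICT_DROP : VERDICT_PASS;   /* scan failed */
}

int main(void)
{
    /* Constructed walk-through of the codes from the thread under a
     * "pass failed scans, drop viruses" policy. */
    int codes[] = { CL_CLEAN, CL_VIRUS, CL_EIO, CL_EFORMAT };
    for (int i = 0; i < 4; i++) {
        const char *msg = clamav_alert_text(codes[i]);
        printf("ret=%4d alert=%-16s verdict=%s\n", codes[i],
               msg ? msg : "(none)",
               clamav_decide(codes[i], 0, 1) == VERDICT_DROP ? "drop" : "pass");
    }
    return 0;
}
```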
From: Will M. <wil...@gm...> - 2007-04-13 23:29:07
|
Looks like PE analysis code in clamav is causing it to blow up, we can add some code to deal with this return value but I want to dig into it a bit more before we decide to do so.

Regards,
Will

clamscan /tmp/snort_inline-clamav-UlHUSu
/tmp/snort_inline-clamav-UlHUSu: Input/Output error

----------- SCAN SUMMARY -----------
Known viruses: 108346
Engine version: 0.90.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 14.471 sec (0 m 14 s)

clamscan --no-pe /tmp/snort_inline-clamav-UlHUSu
/tmp/snort_inline-clamav-UlHUSu: OK

----------- SCAN SUMMARY -----------
Known viruses: 108346
Engine version: 0.90.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 14.276 sec (0 m 14 s)

Regards,
Will |
From: Roman G. <sl...@sl...> - 2007-04-13 21:13:44
|
Roman Glebov wrote:
> Here is the file which crashes clamav when you download it other
> ftp:
>
> http://sleon.dyndns.org/~sleon/b54d95391450d7d4a9a955c20eef36bf.EXE
>
> try it :)))) i am using clamav clamscan --version ClamAV
> 0.88.5/2035/Sun Oct 15 22:42:30 2006
>
> Roman Glebov wrote:
>> I am testing clamav-snort_inline now.
>>
>> I have here 3000 viruses which i download with ftp. On some virus
>> it chokes and brings input-output error (output by snort log).
>> This causes the whole snort_inline to crash!
>>
>> Any ideas how to prevent whole snort_inline from crashing when
>> clamav gets problems ?
>>
>> With regards
>>
>> Roman Glebov
>
Ok now i upgraded to latest clamav.

ClamAV 0.90.2/2035/Sun Oct 15 22:42:30 2006

clamscan gives following output

clamscan 01296e4293cabec32e1f516185b15235.EXE
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
01296e4293cabec32e1f516185b15235.EXE: OK

----------- SCAN SUMMARY -----------
Known viruses: 73019
Engine version: 0.90.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.30 MB
Time: 2.070 sec (0 m 2 s)

but snort_inline becomes :

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
Preprocessor Object: SF_DNS Version 1.0 <Build 1>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
Not Using PCAP_FRAMES
04/13-23:05:33.027756 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:49702 -> 192.168.2.50:54457
04/13-23:05:33.028802 [**] [132:1:1] (spp_clamav) Virus Found: ClamAV-Test-File [**] {TCP} 192.168.2.3:49702 -> 192.168.2.50:54457
04/13-23:05:37.524721 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:47192 -> 192.168.2.50:34144
04/13-23:05:37.525568 [**] [132:1:1] (spp_clamav) Virus Found: ClamAV-Test-File [**] {TCP} 192.168.2.3:47192 -> 192.168.2.50:34144
04/13-23:05:39.936354 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:7868 -> 192.168.2.50:41734
ERROR: ClamAV scan error: Input/Output error.
Fatal Error, Quitting..

when it gets this file. the link to file is at :

http://sleon.dyndns.org/~sleon/01296e4293cabec32e1f516185b15235.EXE

try it out. i attach my snort_inline config :)

by the way with these settings i get 190mb/s! on the dualcore p4 server

Roman |
From: Roman G. <sl...@sl...> - 2007-04-13 19:59:46
|
Here is the file which crashes clamav when you download it other ftp:

http://sleon.dyndns.org/~sleon/b54d95391450d7d4a9a955c20eef36bf.EXE

try it :))))

i am using clamav

clamscan --version
ClamAV 0.88.5/2035/Sun Oct 15 22:42:30 2006

Roman Glebov wrote:
> I am testing clamav-snort_inline now.
>
> I have here 3000 viruses which i download with ftp. On some virus
> it chokes and brings input-output error (output by snort log).
> This causes the whole snort_inline to crash!
>
> Any ideas how to prevent whole snort_inline from crashing when
> clamav gets problems ?
>
> With regards
>
> Roman Glebov |
From: Roman G. <sl...@sl...> - 2007-04-13 19:31:36
|
I am testing clamav-snort_inline now.

I have here 3000 viruses which i download with ftp. On some virus it chokes and brings input-output error (output by snort log). This causes the whole snort_inline to crash!

Any ideas how to prevent whole snort_inline from crashing when clamav gets problems ?

With regards

Roman Glebov |