Hello,
Here is my snort_inline configuration:
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: all
var RULE_PATH rules
config layer2resets
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, \
    enforce_state, memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, \
    dbreload-time 43200
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
.
.
.
Here are the iptables rules:
iptables -A INPUT -j QUEUE
iptables -A OUTPUT -j QUEUE
and here is how I start snort_inline:
# snort_inline -D -c /etc/snort/snort_inline.conf -d -Q -i eth0
But unfortunately I can still download eicar.com.
On Mon, 7 Mar 2005 13:48:36 -0600, William Metcalf
<Wil...@kc...> wrote:
>
>
> You have to initialize clamav before http_inspect in your snort_inline.conf.
> Also, are you set up so that your return traffic is going to the QUEUE target?
>
> so something like
>
> iptables -A FORWARD -p tcp --sport 80 -j QUEUE
> iptables -A FORWARD -p tcp --dport 80 -j QUEUE
>
> or
>
> iptables -A INPUT -p tcp --sport 80 -j QUEUE
> iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
>
> or you can make use of the RELATED,ESTABLISHED keywords.
>
> Regards,
>
> Will
>
> Mohamed Berzig <mb...@gm...>
> Sent by: sno...@li...
> 03/07/2005 01:17 PM
> Please respond to Mohamed Berzig <mb...@gm...>
>
> To: sno...@li...
> cc:
> Subject: [Snort-inline-users] still clamAV
>
> I have compiled snort_inline with clamav support and I have configured
> snort_inline.conf as indicated in the comments, but when I try to
> download eicar.com, snort_inline detects no virus. I do not know whether
> I have forgotten something, but I have redone the tests several times.
> Greetings.
>
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
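The two things the reply asks about can both be checked mechanically before restarting the sensor. Below is an added example, written for this thread and not part of snort_inline or anything posted above: a small Python linter that joins backslash-continued lines the way the config parser does, verifies that the clamav preprocessor is declared before http_inspect (the ordering point made in the reply), and additionally checks that every port listed in http_inspect_server is actually covered by the clamav "ports" option. The sample configs are constructed from the poster's config (GOOD_CONF) and a deliberately wrong variant (BAD_CONF); the reading of "ports all !22 !443" as "everything except 22 and 443" is an assumption about the clamav preprocessor's option syntax.

```python
import re

# Constructed sample: the poster's preprocessor block, continuation lines joined.
GOOD_CONF = """\
var HTTP_PORTS 80
preprocessor stream4: disable_evasion_alerts, stream4inline, \\
    enforce_state, memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both
preprocessor clamav: ports all !22 !443, action-drop, dbdir \\
    /usr/share/clamav, dbreload-time 43200
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 8180 } oversize_dir_length 500
"""

# Constructed counter-example: clamav declared last and scanning only mail ports.
BAD_CONF = """\
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 8180 }
preprocessor clamav: ports 25 110, action-drop, dbdir /usr/share/clamav
"""


def logical_lines(text):
    """Join backslash-continued lines, drop blanks and '#' comments,
    and return the remaining logical lines in file order."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            joined.append(re.sub(r"\s+", " ", stripped))
        buf = ""
    if buf.strip():
        joined.append(re.sub(r"\s+", " ", buf.strip()))
    return joined


def preprocessors(text):
    """Return [(name, argument string)] for every preprocessor directive."""
    out = []
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)", line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def clamav_ports(args):
    """Parse the clamav 'ports ...' option (assumed syntax: 'all', plain
    port numbers, and '!port' exclusions) into (include_all, included, excluded)."""
    m = re.search(r"ports\s+([^,]+)", args)
    if not m:
        return False, set(), set()
    include_all, inc, exc = False, set(), set()
    for tok in m.group(1).split():
        if tok == "all":
            include_all = True
        elif tok.startswith("!"):
            exc.add(int(tok[1:]))
        else:
            inc.add(int(tok))
    return include_all, inc, exc


def http_ports(pps):
    """Collect every port named in http_inspect_server 'ports { ... }' blocks."""
    ports = set()
    for name, args in pps:
        if name == "http_inspect_server":
            for m in re.finditer(r"ports\s*\{([^}]*)\}", args):
                ports.update(int(p) for p in m.group(1).split())
    return ports


def check_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    pps = preprocessors(text)
    names = [n for n, _ in pps]
    if "clamav" not in names:
        return ["clamav preprocessor is not configured"]
    findings = []
    if "http_inspect" in names and names.index("clamav") > names.index("http_inspect"):
        findings.append("clamav must be declared before http_inspect")
    include_all, inc, exc = clamav_ports(dict(pps)["clamav"])
    for port in sorted(http_ports(pps)):
        if not ((include_all or port in inc) and port not in exc):
            findings.append(f"http_inspect_server port {port} is not scanned by clamav")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_conf(conf) or ["ok"])
```

Run it against /etc/snort/snort_inline.conf by reading the file into check_conf(); a clean result only says the preprocessor order and port coverage are consistent, it says nothing about whether return traffic reaches the QUEUE target, which still has to be verified on the iptables side.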