Small problem: I can always download viruses via HTTP, whereas I have configured the "preprocessor clamav" well. Does somebody have an idea on my problem?
Here is my configuration of snort_inline:
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: none
var RULE_PATH rules
config layer2resets
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
.
.
.
Here is my configuration of iptables:
iptables -A INPUT -p tcp --sport 80 -j QUEUE
iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
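An added checker, not part of the post above, that parses the clamav preprocessor line and the iptables rules quoted there and reports whether port-80 traffic is both queued to snort_inline and covered by clamav with a drop action. It assumes the clamav `ports` option means "all ports minus the `!` exclusions"; the config excerpt is constructed from the post.

```python
import re
# Constructed excerpt of the snort_inline and iptables configuration from the post.
SNORT_CONF = """\
var HTTP_PORTS 80
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200
"""
IPTABLES_RULES = """\
iptables -A INPUT -p tcp --sport 80 -j QUEUE
iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
"""

def parse_preprocessors(text):
    """Return {name: [option, ...]} for each 'preprocessor name: opts' line."""
    pre = {}
    for line in text.splitlines():
        m = re.match(r"\s*preprocessor\s+([\w-]+)\s*:\s*(.*)", line)
        if m:
            pre[m.group(1)] = [o.strip() for o in m.group(2).split(",") if o.strip()]
    return pre

def clamav_scans_port(opts, port):
    """True if the clamav 'ports' option covers `port` (assumed: 'all' minus '!' exclusions)."""
    for o in opts:
        if o.startswith("ports "):
            toks = o.split()[1:]
            excluded = {int(t[1:]) for t in toks if t.startswith("!")}
            return port not in excluded and ("all" in toks or str(port) in toks)
    return False

def queued_chains(rules, port):
    """Chains whose rules hand TCP `port` traffic to the QUEUE target (snort_inline)."""
    chains = set()
    for line in rules.splitlines():
        m = re.match(r"iptables -A (\w+) .*--[sd]port (\d+) .*-j QUEUE", line)
        if m and int(m.group(2)) == port:
            chains.add(m.group(1))
    return chains

def check_config(snort_conf, iptables_rules, port=80):
    """Summarise whether HTTP on `port` is queued to snort_inline and scanned by clamav."""
    clam = parse_preprocessors(snort_conf).get("clamav", [])
    chains = queued_chains(iptables_rules, port)
    return {
        "clamav_scans_http": clamav_scans_port(clam, port),
        "clamav_drops": "action-drop" in clam,
        "queued_chains": chains,
        # INPUT/OUTPUT only see this host's own traffic; routed or bridged traffic is queued from FORWARD.
        "forward_queued": "FORWARD" in chains,
    }
```

With the quoted rules the clamav side checks out and only INPUT/OUTPUT queue port 80, so the report tells you which chains to confirm against where the downloading client actually sits.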