From: davide b. <dav...@gm...> - 2005-10-10 18:59:27
I've tried http://eicar.org/anti_virus_test_file.htm and these 3 files from ftp://ftp.digitalfuture.it/ . Tnx

2005/10/10, William Metcalf <Wil...@kc...>:
>
> What virii are you downloading?
> -----------------
> Sent from my BlackBerry Handheld.
> ------------------------------
>
> ----- Original Message -----
> * From: *snort-inline-users-admin
> * Sent: *10/10/2005 12:04 PM
> * To: *sno...@li...
> * Subject: *[Snort-inline-users] clamav preprocessor don't work
>
> Hi, I have installed clamav (it works), and snort (the 2.3.3 version) from
> http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/?root=Snort-Clamav,
> enabling inline to use iptables, and it works. And I've enabled clamav.
> But when I try to download an infected file I can do it, and clamav
> doesn't drop the packet and doesn't reset the connection. Does someone
> have an idea? In snort.conf I wrote:
> ....
> preprocessor stream4_reassemble
>
> preprocessor clamav: ports all, action-drop
> ....
> but clamav doesn't work!
>
> But it's strange that there isn't the option "inline_state" for stream4,
> too!
>
> Please help me!
>
> --
> China

--
China
From: Victor J. <vi...@nk...> - 2005-10-12 21:27:06
davide belloni wrote:
> Can I ask the reason for this line:
>
> File descriptor scanning mode: Disabled, using cl_scanbuf
> Directory for tempfiles (file descriptor mode): ''
>
> ????
>

Originally we used the cl_scanbuf function from clamav to scan the packet payload. This function however is going to be removed from a future clamav release, so we were forced to look into alternatives. The file descriptor mode is what came out of this. Basically it stores every payload on disk (can be a ramdisk for performance) and then scans the file. You can give the directory where the files are saved as an option to the clamav preprocessor. The file desc mode should be able to detect more viruses because of the way it works internally in clamav.

Example:
preprocessor clamav: ports all !22 !443, action-drop, dbreload-time 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline

Regards,
Victor
From: davide b. <dav...@gm...> - 2005-10-14 14:49:30
I've tried to install snort 2.4.2: I patched it and it returned the error "Hunk #1 succeeded at 859 with fuzz 2". After a search on the net I tried to delete some line of prelude in configure.in. I've tried it, but it returns the error "Hunk #1 succeeded at 84 with fuzz 2. (offset -15)". I don't find anything on the net about this.... so I patched configure.in and configure by hand. Then I tried to configure snort with --enable-clamav & --enable-inline and all is ok..... but when I try make... I've got an error:

"In function `InitPreprocessors':
/home/china/Desktop/Clamav+snort/snort-2.4.2/src/plugbase.c:426: undefined reference to `SetupClamAV'"

Can someone help me!?!?!?!?

2005/10/12, Victor Julien <vi...@nk...>:
>
> davide belloni wrote:
> > Can I ask the reason for this line:
> >
> > File descriptor scanning mode: Disabled, using cl_scanbuf
> > Directory for tempfiles (file descriptor mode): ''
> >
> > ????
> >
>
> Originally we used the cl_scanbuf function from clamav to scan the
> packet payload. This function however is going to be removed from a
> future clamav release, so we were forced to look into alternatives. The
> file descriptor mode is what came out of this. Basically it stores every
> payload on disk (can be a ramdisk for performance) and then scans the
> file. You can give the directory where the files are saved as an option
> to the clamav preprocessor. The file desc mode should be able to detect
> more viruses because of the way it works internally in clamav.
>
> Example:
> preprocessor clamav: ports all !22 !443, action-drop, dbreload-time
> 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline
>
> Regards,
> Victor
>

--
China
From: Will M. <wil...@gm...> - 2005-10-15 15:17:59
autoreconf -f

On 10/14/05, davide belloni <dav...@gm...> wrote:
> I've tried to install snort 2.4.2: I patched it and it returned the error "Hunk #1
> succeeded at 859 with fuzz 2". After a search on the net I tried to delete
> some line of prelude in configure.in. I've tried it, but it returns the error "
> Hunk #1 succeeded at 84 with fuzz 2. (offset -15)". I don't find anything on
> the net about this.... so I patched configure.in and configure by hand.
> Then I tried to configure snort with --enable-clamav & --enable-inline and all is
> ok..... but when I try make... I've got an error:
>
> "In function `InitPreprocessors':
> /home/china/Desktop/Clamav+snort/snort-2.4.2/src/plugbase.c:426:
> undefined reference to `SetupClamAV'"
>
> Can someone help me!?!?!?!?
>
> 2005/10/12, Victor Julien <vi...@nk...>:
> > davide belloni wrote:
> > > Can I ask the reason for this line:
> > >
> > > File descriptor scanning mode: Disabled, using cl_scanbuf
> > > Directory for tempfiles (file descriptor mode): ''
> > >
> > > ????
> > >
> >
> > Originally we used the cl_scanbuf function from clamav to scan the
> > packet payload. This function however is going to be removed from a
> > future clamav release, so we were forced to look into alternatives. The
> > file descriptor mode is what came out of this. Basically it stores every
> > payload on disk (can be a ramdisk for performance) and then scans the
> > file. You can give the directory where the files are saved as an option
> > to the clamav preprocessor. The file desc mode should be able to detect
> > more viruses because of the way it works internally in clamav.
> >
> > Example:
> > preprocessor clamav: ports all !22 !443, action-drop, dbreload-time
> > 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline
> >
> > Regards,
> > Victor
> >
>
> --
> China
>
From: davide b. <dav...@gm...> - 2005-10-19 07:09:44
OK, I found what the problem was, and it's better that you don't know it!! :D Tnx for all!

2005/10/15, Will Metcalf <wil...@gm...>:
>
> autoreconf -f
>
> On 10/14/05, davide belloni <dav...@gm...> wrote:
> > I've tried to install snort 2.4.2: I patched it and it returned the error "Hunk #1
> > succeeded at 859 with fuzz 2". After a search on the net I tried to delete
> > some line of prelude in configure.in. I've tried it, but it returns the error "
> > Hunk #1 succeeded at 84 with fuzz 2. (offset -15)". I don't find anything on
> > the net about this.... so I patched configure.in and configure by hand.
> > Then I tried to configure snort with --enable-clamav & --enable-inline and all is
> > ok..... but when I try make... I've got an error:
> >
> > "In function `InitPreprocessors':
> > /home/china/Desktop/Clamav+snort/snort-2.4.2/src/plugbase.c:426:
> > undefined reference to `SetupClamAV'"
> >
> > Can someone help me!?!?!?!?
> >
> > 2005/10/12, Victor Julien <vi...@nk...>:
> > > davide belloni wrote:
> > > > Can I ask the reason for this line:
> > > >
> > > > File descriptor scanning mode: Disabled, using cl_scanbuf
> > > > Directory for tempfiles (file descriptor mode): ''
> > > >
> > > > ????
> > > >
> > >
> > > Originally we used the cl_scanbuf function from clamav to scan the
> > > packet payload. This function however is going to be removed from a
> > > future clamav release, so we were forced to look into alternatives. The
> > > file descriptor mode is what came out of this. Basically it stores every
> > > payload on disk (can be a ramdisk for performance) and then scans the
> > > file. You can give the directory where the files are saved as an option
> > > to the clamav preprocessor. The file desc mode should be able to detect
> > > more viruses because of the way it works internally in clamav.
> > >
> > > Example:
> > > preprocessor clamav: ports all !22 !443, action-drop, dbreload-time
> > > 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline
> > >
> > > Regards,
> > > Victor
> > >
> >
> > --
> > China
> >

--
China
From: davide b. <dav...@gm...> - 2005-10-23 17:30:50
Hi, now my snort-inline + clamav catches the virus.... but the virus present in ftp://ftp.digitalfuture.it, 06.exe, isn't caught.... would it be because it's 224 KB and stream4 doesn't reassemble all of it? Who works on stream4? Moreover, to catch this virus my clamav needs the whole file, because it isn't caught by signature but with the algorithmic engine, and clamav must have the file as if it were on the filesystem. Can someone help me??
From: davide b. <dav...@gm...> - 2005-10-24 15:48:28
Hi, I've tried another virus of 200 KB and it isn't detected by snort-clamav.... instead with only clamav, yes..... why? I use clamav after stream4.

2005/10/23, davide belloni <dav...@gm...>:
>
> Hi, now my snort-inline + clamav catches the virus.... but the virus present
> in ftp://ftp.digitalfuture.it, 06.exe, isn't caught.... would it be because
> it's 224 KB and stream4 doesn't reassemble all of it? Who works on stream4? Moreover,
> to catch this virus my clamav needs the whole file, because it isn't caught
> by signature but with the algorithmic engine, and clamav must have the file
> as if it were on the filesystem.
> Can someone help me??
>

--
China
From: davide b. <dav...@gm...> - 2005-10-25 14:36:41
Ok, I've found the problem: the maximum packet that arrives to me is 65 KB out of 220 KB; can someone tell me if it is normal that stream4 doesn't reassemble the whole stream? I'm doing a university thesis. Tnx

2005/10/24, davide belloni <dav...@gm...>:
>
> Hi, I've tried another virus of 200 KB and it isn't detected by
> snort-clamav.... instead with only clamav, yes..... why? I use clamav after
> stream4.
>
> 2005/10/23, davide belloni <dav...@gm...>:
> >
> > Hi, now my snort-inline + clamav catches the virus.... but the virus
> > present in ftp://ftp.digitalfuture.it, 06.exe, isn't caught.... would
> > it be because it's 224 KB and stream4 doesn't reassemble all of it? Who works on stream4?
> > Moreover, to catch this virus my clamav needs the whole file, because it
> > isn't caught by signature but with the algorithmic engine, and clamav must have
> > the file as if it were on the filesystem.
> > Can someone help me??
> >
> >
> > --
> > China

--
China
From: Victor J. <vi...@nk...> - 2005-10-25 17:12:13
> Ok, I've found the problem: the maximum packet that arrives to me is 65 KB
> out of 220 KB; can someone tell me if it is normal that stream4 doesn't reassemble
> the whole stream? I'm doing a university thesis. Tnx
>

Yes, it is limited by MAX_STREAM_SIZE and that is defined as 65535 IIRC.

Regards,
Victor
From: davide b. <dav...@gm...> - 2005-10-26 08:04:23
ok, tnx Victor & Will!
The virus isn't seen by clamav because I'm doing the module that detects this virus.
So, if I work with snort inline the reassembler doesn't work for the problems written here:
http://sourceforge.net/mailarchive/forum.php?thread_id=7914106&forum_id=32933
Also, if I work with simple snort, stream4 reassembles only max 65 KB for the reason that you have given me, right?
Can I change the constant MAX_STREAM_SIZE? Or is it a limit and PCAP fails?

2005/10/25, Victor Julien <vi...@nk...>:
>
> > Ok, I've found the problem: the maximum packet that arrives to me is 65 KB
> > out of 220 KB; can someone tell me if it is normal that stream4 doesn't reassemble
> > the whole stream? I'm doing a university thesis. Tnx
> >
>
> Yes, it is limited by MAX_STREAM_SIZE and that is defined as 65535 IIRC.
>
> Regards,
> Victor
>

--
China
From: Will M. <wil...@gm...> - 2005-10-26 12:48:19
The stream4 reassembler basically builds what pcap thinks is a valid IPV4 packet. The maximum amount of data allowed in a valid IPV4 packet is 65535 bytes. Actually it is 65515 for the payload and 20 for the header.

Regards,
Will

On 10/26/05, davide belloni <dav...@gm...> wrote:
> ok, tnx Victor & Will!
> The virus isn't seen by clamav because I'm doing the module that detects this
> virus.
> So, if I work with snort inline the reassembler doesn't work for the problems
> written here:
> http://sourceforge.net/mailarchive/forum.php?thread_id=7914106&forum_id=32933
> Also, if I work with simple snort, stream4 reassembles only max 65 KB for
> the reason that you have given me, right?
> Can I change the constant MAX_STREAM_SIZE? Or is it a limit and PCAP fails?
>
> 2005/10/25, Victor Julien <vi...@nk...>:
> > > Ok, I've found the problem: the maximum packet that arrives to me is 65 KB
> > > out of 220 KB; can someone tell me if it is normal that stream4 doesn't reassemble
> > > the whole stream? I'm doing a university thesis. Tnx
> > >
> >
> > Yes, it is limited by MAX_STREAM_SIZE and that is defined as 65535 IIRC.
> >
> > Regards,
> > Victor
> >
>
> --
> China
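An added illustration of the limit Will describes (this is not code from snort-inline or ClamAV): a model reassembler that flushes a pseudo packet every MAX_STREAM_SIZE - 20 bytes is run over a constructed 224 KB buffer, showing that a marker lying inside one chunk is still found, while a marker straddling a flush boundary and any check that needs the whole file (the algorithmic-engine case Davide describes) are missed until the data is scanned as one file. The marker strings, the buffer size and the whole-file hash check are constructed assumptions for the demonstration.

```python
import hashlib

# Constants as stated in the thread: stream4 caps a reassembled pseudo packet at
# MAX_STREAM_SIZE (65535, the 16-bit IPv4 total length), 20 bytes of which is header.
MAX_STREAM_SIZE = 65535
IPV4_HEADER_LEN = 20
MAX_PAYLOAD = MAX_STREAM_SIZE - IPV4_HEADER_LEN   # 65515 bytes of payload per flush

# Constructed markers standing in for byte signatures (not real ClamAV signatures).
MARKER_INSIDE = b"CONSTRUCTED-MARKER-INSIDE-CHUNK"    # placed entirely in chunk 0
MARKER_STRADDLE = b"CONSTRUCTED-MARKER-ON-BOUNDARY"   # split by the first flush

def build_sample(size=224 * 1024):
    """Constructed 224 KB buffer, the size of the download discussed in the thread."""
    data = bytearray(size)
    data[100:100 + len(MARKER_INSIDE)] = MARKER_INSIDE
    start = MAX_PAYLOAD - len(MARKER_STRADDLE) // 2    # crosses byte offset 65515
    data[start:start + len(MARKER_STRADDLE)] = MARKER_STRADDLE
    return bytes(data)

def reassemble(stream, cap=MAX_PAYLOAD):
    """Model of stream4: hand the scanner one pseudo packet every `cap` bytes."""
    return [stream[i:i + cap] for i in range(0, len(stream), cap)]

def whole_file_check(buf, expected_sha256):
    """Stand-in for a detection that only works on the complete file; a hash of
    the whole file plays the role of the thread's 'algorithmic engine' here."""
    return hashlib.sha256(buf).hexdigest() == expected_sha256

def inline_verdict(stream):
    """Compare what a per-chunk (inline) scan sees with a scan of the file on disk."""
    chunks = reassemble(stream)
    full_hash = hashlib.sha256(stream).hexdigest()
    return {
        "chunks": len(chunks),
        "largest_chunk": max(len(c) for c in chunks),
        "inline_marker_hit": any(MARKER_INSIDE in c for c in chunks),
        "straddle_marker_hit": any(MARKER_STRADDLE in c for c in chunks),
        "whole_file_hit_inline": any(whole_file_check(c, full_hash) for c in chunks),
        "whole_file_hit_on_disk": whole_file_check(stream, full_hash),
    }

if __name__ == "__main__":
    for key, value in inline_verdict(build_sample()).items():
        print(f"{key}: {value}")
```

The file-descriptor mode Victor describes earlier in the thread addresses the on-disk side of this comparison, but only for the bytes stream4 actually delivers, so the 65535-byte cap still bounds what can be scanned inline.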
From: davide b. <dav...@gm...> - 2005-11-18 18:13:42
I've a new problem with snort inline + clamav... now when it catches a virus the file isn't downloaded, but the browser crashes... does someone know why? Tnx

--
China
From: Will M. <wil...@gm...> - 2005-11-18 18:41:03
crappy browser code ;-)

Regards,
Will

On 11/18/05, davide belloni <dav...@gm...> wrote:
> I've a new problem with snort inline + clamav... now when it catches a virus the
> file isn't downloaded, but the browser crashes... does someone know why? Tnx
> --
>
> China