From: Markus K. <mko...@gm...> - 2004-09-12 04:06:09

Hi,

I'm running snort-inline 2.20rc1 on a Debian unstable box; the box is up to date.

I installed clamav from apt:

dpkg -l | grep clam
ii clamav 0.75.1-4 Antivirus scanner for Unix
ii clamav-base 0.75.1-4 Base package for clamav, an anti-virus utili
ii clamav-freshcl 0.75.1-4 Downloads clamav virus databases from the In
ii libclamav1 0.75.1-4 Virus scanner library
ii libclamav1-dev 0.75.1-4 Clam Antivirus library development files

and ran

./configure --prefix=/opt/snort-inline/ --with-libipq-includes=/usr/include/libipq --enable-linux-smp-stats --enable-flexresp --enable-inline --enable-clamav

Everything went fine.

I set up the config, etc. etc. etc., and wanted to use clamav:

preprocessor stream4_reassemble: both, ports default
preprocessor clamav: ports all, action-reset

I mark packets via

iptables -t mangle -A OUTPUT -p tcp --syn -m state --state NEW --dport 80 -j MARK --set-mark 1
iptables -t mangle -A INPUT -p tcp -m state --state ESTABLISHED --sport 80 -j MARK --set-mark 2

iptables -A OUTPUT -m mark --mark 1 -j QUEUE
iptables -A INPUT -m mark --mark 2 -j QUEUE

Now I download a malicious file I scratched from my mother's hard disk:

clamscan bad.exe
bad.exe: Exploit.DCOM.Gen FOUND

----------- SCAN SUMMARY -----------
Known viruses: 23865
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.31 MB
I/O buffer size: 131072 bytes
Time: 0.943 sec (0 m 0 s)

I download it via HTTP and expect something to happen. Nothing happens; the file just gets downloaded.

I tried wget and Mozilla.

I start snort-inline:

./snort_inline -Qvdc ../etc/snort-inline/snort_inline.conf

I can see

....
ClamAV config:
Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
Virus found action: RESET
Virus definitions dir: '/var/lib/clamav/'
....

and I can see the stream, and the file is in the stream:

...........
00 00 00 00 00 00 00 00 4E 42 31 30 00 00 00 00 ........NB10....
9C 0C A0 40 36 00 00 00 43 3A 5C 44 6F 63 75 6D ...@6...C:\Docum
65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 ents and Setting
73 5C 41 6C 6A 61 9E 5C 44 65 73 6B 74 6F 70 5C s\Alja.\Desktop\
50 72 65 6E 6F 73 69 5C 4D 65 54 61 4C 2D 53 63 Prenosi\MeTaL-Sc
52 69 50 74 5C 72 78 62 30 37 37 53 61 73 73 5C RiPt\rxb077Sass\
72 78 42 6F 74 20 76 30 2E 37 2E 37 20 53 61 73 rxBot v0.7.7 Sas
73 5C 44 65 62 75 67 5C 72 42 6F 74 2E 70 64 62 s\Debug\rBot.pdb
00
.............

I tried some other malicious files; nothing ever happened ...
To check my config I enabled the chat rules, joined an IRC network, and this event got logged.

I'm really helpless; it would be great if someone could give me a hint.

Markus
From: Will M. <wil...@gm...> - 2004-09-12 04:27:35

Just to test, try to download the EICAR test file from eicar.com:

http://www.eicar.org/download/eicar.com

Let me know what the results are. Sorry if it takes me a little while to get back to you all this weekend. I'm swamped with work stuff.

Regards,

Will

On Sun, 12 Sep 2004 06:06:06 +0200, Markus Koetter <mko...@gm...> wrote:
> [...]
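One way to run the EICAR check Will suggests, as an added example that is not part of this thread, of snort-inline or of ClamAV. It fetches the test file and classifies the outcome: the full 68-byte file arriving means the clamav preprocessor never acted on the stream (what Markus reports), while a connection reset mid-transfer is what "action-reset" should produce. The outcome labels and the loopback "--local" mode are assumptions made for this example; loopback traffic on a random port does not match the --dport 80 QUEUE rules from the first post, so that mode only exercises the harness itself, not snort-inline.

```python
#!/usr/bin/env python3
"""Added EICAR test harness (not snort-inline or ClamAV code).

Fetches the EICAR test file and reports whether the transfer completed
(the clamav preprocessor did not act on the stream) or was cut off in a
way consistent with 'action-reset'. The outcome labels and the
local-server mode are assumptions made for this example.
"""
import http.client
import http.server
import sys
import threading
import urllib.request

# The 68-byte EICAR test string that every AV engine, ClamAV included, flags.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_URL = "http://www.eicar.org/download/eicar.com"  # URL from Will's reply


def classify_transfer(body, error=None):
    """Map a fetch outcome to what it says about the inline scanner.

    body  -- bytes received (complete or partial), or None if nothing came back
    error -- exception raised by the fetch, or None
    Returns one of: "reset", "delivered", "truncated", "unexpected", "error".
    """
    if error is not None:
        # urllib wraps socket-level failures in URLError; the cause is in .reason
        cause = getattr(error, "reason", error)
        if isinstance(cause, ConnectionResetError):
            return "reset"        # RST seen mid-transfer: consistent with action-reset
        return "error"            # timeout (packet dropped?), DNS failure, refused, ...
    if body == EICAR:
        return "delivered"        # full file arrived: the scanner did not fire
    if body and EICAR.startswith(body):
        return "truncated"        # connection closed early without an RST reaching us
    return "unexpected"           # some other content (error page, proxy notice, ...)


def fetch(url, timeout=10):
    """Fetch url; return (body, error) instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(), None
    except http.client.IncompleteRead as exc:
        return exc.partial, None  # server side closed early; judge by the bytes we got
    except Exception as exc:      # URLError, ConnectionResetError, socket.timeout
        return None, exc


class _EicarHandler(http.server.BaseHTTPRequestHandler):
    """Minimal server handing out EICAR, so the harness can be exercised offline."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(EICAR)))
        self.end_headers()
        self.wfile.write(EICAR)

    def log_message(self, *args):  # keep the console quiet
        pass


def serve_eicar_locally():
    """Start a throwaway HTTP server on 127.0.0.1; return (server, url).

    Loopback traffic on a random port does not match the --dport 80 QUEUE
    rules from the thread, so this only checks the harness, not snort-inline.
    """
    srv = http.server.HTTPServer(("127.0.0.1", 0), _EicarHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/eicar.com" % srv.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--local":
        server, url = serve_eicar_locally()
    else:
        server, url = None, (sys.argv[1] if len(sys.argv) > 1 else EICAR_URL)
    received, err = fetch(url)
    print("%s -> %s" % (url, classify_transfer(received, err)))
    if server:
        server.shutdown()
```

Run it on the inline box with no arguments (or with the URL of any port-80 server reachable through the queued path). "delivered" reproduces Markus's symptom; "reset" is the expected result once the preprocessor fires; a plain "error" on a timeout usually means the data packet was dropped rather than reset, which is worth distinguishing before changing the config.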
From: Victor J. <vi...@nk...> - 2004-09-12 14:06:35

You can also try to put the clamav preprocessor directly after the stream4_reassemble preproc in your config. Detecting viruses didn't work for me if I didn't...

Hope this helps,

Victor

On Sunday 12 September 2004 06:27, Will Metcalf wrote:
> [...]