From: Holger M. <gan...@mo...> - 2005-09-07 10:26:16
Hi,

As I told you, I'm working on my thesis at the FH Cologne. And you know students have to know how it works and they have to show that it works. My professor wants to see that.

I got Snort-inline with ClamAV and a MySQL database on an iptables firewall (the database is in the internal net). It seems that all looks well. I tested the Snort/firewall with Nessus and I think it's good. Snort-inline fished out over 450 packets. I can see that with BASE. And Nessus shows that only SSH is critical.

Are there more possibilities to get test results that I can show my professor? Especially I want to test the ClamAV preprocessor. Will wrote that eicar changed their site. How can I test if ClamAV works?

Thank you
Best regards
Holger
From: Victor J. <vi...@nk...> - 2005-09-07 10:31:16
> Will wrote that eicar changed their site. How can I test if ClamAV works?

I think the easiest way would be to put a virus on an ftp-server and then try to download it through the snort_inline firewall.

Good luck,
Victor
From: Holger M. <gan...@mo...> - 2005-09-07 20:13:49
Hmm? And where can I get a virus for testing?

Or is there a known webpage with a virus?
From: Cole <co...@op...> - 2005-09-07 20:38:51
Hi.

This website has a collection of virii: http://vx.netlux.org/
The problem is that clamav does not pick up a large amount of virii on the actual page, but it does pick up quite a lot. So try it out with that.

/Cole
From: Holger M. <gan...@mo...> - 2005-09-26 20:38:08
Hi,

I tested in the meantime a lot of virii from that page. But none was alerted by ClamAV and Snort-inline.

Could it be that ClamAV isn't correctly installed? I got a Debian Sarge and installed it with apt-get install clamav, but there is only the virus dataset and the freshclam daemon. Could it be that I need the daemon clamd?

How could I find out if clamav is correctly installed for the use of Snort-inline?

Many greetings
Holger
From: Will M. <wil...@gm...> - 2005-09-27 19:56:52
Did you actually download, unzip and try to move the extracted viri through the inline box? Remember, we can't deal with zipped files and all files on this site are zipped. We cannot unzip because we are only scanning fragments of files.

Regards,

Will
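The two limitations Will names (the preprocessor only sees one packet's payload at a time, and a zipped file does not carry the plaintext signature on the wire) can be shown with a small simulation. This is an added example, not code from the thread or from snort_inline/ClamAV; the marker string, the file bytes and the segment size are constructed stand-ins for a real signature and a real TCP stream.

```python
import zlib

# Constructed stand-in for an AV signature (no real ClamAV database involved).
SIGNATURE = b"EXAMPLE-MALWARE-MARKER-0001"


def segment(payload, mss):
    """Split a stream payload into TCP-segment-sized pieces of at most `mss`
    bytes; each piece is all a per-packet scanner gets to look at."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def scan_per_packet(segments, signature):
    """Per-packet scanning: the signature must fit entirely inside one segment.
    Returns the index of the first matching segment, or None."""
    for idx, seg in enumerate(segments):
        if signature in seg:
            return idx
    return None


def scan_reassembled(segments, signature):
    """Stream-reassembled scanning: join the segments before matching."""
    return signature in b"".join(segments)


def build_file(prefix_len, suffix_len=200):
    """Constructed file: filler, signature, filler. prefix_len decides where
    the signature lands relative to the segment boundaries."""
    return b"A" * prefix_len + SIGNATURE + b"B" * suffix_len


def demo(mss=100):
    results = {}
    # Case 1: signature entirely inside segment 0 (bytes 10..37 of the file).
    inside = segment(build_file(10), mss)
    results["inside_one_segment"] = scan_per_packet(inside, SIGNATURE)
    # Case 2: signature straddles the boundary at byte 100 (bytes 90..117):
    # neither segment contains it whole, so per-packet scanning misses it.
    straddle = segment(build_file(90), mss)
    results["straddling_per_packet"] = scan_per_packet(straddle, SIGNATURE)
    results["straddling_reassembled"] = scan_reassembled(straddle, SIGNATURE)
    # Case 3: the same file compressed (deflate, as inside a zip): the plaintext
    # marker is not on the wire at all, so even full reassembly finds nothing.
    zipped = segment(zlib.compress(build_file(10), 9), mss)
    results["zipped_reassembled"] = scan_reassembled(zipped, SIGNATURE)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```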
From: Holger M. <gan...@mo...> - 2005-10-19 14:47:05
Hi,

sorry for my late answer, but I was also busy with that SIP/RTP stuff.

I built an island solution, so that nothing could happen with that viri. :(

| Client |-----------| FW with snort_inline and clamav |--------| ftp-server |

On the server I unzipped the viri and tried to fetch them via FTP to the client. But nothing happened on ClamAV. I got the viri on the client. No logs in the MySQL database from snort-inline.

I checked if the viri are in the clamav database. They are.

Then I fetched the Exploid.HTML.Mht to the firewall and tested with clamscan if clamav is able to detect it. It is! But in the teamwork with snort-inline nothing happens.

Here are my FTP iptables rules:

$IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
$IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE
....
$IPTABLES -t mangle -A FORWARD -i $INTERN_ETH -o $EXTERN_ETH -p tcp --dport 20:21 -m state --state NEW -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -i $EXTERN_ETH -o $INTERN_ETH -p tcp --sport 20:21 -m state --state ESTABLISHED -j MARK --set-mark 2

I can see on the firewall that the packets are inspected by snort-inline, but nothing happens.

Any ideas where the mistake is?

Thank you.
Best regards
Holger