From: Cooper F. N. <cn...@uc...> - 2007-03-02 23:08:08
Hi,

I'm currently evaluating the possibility of using snort-inline as a malware/phishing filter on an existing squid cache. I would appreciate some feedback/suggestions on a few issues.

Performance is critical. Does --enable-nfnetlink help in this regard? Are there any other suggestions to optimize deployment, other than simply enabling only the rules/preprocessors appropriate for web traffic?

As a feature request, would it be possible to add an iptables client re-direct to the clamav preprocessor and rule syntax? I would like to implement something like the SquidClamAV project, where users are presented with a page detailing that the site is blocked and why.

--
Cooper Nelson
Network Security Analyst
UCSD ACS/Network Operations
cn...@uc... x41042
From: Will M. <wil...@gm...> - 2007-03-05 13:26:30
Why would you not use and/or extend HAVP?

http://www.server-side.de/
From: Cooper F. N. <cn...@uc...> - 2007-03-06 21:01:43
I did not know about it! Thanks for the tip, I will look into it.

I've also seen the squidclamav product, http://www.samse.fr/GPL/ , which I was not able to get to work.

I was able to get the snort-inline based solution working pretty easily and blocking on virus, phishing and web client exploits; however the bad packet is just dropped. No way currently to alert the user of malicious content.

My problem with both of these projects is that they are basically AV based, where I want AV + web client exploits. Maybe the right thing to do is write a parser that can read snort rules and generate clamav sigs from them.

I guess I could also create a daemon to read the snort logs or database and create iptables-based rules on that.

-Cooper
From: Will M. <wil...@gm...> - 2007-03-06 22:25:05
Why not just run your traffic through squid and snort_inline?
From: Cooper F. N. <cn...@uc...> - 2007-03-07 00:36:10
I have done this and it works great, in that malicious content does not make it into the squid cache. It's pretty fast and uses both clamav and snort sigs, so I'm covered for virus, malware, phishing and web client exploits. Once content is validated it sits in the squid cache for fast retrieval.

The only problem is that the page just hangs in the browser until it times out. I've been trying to figure out a way to hijack the session and redirect it to a page that would alert the reader to the malicious content and block the offending site for some period of time.

My initial opinion was that the bait'n'switch code could be turned on its ear and proxy the source of the attack, rather than the destination. However, in retrospect this seems clunky and would not work with the clamav preprocessor (I don't think).

My current thinking is either to punt the whole thing and just use HAVP, or set up a named pipe to write snort alerts to and create some sort of daemon to create iptables rules based on alerts piped to it.

-Cooper
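The "daemon that reads snort alerts and writes iptables rules" idea from the message above, sketched as an added example (not snort-inline's, HAVP's or squid's own code, and not something the thread's participants posted). It assumes alerts arrive one per line in snort's alert_fast format (for instance through a named pipe), that the server which served the malicious content is the packet source in the alert, that a local HTTP listener on an assumed port 8081 serves the "site blocked because ..." page, and a fixed block duration. The sample alert lines are constructed, with SIDs in the local range. Commands are returned as argv lists so the logic runs offline; only main() executes them.

```python
#!/usr/bin/env python3
"""Turn snort alert_fast lines into iptables commands that block the
offending site for a while and redirect the client's next request to a
local block page.  Illustration for the thread, not snort-inline's own code.
Assumptions: alert_fast input, one alert per line; malicious server is the
packet *source*; a local listener on BLOCK_PAGE_PORT serves the explanation
page (not shown); BLOCK_SECONDS is an arbitrary choice."""
import re
import shlex
import subprocess
import sys
import time

BLOCK_PAGE_PORT = 8081   # assumed local port of the "site blocked because ..." page
BLOCK_SECONDS = 3600     # assumed block duration per offending site

# alert_fast layout:
# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r'^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$')


def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ('gid', 'sid', 'rev', 'prio', 'sport', 'dport'):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


class BlockList:
    """Blocked server IPs with expiry; emits iptables argv lists."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry is testable offline
        self.blocked = {}     # ip -> timestamp at which the block lapses

    @staticmethod
    def _rules(ip, action):
        # Two rules per site: the nat REDIRECT catches the client's next
        # port-80 request to the site and hands it to the local block page;
        # the FORWARD DROP stops anything else reaching the site.
        return [
            ['iptables', '-t', 'nat', action, 'PREROUTING', '-d', ip, '-p', 'tcp',
             '--dport', '80', '-j', 'REDIRECT', '--to-ports', str(BLOCK_PAGE_PORT)],
            ['iptables', action, 'FORWARD', '-d', ip, '-j', 'DROP'],
        ]

    def handle(self, alert):
        """Block the alert's source; return commands (none if already blocked)."""
        ip = alert['src']
        fresh = ip not in self.blocked or self.blocked[ip] <= self.now()
        self.blocked[ip] = self.now() + BLOCK_SECONDS   # (re)start the timer
        return self._rules(ip, '-I') if fresh else []

    def expire(self):
        """Delete rules for sites whose block has lapsed; return those commands."""
        cmds = []
        for ip, until in list(self.blocked.items()):
            if until <= self.now():
                del self.blocked[ip]
                cmds += self._rules(ip, '-D')
        return cmds


def process(lines, blocklist):
    """Feed alert lines through a BlockList; return (parsed alerts, commands)."""
    alerts, cmds = [], []
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            alerts.append(a)
            cmds += blocklist.handle(a)
    return alerts, cmds


# Constructed sample: two alerts from one site (local SID range) plus noise.
SAMPLE_ALERTS = """\
03/06-21:01:43.123456  [**] [1:1000001:1] LOCAL web client exploit (constructed) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:80 -> 192.0.2.25:43210
03/06-21:01:44.000001  [**] [1:1000002:1] LOCAL phishing page (constructed) [**] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.25:43211
this line is not an alert and is ignored
"""


def main(argv):
    """daemon.py /path/to/fifo  (no argument: dry run over SAMPLE_ALERTS)."""
    bl = BlockList()
    dry_run = len(argv) < 2
    lines = SAMPLE_ALERTS.splitlines() if dry_run else open(argv[1])
    for line in lines:
        alert = parse_alert(line)
        # expire() runs before handle() so a lapsed site is deleted before
        # it is re-inserted, avoiding duplicate rules in the chain.
        for cmd in bl.expire() + (bl.handle(alert) if alert else []):
            print(' '.join(shlex.quote(c) for c in cmd))
            if not dry_run:
                subprocess.run(cmd, check=False)


if __name__ == '__main__':
    main(sys.argv)
```

Run without arguments to see the two rules the first alert produces; the second alert from the same site adds nothing because the block is already in place. In a real deployment the daemon would need root for iptables, the block page listener would have to exist, and the expiry sweep would also need to run on a timer rather than only when a new alert arrives.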
From: Will M. <wil...@gm...> - 2007-03-07 01:30:20
As long as you are forcing HAVP to be your upstream proxy you should get back a "page has been blocked because of virus xyz" message...

Make sure you have ALL of the lines listed on the FAQ page:

    acl all src 0.0.0.0/0.0.0.0
    cache_peer 127.0.0.1 parent 8000 0 no-query no-digest no-netdb-exchange default
    cache_peer_access 127.0.0.1 allow all
    acl Scan_HTTP proto HTTP
    never_direct allow Scan_HTTP

Regards,
Will