[Snort-users] snort 2.4.3 Clamav problems

Lezgin Bakircioglu lerra82 at ...11827...
Thu May 11 01:31:04 EDT 2006


Hi, I have a huge problem that I have struggled with for 4 days now and I am 
going crazy. The problem is that it only finds the virus that I am trying to 
download from port 21 and not 80 and 139. It worked 1-2 weeks ago for all 
ports but now I have no idea what I did wrong; the output of snort says 
that it's listening on all ports both for stream4 and clamav but it does 
not trigger.


I have a snort 2.4.3 with the spade and Clamav patches applied; this is how I 
installed it:
tar zxfv snort-2.4.3.tar.gz
cd snort-2.4.3
patch -p1 < ../../spade-2.4.3.diff
patch -p1 <../../snort-2.4.3-clamonly.diff
autoconf -f
./configure --enable-clamav
sh autojunk.sh
make
Failed compilation, adding spp_clamav.$(OBJEXT) to am_libspp_a_OBJECTS 
(line 129)
make
make install

This is my snort.conf:
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS 
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.1$
var RULE_PATH ../rules
config disable_decode_alerts
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both, ports all
preprocessor clamav: ports all, toclientonly, dbdir /var/lib/clamav,
preprocessor http_inspect: global \
     iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
     profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto  { all } \
                          memcap { 10000000 } \
                          sense_level { low }
preprocessor xlink2state: ports { 25 691 }
include classification.config
include reference.config


This is the output of snort -c snort.conf -i eth0 -A console

Running in IDS mode

Initializing Network Interface eth0

         --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
     Max frags: 65536
     Fragment memory cap: 4194304 bytes
Frag3 engine config:
     Target-based policy: FIRST
     Fragment timeout: 60 seconds
     Fragment min_ttl:   1
     Fragment ttl_limit: 5
     Fragment Problems: 1
     Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
     Stateful inspection: ACTIVE
     Session statistics: INACTIVE
     Session timeout: 30 seconds
     Session memory cap: 8388608 bytes
     Session count max: 8192 sessions
     Session cleanup count: 5
     State alerts: INACTIVE
     Evasion alerts: INACTIVE
     Scan alerts: INACTIVE
     Log Flushed Streams: INACTIVE
     MinTTL: 1
     TTL Limit: 5
     Async Link: 0
     State Protection: 0
     Self preservation threshold: 50
     Self preservation period: 90
     Suspend threshold: 200
     Suspend period: 30
     Enforce TCP State: INACTIVE
     Midstream Drop Alerts: INACTIVE
     Server Data Inspection Limit: -1
WARNING snort.conf.ba(19) => flush_behavior set in config file, using 
old static flushpoints (0)
Stream4_reassemble config:
     Server reassembly: ACTIVE
     Client reassembly: ACTIVE
     Reassembler alerts: ACTIVE
     Zero out flushed packets: INACTIVE
     Flush stream on alert: INACTIVE
     flush_data_diff_size: 500
     Reassembler Packet Preferance : Favor Old
     Packet Sequence Overlap Limit: -1
     Flush behavior: Small (<255 bytes)
     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
ClamAV config:
     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
     Virus definitions dir: '/var/lib/clamav'
     Virus DB reload time: '43200'
     Scan only traffic to the client
     File descriptor scanning mode: Enabled, using cl_scandesc
     Directory for tempfiles (file descriptor mode): '/tmp'
LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
HttpInspect Config:
     GLOBAL CONFIG
       Max Pipeline Requests:    0
       Inspection Type:          STATELESS
       Detect Proxy Usage:       NO
       IIS Unicode Map Filename: ./unicode.map
       IIS Unicode Map Codepage: 1252
     DEFAULT SERVER CONFIG:
       Ports: 80 8080 8180
       Flow Depth: 300
       Max Chunk Length: 500000
       Inspect Pipeline Requests: YES
       URI Discovery Strict Mode: NO
       Allow Proxy Usage: NO
       Disable Alerting: NO
       Oversize Dir Length: 500
       Only inspect URI: NO
       Ascii: YES alert: NO
       Double Decoding: YES alert: YES
       %U Encoding: YES alert: YES
       Bare Byte: YES alert: YES
       Base36: OFF
       UTF 8: OFF
       IIS Unicode: YES alert: YES
       Multiple Slash: YES alert: NO
       IIS Backslash: YES alert: NO
       Directory Traversal: YES alert: NO
       Web Root Traversal: YES alert: YES
       Apache WhiteSpace: YES alert: NO
       IIS Delimiter: YES alert: NO
       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
       Non-RFC Compliant Characters: NONE
rpc_decode arguments:
     Ports to decode RPC on: 111 32771
     alert_fragments: INACTIVE
     alert_large_fragments: ACTIVE
     alert_incomplete: ACTIVE
     alert_multiple_requests: ACTIVE
telnet_decode arguments:
     Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
     Detect Protocols:  TCP UDP ICMP IP
     Detect Scan Type:  portscan portsweep decoy_portscan 
distributed_portscan
     Sensitivity Level: Low
     Memcap (in bytes): 10000000
     Number of Nodes:   36900

X-Link2State Config:
     Ports: 25 691
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->drop->alert->pass->log
Log directory = /var/log/snort

         --== Initialization Complete ==--

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.4.3 (Build 26)
    ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/team.html
            (C) Copyright 1998-2005 Sourcefire Inc., et al.
  NOTE: Snort's default output has changed in version 2.4.1!
        The default logging mode is now PCAP, use "-K ascii" to activate
        the old default logging mode.



The machine that I am running on is my gateway that NATs me out; on the 
external network I have an smb/ftp and www service that is sharing a 
known test virus clamav triggers on.
Traceroute to the machine shows me that I am going the right way.
Running kernel is 2.6.16 and the dist is Debian sarge 3.1.
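A small static check for the kind of snort.conf posted above, added here as an example and not code from the post or from the Snort or ClamAV projects. It joins backslash-continued lines the way Snort's config parser does, pulls out the `var` definitions and `preprocessor` directives, and reports two things a reader would want to confirm before chasing traffic: whether the `preprocessor clamav:` option list ends in a trailing comma (the posted line does, which usually means the line was cut off when it was pasted or edited), and whether the ports listed for `stream4_reassemble` and `clamav` cover `HTTP_PORTS`. The sample configuration is constructed from the directives in the post; the port syntaxes it accepts (`all`, a `{ ... }` list, or bare space-separated numbers) are an assumption about what the preprocessors take.

```python
"""Static checks on a snort.conf for the ClamAV preprocessor (added example)."""
import re
import sys
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample built from the directives in the post above.
SAMPLE_CONF = """\
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both, ports all
preprocessor clamav: ports all, toclientonly, dbdir /var/lib/clamav,
preprocessor http_inspect: global \\
     iis_unicode_map unicode.map 1252
preprocessor xlink2state: ports { 25 691 }
"""


def join_continuations(text: str) -> List[str]:
    """Join lines ending in a backslash (as Snort does) and drop blanks and comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
        buf = ""
    if buf.strip():  # a continuation with nothing after it at end of file
        lines.append(buf.strip())
    return lines


def parse_conf(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (variables, [(preprocessor name, argument string), ...])."""
    variables: Dict[str, str] = {}
    preprocessors: List[Tuple[str, str]] = []
    for line in join_continuations(text):
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == "preprocessor":
            name, _, args = line[len("preprocessor"):].strip().partition(":")
            preprocessors.append((name.strip(), args.strip()))
    return variables, preprocessors


def parse_ports(args: str) -> Optional[Set[int]]:
    """None means 'ports all'; otherwise the set of ports listed (assumed syntaxes)."""
    m = re.search(r"\bports\s+(all\b|\{[^}]*\}|[\d ]+)", args)
    if not m:
        return set()
    spec = m.group(1).strip()
    if spec == "all":
        return None
    return {int(p) for p in re.findall(r"\d+", spec)}


def find_problems(text: str) -> List[str]:
    """List configuration problems that would stop ClamAV from seeing HTTP payloads."""
    variables, preprocessors = parse_conf(text)
    by_name = dict(preprocessors)
    if "clamav" not in by_name:
        return ["no 'preprocessor clamav' directive found"]
    problems: List[str] = []
    if by_name["clamav"].endswith(","):
        problems.append("clamav: option list ends with a trailing comma; "
                        "the line is probably truncated")
    http_ports = {int(p) for p in re.findall(r"\d+", variables.get("HTTP_PORTS", "80"))}
    # ClamAV scans reassembled streams, so both directives must cover the ports.
    for name in ("stream4_reassemble", "clamav"):
        if name not in by_name:
            problems.append(f"{name}: directive missing, so TCP payloads are not inspected")
            continue
        ports = parse_ports(by_name[name])
        if ports is None:  # 'ports all'
            continue
        missing = sorted(http_ports - ports)
        if missing:
            problems.append(f"{name}: HTTP_PORTS {missing} not in its ports list")
    return problems


if __name__ == "__main__":
    # Usage: python check_snort_conf.py [snort.conf]; without a path the sample is checked.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for p in find_problems(conf) or ["no problems found"]:
        print(p)
```

On the sample this reports only the trailing comma; narrowing the ClamAV line to `ports 21` additionally reports that port 80 from `HTTP_PORTS` is no longer covered, which is the mismatch to rule out first when the preprocessor fires for FTP but not HTTP.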



