[Snort-users] Blocking virus with snort inline 2.6.1.5

carlopmart carlopmart at ...11827...
Sun Sep 23 04:04:39 EDT 2007


With these rules the result is the same, nothing is blocked:

iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE

Will Metcalf wrote:
> What about your RELATED,ESTABLISHED traffic, doesn't that need to be
> sent to the QUEUE as well?
> 
> Regards,
> 
> Will
> 
> On 9/22/07, carlopmart <carlopmart at ...11827...> wrote:
>> Hi all,
>>
>>   After setting up and solving my problems (thanks to all) with snort
>> inline version 2.6.1.5, I will try to do some tests to block viruses
>> across the http service.
>>
>>   I put this line on snort.conf:
>>
>>   preprocessor clamav: ports all !22 !443, toclientonly, action-drop,
>> dbdir /var/clamav, dbreload-time 43200
>>
>>   before preprocessor http_inspect. My iptables rule to pass control to
>> snort inline is:
>>
>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>>
>>   I have tried to block the eicar virus
>> (http://www.eicar.org/download/eicar.com) without luck.
>>
>>   What am I doing wrong???
>>
>>   Many thanks.
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>>
>>
> 


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
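An added check, not from the thread, for the point Will raises: a small POSIX shell script that parses an iptables-save dump and reports whether the FORWARD chain's QUEUE rule covers ESTABLISHED traffic, so that server-to-client HTTP responses (what the clamav preprocessor inspects with toclientonly) actually reach snort_inline. Both dumps below are constructed to mirror the NEW-only rule and the corrected rule; the function names are assumptions.

```shell
#!/bin/sh
# Audit an iptables-save dump: does the chain's QUEUE rule also queue
# RELATED,ESTABLISHED packets, or only NEW ones? With NEW only, the
# server's reply packets never hit snort_inline, so nothing is dropped.

# Constructed excerpt mirroring the original NEW-only rule.
SAMPLE_NEW_ONLY='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -m state --state NEW -j QUEUE
COMMIT'

# Constructed excerpt mirroring the corrected rule.
SAMPLE_ALL_STATES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
COMMIT'

# queue_states CHAIN DUMP: print the --state list of the first QUEUE rule
# in CHAIN, "ALL" if that rule has no state match, nothing if no QUEUE rule.
queue_states() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /-j QUEUE/ {
            for (i = 1; i <= NF; i++) if ($i == "--state") { print $(i+1); exit }
            print "ALL"; exit
        }'
}

# queues_established CHAIN DUMP: succeed only if reply traffic is queued.
queues_established() {
    states=$(queue_states "$1" "$2")
    case ",$states," in
        *,ALL,*|*,ESTABLISHED,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: report on both constructed dumps.
for dump in "$SAMPLE_NEW_ONLY" "$SAMPLE_ALL_STATES"; do
    if queues_established FORWARD "$dump"; then
        echo "FORWARD queues ESTABLISHED traffic: OK"
    else
        echo "FORWARD queues NEW only: server replies bypass snort_inline"
    fi
done
```

Run it against a live box with `iptables-save | ...` by replacing the constructed dumps with the real output.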