[Snort-users] Blocking virus with snort inline 2.6.1.5

carlopmart carlopmart at ...11827...
Mon Sep 24 12:17:38 EDT 2007


carlopmart wrote:
> With these rules the result is the same: nothing is blocked:
> 
> iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED 
> -j QUEUE
> iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED 
> -j QUEUE
> 
> Will Metcalf wrote:
>> What about your RELATED,ESTABLISHED traffic, doesn't that need to be
>> sent to the QUEUE as well?
>>
>> Regards,
>>
>> Will
>>
>> On 9/22/07, carlopmart <carlopmart at ...11827...> wrote:
>>> Hi all,
>>>
>>>   After setting up and solving my problems (thanks to all) with snort
>>> inline version 2.6.1.5, I will try to do some tests to block viruses
>>> across the http service.
>>>
>>>   I put this line on snort.conf:
>>>
>>>   preprocessor clamav: ports all !22 !443, toclientonly, action-drop,
>>> dbdir /var/clamav, dbreload-time 43200
>>>
>>>   before preprocessor http_inspect. My iptables rule to pass control to
>>> snort inline is:
>>>
>>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>>>
>>>   I have tried to block the eicar virus
>>> (http://www.eicar.org/download/eicar.com) without luck.
>>>
>>>   What am I doing wrong???
>>>
>>>   Many thanks.
>>>
>>> -- 
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>>>
>>>
>>
> 
> 

Please, any hints about this??

P.S.: I have attached my snort.conf
-- 
CL Martinez
carlopmart {at} gmail {d0t} com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort_inline.conf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070924/c4aa2753/attachment.ksh>
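The point Will raises (whether RELATED,ESTABLISHED traffic reaches the QUEUE) can be checked without a lab by modelling the two rule sets from this thread. The script below is an added example and is not code from the thread or from the Snort project; the packet flow is constructed, and it assumes a chain policy of ACCEPT and the usual conntrack behaviour in which only the first packet of a connection is NEW and everything after it, including the HTTP response body that the clamav preprocessor (toclientonly) would scan, is ESTABLISHED.

```python
"""Added example (not code from the thread): a small model of the netfilter
rules quoted above, to show which packets of an HTTP download actually reach
the QUEUE target, and therefore snort_inline and its clamav preprocessor."""
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    chain: str       # netfilter chain the packet traverses: INPUT or FORWARD
    in_iface: str    # interface the packet was received on
    proto: str       # tcp, udp, ...
    state: str       # conntrack state: NEW, ESTABLISHED or RELATED
    direction: str   # to_server or to_client (used only for the report)
    length: int      # payload bytes (constructed values)


def parse_rule(line):
    """Parse the iptables subset used on the page:
    -A <chain> -i <iface> -p <proto> -m state --state A,B -j <target>.
    Any other option raises, so nothing is silently ignored."""
    toks = shlex.split(line)
    if not toks or toks[0] != "iptables":
        raise ValueError("expected a line starting with 'iptables'")
    rule = {"chain": None, "iface": None, "proto": None,
            "states": None, "target": None}
    i = 1
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-i":
            rule["iface"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "-m":
            if arg != "state":
                raise ValueError(f"unsupported match module {arg}")
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError("rule needs both -A and -j")
    return rule


def matches(rule, pkt):
    """Does this rule match the packet? '-p 0' is iptables' spelling of 'all'."""
    if rule["chain"] != pkt.chain:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt.in_iface:
        return False
    if rule["proto"] not in (None, "0", "all", pkt.proto):
        return False
    if rule["states"] is not None and pkt.state not in rule["states"]:
        return False
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def summarize(rules, packets):
    """Count what reaches QUEUE (and so Snort) versus what slips past it."""
    out = {"queued_packets": 0, "queued_bytes": 0, "bypassed_packets": 0,
           "bypassed_bytes": 0, "to_client_bytes_queued": 0}
    for pkt in packets:
        if verdict(rules, pkt) == "QUEUE":
            out["queued_packets"] += 1
            out["queued_bytes"] += pkt.length
            if pkt.direction == "to_client":
                out["to_client_bytes_queued"] += pkt.length
        else:
            out["bypassed_packets"] += 1
            out["bypassed_bytes"] += pkt.length
    return out


# The two rule sets from the thread: the first post, then the follow-up.
RULES_NEW_ONLY = [parse_rule(
    "iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE")]
RULES_ALL_STATES = [
    parse_rule("iptables -A INPUT -i br0 -p 0 -m state "
               "--state NEW,RELATED,ESTABLISHED -j QUEUE"),
    parse_rule("iptables -A FORWARD -i br0 -p 0 -m state "
               "--state NEW,RELATED,ESTABLISHED -j QUEUE"),
]

# Constructed flow: a client behind the bridge downloads a file over HTTP.
# Only the SYN is NEW to conntrack; every later packet, including the whole
# response body, is ESTABLISHED.
FLOW = [
    Packet("FORWARD", "br0", "tcp", "NEW", "to_server", 0),            # SYN
    Packet("FORWARD", "br0", "tcp", "ESTABLISHED", "to_client", 0),    # SYN/ACK
    Packet("FORWARD", "br0", "tcp", "ESTABLISHED", "to_server", 0),    # ACK
    Packet("FORWARD", "br0", "tcp", "ESTABLISHED", "to_server", 180),  # GET
    Packet("FORWARD", "br0", "tcp", "ESTABLISHED", "to_client", 1460), # body
    Packet("FORWARD", "br0", "tcp", "ESTABLISHED", "to_client", 900),  # body
]

if __name__ == "__main__":
    for name, rules in (("NEW only", RULES_NEW_ONLY),
                        ("NEW,RELATED,ESTABLISHED", RULES_ALL_STATES)):
        print(name, summarize(rules, FLOW))
```

With the first rule set only the SYN is queued and every byte of the response body bypasses Snort, so the clamav preprocessor never sees the file; with the second set the whole flow is queued. The model stops at the QUEUE decision and says nothing about Snort's own verdict on those packets, and it assumes bridged frames traverse iptables at all, which on Linux depends on the bridge-netfilter hooks being active (see /proc/sys/net/bridge/bridge-nf-call-iptables).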

