[Snort-users] Blocking virus with snort inline 2.6.1.5

Joel Esler joel.esler at ...1935...
Mon Sep 24 12:28:25 EDT 2007


Having never worked with the Clamav preprocessor... Can you do that?
ports all !22 !443?

Joel

On Sep 24, 2007, at 12:17 PM, carlopmart wrote:

> carlopmart wrote:
>> With these rules it is the same result, nothing is blocked:
>> iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
>> Will Metcalf wrote:
>>> What about your RELATED,ESTABLISHED traffic, doesn't that need to be
>>> sent to the QUEUE as well?
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On 9/22/07, carlopmart <carlopmart at ...11827...> wrote:
>>>> Hi all,
>>>>
>>>>   After setting up and solving my problems (thanks to all) with snort
>>>> inline version 2.6.1.5, I will try to do some tests for blocking viruses
>>>> across the http service.
>>>>
>>>>   I put this line on snort.conf:
>>>>
>>>>   preprocessor clamav: ports all !22 !443, toclientonly, action-drop, dbdir /var/clamav, dbreload-time 43200
>>>>
>>>>   before preprocessor http_inspect. My iptables rule to pass control to
>>>> snort inline is:
>>>>
>>>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>>>>
>>>>   I have tried to block the eicar virus
>>>> (http://www.eicar.org/download/eicar.com) without luck.
>>>>
>>>>   What am I doing wrong???
>>>>
>>>>   Many thanks.
>>>>
>>>> -- 
>>>> CL Martinez
>>>> carlopmart {at} gmail {d0t} com
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>
>
> Please, any hints about this?
>
> P.S.: I have attached my snort.conf
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
> # example Snort_inline configuration file
> # Last modified 26 October, 2005
> #
> # Standard Snort configuration file modified for inline
> # use.  Most preprocessors currently do not work in inline
> # mode, as such they are not included.
> #
>
> ### Network variables
> var HOME_NET 172.25.50.0/24
> var EXTERNAL_NET !$HOME_NET
> var SMTP_SERVERS 172.25.50.15
> #var TELNET_SERVERS
> var HTTP_SERVERS 172.25.50.13
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS 172.25.50.1
>
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var SSH_PORTS 22
>
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> ### As of snort_inline 2.2.0 we drop
> ### packets with bad checksums. We can
> config checksum_mode: all
>
> # Path to your rules files (this can be a relative path)
> var RULE_PATH /etc/snort_inline
>
> # Various config options
> #config layer2resets
>
>
> ###################################################
> # Step #2: Configure dynamic loaded libraries
>
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
>
> ###################################################
> # Step #3: Configure preprocessors
>
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
> 			truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
> preprocessor stream4_reassemble: both, favor_new
> preprocessor stickydrop: max_entries 3000, log
> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
> preprocessor stickydrop-ignorehosts: 172.25.50.0/24
> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
> preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
> 		cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
> 		alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
> preprocessor dns: ports { 53 } enable_rdata_overflow
> preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000
>
>
> ####################################################################
> # Step #4: Configure output plugins
>
> #output alert_unified: filename snort.alert, limit 128
> #output log_unified: filename snort.log, limit 128
> output alert_full: snort_inline-full
> output alert_fast: snort_inline-fast
>
> # Include classification & priority settings
> include $RULE_PATH/classification.config
> include $RULE_PATH/reference.config
>
>
> ####################################################################
> # Step #6: Customize your rule set
>
> #include $RULE_PATH/bleeding-malware.rules
> #include $RULE_PATH/community-bot.rules
> #include $RULE_PATH/community-web-client.rules
> #include $RULE_PATH/exploit.rules
> #include $RULE_PATH/spyware-put.rules
> #include $RULE_PATH/web-client.rules
> include $RULE_PATH/bleeding-virus.rules
> include $RULE_PATH/community-virus.rules
> include $RULE_PATH/bleeding-malware.rules
> #include $RULE_PATH/specific-threats.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/virus.rules



--
joel esler
http://demo.sourcefire.com/jesler.pgp.key
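Will's point about RELATED,ESTABLISHED traffic can be checked mechanically. The script below is an added example, not code from this thread or from Snort: it parses iptables rules (the two variants quoted above are embedded as constructed sample input) and reports which conntrack states a chain never hands to QUEUE. Since the HTTP response body that the clamav preprocessor inspects in toclientonly mode always arrives as ESTABLISHED packets, a NEW-only rule means snort_inline never sees the file at all.

```python
import shlex

# Conntrack states iptables' state match knows about (INVALID is never
# useful to queue, so the gap report ignores it).
STATES = {"NEW", "RELATED", "ESTABLISHED", "INVALID"}

# Constructed sample input: the rule from the first post and the revised pair.
ORIGINAL_RULES = [
    "iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE",
]
REVISED_RULES = [
    "iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE",
    "iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE",
]


def parse_rule(line):
    """Return (chain, target, states) for one `iptables -A ...` command line."""
    argv = shlex.split(line)
    chain = target = None
    states = set(STATES)  # no --state match at all means every state matches
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-A":
            chain = argv[i + 1]
            i += 2
        elif tok == "-j":
            target = argv[i + 1]
            i += 2
        elif tok == "--state":
            states = {s.strip().upper() for s in argv[i + 1].split(",")}
            i += 2
        else:
            i += 1  # other matches (-i, -p, -m ...) do not affect the state set
    return chain, target, states


def queued_states(rules):
    """Map each chain to the union of conntrack states it sends to QUEUE."""
    queued = {}
    for line in rules:
        chain, target, states = parse_rule(line)
        if chain and target == "QUEUE":
            queued.setdefault(chain, set()).update(states)
    return queued


def missing_states(rules, chain="FORWARD"):
    """States on `chain` that never reach snort_inline; ESTABLISHED is the one
    that matters, because the server's response carrying the file is never NEW."""
    return (STATES - {"INVALID"}) - queued_states(rules).get(chain, set())
```

With the original rule the report lists RELATED and ESTABLISHED as never queued; with the revised pair it is empty for both chains, which is why the remaining problem must lie elsewhere.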


