[Snort-users] Blocking virus with snort inline 2.6.1.5

Will Metcalf william.metcalf at ...11827...
Mon Sep 24 13:56:08 EDT 2007


should be fine.....  Are you by chance going through a proxy server?

Regards,

Will

On 9/24/07, Joel Esler <joel.esler at ...1935...> wrote:
>  Having never worked with the Clamav preprocessor... Can you do that:
> ports all !22 !443?
>
> Joel
>
>
> On Sep 24, 2007, at 12:17 PM, carlopmart wrote:
>
> carlopmart wrote:
> With these rules the result is the same, nothing is blocked:
> iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
> iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
> Will Metcalf wrote:
> What about your RELATED,ESTABLISHED traffic, doesn't that need to be
> sent to the QUEUE as well?
>
> Regards,
>
> Will
>
> On 9/22/07, carlopmart <carlopmart at ...11827...> wrote:
> Hi all,
>
>   After setting up and solving my problems (thanks to all) with snort
> inline version 2.6.1.5, I will try to do some tests to block viruses
> on the http service.
>
>   I put this line on snort.conf:
>
>   preprocessor clamav: ports all !22 !443, toclientonly, action-drop,
> dbdir /var/clamav, dbreload-time 43200
>
>   before preprocessor http_inspect. My iptables rule to pass control to
> snort inline is:
>
> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>
>   I have tried to block the eicar virus
> (http://www.eicar.org/download/eicar.com) without luck.
>
>   What am I doing wrong???
>
>   Many thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
> Please, any hints about this??
>
> P.S.: I have attached my snort.conf
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
> # example Snort_inline configuration file
> # Last modified 26 October, 2005
> #
> # Standard Snort configuration file modified for inline
> # use.  Most preprocessors currently do not work in inline
> # mode, as such they are not included.
> #
>
> ### Network variables
> var HOME_NET 172.25.50.0/24
> var EXTERNAL_NET !$HOME_NET
> var SMTP_SERVERS 172.25.50.15
> #var TELNET_SERVERS
> var HTTP_SERVERS 172.25.50.13
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS 172.25.50.1
>
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var SSH_PORTS 22
>
> var AIM_SERVERS
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> ### As of snort_inline 2.2.0 we drop
> ### packets with bad checksums. We can
> config checksum_mode: all
>
> # Path to your rules files (this can be a relative path)
> var RULE_PATH /etc/snort_inline
>
> # Various config options
> #config layer2resets
>
>
> ###################################################
> # Step #2: Configure dynamic loaded libraries
>
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
>
> ###################################################
> # Step #3: Configure preprocessors
>
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
>  truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
> preprocessor stream4_reassemble: both, favor_new
> preprocessor stickydrop: max_entries 3000, log
> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
> preprocessor stickydrop-ignorehosts: 172.25.50.0/24
> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
> preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
>  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
>  alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
> preprocessor dns: ports { 53 } enable_rdata_overflow
> preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000
>
>
> ####################################################################
> # Step #4: Configure output plugins
>
> #output alert_unified: filename snort.alert, limit 128
> #output log_unified: filename snort.log, limit 128
> output alert_full: snort_inline-full
> output alert_fast: snort_inline-fast
>
> # Include classification & priority settings
> include $RULE_PATH/classification.config
> include $RULE_PATH/reference.config
>
>
> ####################################################################
> # Step #6: Customize your rule set
>
> #include $RULE_PATH/bleeding-malware.rules
> #include $RULE_PATH/community-bot.rules
> #include $RULE_PATH/community-web-client.rules
> #include $RULE_PATH/exploit.rules
> #include $RULE_PATH/spyware-put.rules
> #include $RULE_PATH/web-client.rules
> include $RULE_PATH/bleeding-virus.rules
> include $RULE_PATH/community-virus.rules
> include $RULE_PATH/bleeding-malware.rules
> #include $RULE_PATH/specific-threats.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/virus.rules
>
>
> --
> joel esler
> http://demo.sourcefire.com/jesler.pgp.key
>
>
>
>
>
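Will's question about RELATED,ESTABLISHED traffic points at the mechanics worth seeing end to end: with `--state NEW` on the QUEUE rule, only the SYN of each connection is handed to snort_inline, and the HTTP response that carries the downloaded file is forwarded by the kernel without the ClamAV preprocessor ever receiving it. The Python model below is added here for illustration; it is not part of the thread and not Snort or netfilter code. It replays a constructed HTTP download through a simplified conntrack, the QUEUE rule's state match and a port filter parsed from the `ports all !22 !443` form. The conntrack behaviour (first SYN is NEW, everything after on that connection is ESTABLISHED) and the port-list grammar (`all`, `N`, `!N`) are assumptions inferred from the messages above, and the client, server and file body are constructed sample values.

```python
"""Constructed model of the two filters a packet must pass before the
snort_inline ClamAV preprocessor can scan it: the iptables state match on
the QUEUE rule, then the preprocessor's own port list. Added illustration,
not netfilter or Snort code; conntrack is simplified (assumption)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment; flags use tcpdump letters (S, A, P, F)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytes = b""


def conntrack_state(pkt, table):
    """Simplified netfilter conntrack (assumption): the first SYN between an
    unknown endpoint pair is NEW and creates the entry; every later segment
    of that connection, in either direction, is ESTABLISHED. The kernel
    classifies every packet whether or not a rule later queues it."""
    key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
    if key in table:
        return "ESTABLISHED"
    if "S" in pkt.flags and "A" not in pkt.flags:
        table.add(key)
        return "NEW"
    return "INVALID"


def clamav_port_filter(spec):
    """Parse a port list in the form used in the thread ('all !22 !443', or
    an explicit list such as '80 8080'). Grammar inferred from the page
    (assumption): 'all' selects every port, N adds a port, !N removes one."""
    tokens = spec.split()
    select_all = "all" in tokens
    included = {int(t) for t in tokens if t.isdigit()}
    excluded = {int(t[1:]) for t in tokens if t.startswith("!") and t[1:].isdigit()}

    def inspected(port):
        if port in excluded:
            return False
        return select_all or port in included

    return inspected


def payload_seen_by_clamav(packets, queue_states, port_spec):
    """Replay a flow through '-m state --state <queue_states> -j QUEUE' and
    the 'preprocessor clamav: ports <port_spec>' filter; return the bytes
    the scanner would actually receive."""
    table = set()
    inspected = clamav_port_filter(port_spec)
    seen = b""
    for pkt in packets:
        state = conntrack_state(pkt, table)   # kernel tracks every packet
        if state not in queue_states:
            continue                          # forwarded, never queued to snort
        if not (inspected(pkt.sport) or inspected(pkt.dport)):
            continue                          # queued, but clamav skips the port
        seen += pkt.payload
    return seen


# Constructed sample: a client on the thread's HOME_NET fetching a file over
# HTTP from a documentation-range address (RFC 5737). The body is a
# placeholder string, not a real test file.
CLIENT, SERVER = ("172.25.50.20", 40000), ("198.51.100.10", 80)
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nTEST-FILE-BODY"
SAMPLE_FLOW = [
    Packet(*CLIENT, *SERVER, "S"),
    Packet(*SERVER, *CLIENT, "SA"),
    Packet(*CLIENT, *SERVER, "A"),
    Packet(*CLIENT, *SERVER, "PA", b"GET /download/sample.bin HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet(*SERVER, *CLIENT, "PA", RESPONSE),
    Packet(*CLIENT, *SERVER, "FA"),
]

if __name__ == "__main__":
    only_new = payload_seen_by_clamav(SAMPLE_FLOW, {"NEW"}, "all !22 !443")
    all_states = payload_seen_by_clamav(
        SAMPLE_FLOW, {"NEW", "RELATED", "ESTABLISHED"}, "all !22 !443")
    print("--state NEW only            :", len(only_new), "payload bytes reach clamav")
    print("--state NEW,RELATED,ESTABL. :", len(all_states), "payload bytes reach clamav")
```

Run stand-alone, the NEW-only rule delivers zero payload bytes to the scanner, because the only packet it queues is the empty SYN; adding RELATED,ESTABLISHED delivers both the request and the full response. The model deliberately stops there: it says nothing about why carlopmart still saw no block after changing the rule, which is the open question Will's proxy remark is probing.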



