[Snort-users] Blocking virus with snort inline 2.6.1.5

carlopmart carlopmart at ...11827...
Mon Sep 24 14:12:41 EDT 2007


No, this snort is between my laptop and the internet firewall ....


Will Metcalf wrote:
> should be fine.....  Are you by chance going through a proxy server?
> 
> Regards,
> 
> Will
> 
> On 9/24/07, Joel Esler <joel.esler at ...1935...> wrote:
>>  Having never worked with the Clamav preprocessor..  Can you do that?
>> ports all !22 !443?
>>
>> Joel
>>
>>
>> On Sep 24, 2007, at 12:17 PM, carlopmart wrote:
>>
>> carlopmart wrote:
>> With these rules it is the same result, nothing is blocked:
>> iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
>> Will Metcalf wrote:
>> What about your RELATED,ESTABLISHED traffic, doesn't that need to be
>> sent to the QUEUE as well?
>>
>> Regards,
>>
>> Will
>>
>> On 9/22/07, carlopmart <carlopmart at ...11827...> wrote:
>> Hi all,
>>
>>   After setting up and solving my problems (thanks to all) with snort
>> inline version 2.6.1.5, I will try to do some tests for blocking viruses
>> across the http service.
>>
>>   I put this line on snort.conf:
>>
>>   preprocessor clamav: ports all !22 !443, toclientonly, action-drop,
>> dbdir /var/clamav, dbreload-time 43200
>>
>>   before preprocessor http_inspect. My iptables rule to pass control to
>> snort inline is:
>>
>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>>
>>   I have tried to block the eicar virus
>> (http://www.eicar.org/download/eicar.com) without luck.
>>
>>   What am I doing wrong???
>>
>>   Many thanks.
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2005.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>>
>>
>>
>> Please, any hints about this??
>>
>> P.S.: I have attached my snort.conf
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>>
>> # example Snort_inline configuration file
>> # Last modified 26 October, 2005
>> #
>> # Standard Snort configuration file modified for inline
>> # use.  Most preprocessors currently do not work in inline
>> # mode, as such they are not included.
>> #
>>
>> ### Network variables
>> var HOME_NET 172.25.50.0/24
>> var EXTERNAL_NET !$HOME_NET
>> var SMTP_SERVERS 172.25.50.15
>> #var TELNET_SERVERS
>> var HTTP_SERVERS 172.25.50.13
>> var SQL_SERVERS $HOME_NET
>> var DNS_SERVERS 172.25.50.1
>>
>> var HTTP_PORTS 80
>> var SHELLCODE_PORTS !80
>> var ORACLE_PORTS 1521
>> var SSH_PORTS 22
>>
>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>
>> ### As of snort_inline 2.2.0 we drop
>> ### packets with bad checksums. We can
>> config checksum_mode: all
>>
>> # Path to your rules files (this can be a relative path)
>> var RULE_PATH /etc/snort_inline
>>
>> # Various config options
>> #config layer2resets
>>
>>
>> ###################################################
>> # Step #2: Configure dynamic loaded libraries
>>
>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>
>>
>> ###################################################
>> # Step #3: Configure preprocessors
>>
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, \
>>  memcap 134217728, timeout 3600, truncate, window_size 3000, \
>>  disable_ooo_alerts, norm_wscale_max 14
>> preprocessor stream4_reassemble: both, favor_new
>> preprocessor stickydrop: max_entries 3000, log
>> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
>> preprocessor stickydrop-ignorehosts: 172.25.50.0/24
>> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, \
>>  dbreload-time 43200
>> preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
>> preprocessor http_inspect_server: server default profile all \
>>  ports { 80 8080 8180 } oversize_dir_length 500
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
>> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
>> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 \
>>  alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
>>  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>  chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
>> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 \
>>  bounce yes telnet_cmds yes
>> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds \
>>  normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
>>  alt_max_command_line_len 300 { RCPT } \
>>  alt_max_command_line_len 500 { HELP HELO ETRN } \
>>  alt_max_command_line_len 255 { EXPN VRFY }
>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
>> preprocessor dns: ports { 53 } enable_rdata_overflow
>> preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000
>>
>>
>> ####################################################################
>> # Step #4: Configure output plugins
>>
>> #output alert_unified: filename snort.alert, limit 128
>> #output log_unified: filename snort.log, limit 128
>> output alert_full: snort_inline-full
>> output alert_fast: snort_inline-fast
>>
>> # Include classification & priority settings
>> include $RULE_PATH/classification.config
>> include $RULE_PATH/reference.config
>>
>>
>> ####################################################################
>> # Step #6: Customize your rule set
>>
>> #include $RULE_PATH/bleeding-malware.rules
>> #include $RULE_PATH/community-bot.rules
>> #include $RULE_PATH/community-web-client.rules
>> #include $RULE_PATH/exploit.rules
>> #include $RULE_PATH/spyware-put.rules
>> #include $RULE_PATH/web-client.rules
>> include $RULE_PATH/bleeding-virus.rules
>> include $RULE_PATH/community-virus.rules
>> include $RULE_PATH/bleeding-malware.rules
>> #include $RULE_PATH/specific-threats.rules
>> include $RULE_PATH/spyware-put.rules
>> include $RULE_PATH/virus.rules
>>
>>
>> --
>> joel esler
>> http://demo.sourcefire.com/jesler.pgp.key
>>
>>
>>
>>
>>
> 


-- 
CL Martinez
carlopmart {at} gmail {d0t} com

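The thread turns on what the clamav preprocessor line actually says once snort.conf is parsed: whether action-drop is set, whether port 80 is inside the "ports all !22 !443" specification, whether toclientonly limits scanning to the server-to-client direction, and whether clamav is declared before http_inspect as the first message says it should be. Note that the clamav line in the attached snort.conf does not carry the toclientonly option that the first message quotes. The checker below is an added example, not code from this thread or from the snort_inline project. It joins backslash-continued lines the way snort.conf is written, lists the preprocessor directives in file order and reports those settings. The sample configuration is constructed from the attached snort.conf (abbreviated, with the mail wrapping turned back into backslash continuations); the "ports" semantics (all or a bare number selects, !N excludes) are an assumption taken from how the thread's own line reads, and HTTP_PORT is the example's own constant.

```python
"""Report the clamav preprocessor settings found in a snort_inline 2.6.x snort.conf."""
import re
from typing import Dict, List, Tuple

# Constructed sample input for this example only: the preprocessor section of the
# snort.conf attached to the thread, abbreviated, with backslash continuations.
SAMPLE_CONF = """\
# Step #3: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, \\
 memcap 134217728, timeout 3600, truncate, window_size 3000
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, \\
 dbreload-time 43200
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 }
"""

HTTP_PORT = 80  # example constant: the port the EICAR download in the thread uses


def logical_lines(text: str) -> List[str]:
    """Join lines ending in a backslash; skip blank lines and '#' comments."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def preprocessors(text: str) -> List[Tuple[str, str]]:
    """Return (name, argument string) for every 'preprocessor' directive, in file order."""
    found: List[Tuple[str, str]] = []
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)$", line)
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found


def parse_clamav_args(args: str) -> Dict[str, object]:
    """Parse the comma-separated clamav options: bare flags map to True,
    'key value' pairs to the value string, 'ports' to the tokens after it."""
    opts: Dict[str, object] = {}
    for item in args.split(","):
        toks = item.split()
        if not toks:
            continue
        if toks[0] == "ports":
            opts["ports"] = toks[1:]
        elif len(toks) == 1:
            opts[toks[0]] = True
        else:
            opts[toks[0]] = " ".join(toks[1:])
    return opts


def port_scanned(ports: List[str], port: int) -> bool:
    """Evaluate a spec like ['all', '!22', '!443'] for one port (assumed semantics:
    'all' or a bare number selects, '!N' excludes; an empty spec selects nothing)."""
    selected = "all" in ports or str(port) in ports
    return selected and f"!{port}" not in ports


def check_clamav(text: str) -> Dict[str, object]:
    """Summarise the clamav preprocessor configuration in snort.conf text."""
    pp = preprocessors(text)
    names = [name for name, _ in pp]
    report: Dict[str, object] = {"present": "clamav" in names}
    if not report["present"]:
        return report
    opts = parse_clamav_args(pp[names.index("clamav")][1])
    report.update({
        "action_drop": opts.get("action-drop") is True,
        "toclientonly": opts.get("toclientonly") is True,
        "scans_http_port": port_scanned(opts.get("ports", []), HTTP_PORT),
        "dbdir": opts.get("dbdir"),
        "dbreload_time": opts.get("dbreload-time"),
        # The first message in the thread puts clamav before http_inspect.
        "before_http_inspect": "http_inspect" not in names
        or names.index("clamav") < names.index("http_inspect"),
    })
    return report


if __name__ == "__main__":
    for key, value in check_clamav(SAMPLE_CONF).items():
        print(f"{key:>20}: {value}")
```

Run it against a real snort.conf by reading the file into check_clamav; on the attached configuration it reports action_drop and scans_http_port true, toclientonly false, and clamav ahead of http_inspect, which narrows the problem to the traffic path (the iptables QUEUE rules and the proxy question raised in the thread) rather than the preprocessor line itself.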


