From: carlopmart (carlopmart at gmail.com)
Date: Mon Sep 24 2007 - 11:17:38 CDT
carlopmart wrote:
> With these rules it is the same result: nothing is blocked:
>
> iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
> iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
>
> Will Metcalf wrote:
>> What about your RELATED,ESTABLISHED traffic, doesn't that need to be
>> sent to the QUEUE as well?
>>
>> Regards,
>>
>> Will
>>
>> On 9/22/07, carlopmart <carlopmart at gmail.com> wrote:
>>> Hi all,
>>>
>>> After setting up and solving my problems (thanks to all) with snort
>>> inline version 2.6.1.5, I am trying to do some tests to block viruses
>>> over the HTTP service.
>>>
>>> I put this line on snort.conf:
>>>
>>> preprocessor clamav: ports all !22 !443, toclientonly, action-drop, dbdir /var/clamav, dbreload-time 43200
>>>
>>> before preprocessor http_inspect. My iptables rule to pass control to
>>> snort inline is:
>>>
>>> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>>>
>>> I have tried to block the eicar virus
>>> (http://www.eicar.org/download/eicar.com) without luck.
>>>
>>> What am I doing wrong?
>>>
>>> Many thanks.
>>>
>>> --
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>>>
>
>
Please, any hints about this?
P.S.: I have attached my snort.conf
--
CL Martinez
carlopmart {at} gmail {d0t} com
# example Snort_inline configuration file
# Last modified 26 October, 2005
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#
### Network variables
var HOME_NET 172.25.50.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS 172.25.50.15
#var TELNET_SERVERS
var HTTP_SERVERS 172.25.50.13
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 172.25.50.1
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort_inline
# Various config options
#config layer2resets
###################################################
# Step #2: Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
###################################################
# Step #3: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor stickydrop: max_entries 3000, log
preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
preprocessor stickydrop-ignorehosts: 172.25.50.0/24
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
preprocessor http_inspect: global iis_unicode_map $RULE_PATH/unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor perfmonitor: time 300 file /var/nsm/snort_data/ids-lan/snort.stats pktcnt 10000
####################################################################
# Step #4: Configure output plugins
#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
####################################################################
# Step #6: Customize your rule set
#include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/community-bot.rules
#include $RULE_PATH/community-web-client.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/web-client.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/bleeding-malware.rules
#include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/virus.rules
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
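Added example (not from the thread, not Snort or snort_inline code): a small Python model of why the state match on the QUEUE rule matters. It parses the iptables rules quoted in the thread, walks a constructed TCP/HTTP download of eicar.com through netfilter's conntrack states (the first packet of a flow is NEW, every later packet in either direction is ESTABLISHED) and iptables first-match semantics, and reports which packets are handed to snort_inline. With `--state NEW` alone only the SYN is queued, so the HTTP response carrying the file never reaches the clamav preprocessor; with NEW,RELATED,ESTABLISHED every packet on br0 is queued. The interface name br0 comes from the thread; the packet sequence, the ACCEPT chain policy and the parser (which covers only the options used in the thread) are assumptions made here. That the poster still saw nothing blocked after adding RELATED,ESTABLISHED is outside what this model explains.

```python
"""Which packets of an HTTP download reach snort_inline through the iptables
QUEUE target?  Added example; constructed inputs, not data from the thread."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    chain: str
    iface: Optional[str]               # -i; None matches any interface
    proto: Optional[str]               # -p; None ("-p 0"/"all") matches any protocol
    states: Optional[FrozenSet[str]]   # --state list; None means no state match
    target: str


def parse_rule(text: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread (-A -i -p -m state --state -j)."""
    toks = text.split()
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    opts = {}
    for flag, value in zip(toks[::2], toks[1::2]):   # every option here takes one value
        if flag not in ("-A", "-i", "-p", "-m", "--state", "-j"):
            raise ValueError(f"unsupported option {flag!r}")
        opts[flag] = value
    if opts.get("-m", "state") != "state":
        raise ValueError("only -m state is modelled")
    proto = opts.get("-p")
    if proto in ("0", "all"):
        proto = None                   # protocol 0 means "any" to iptables
    states = frozenset(opts["--state"].split(",")) if "--state" in opts else None
    return Rule(opts["-A"], opts.get("-i"), proto, states, opts["-j"])


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on
    proto: str
    label: str


def http_download(iface: str = "br0") -> List[Packet]:
    """Constructed packet sequence for one GET of eicar.com seen on a bridged interface."""
    labels = ["SYN", "SYN/ACK", "ACK", "GET /download/eicar.com",
              "HTTP/1.1 200 + eicar.com body", "ACK", "FIN/ACK", "FIN/ACK"]
    return [Packet(iface, "tcp", label) for label in labels]


def conntrack_states(pkts: List[Packet]) -> List[str]:
    """conntrack's view of one flow: the first packet is NEW, every later packet
    in either direction (the server's reply included) is ESTABLISHED."""
    return ["NEW"] + ["ESTABLISHED"] * (len(pkts) - 1)


def matches(rule: Rule, pkt: Packet, state: str, chain: str) -> bool:
    return (rule.chain == chain
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.states is None or state in rule.states))


def packets_queued(rules: List[Rule], pkts: List[Packet],
                   chain: str = "FORWARD", policy: str = "ACCEPT") -> List[str]:
    """Labels of the packets handed to the QUEUE target (first matching rule wins;
    a packet matching no rule gets the chain policy, assumed ACCEPT here)."""
    queued = []
    for pkt, state in zip(pkts, conntrack_states(pkts)):
        target = next((r.target for r in rules if matches(r, pkt, state, chain)), policy)
        if target == "QUEUE":
            queued.append(pkt.label)
    return queued


def response_body_inspected(rules: List[Rule], chain: str = "FORWARD") -> bool:
    """Does the HTTP response (where the downloaded file lives) reach snort_inline?"""
    return any("body" in label for label in packets_queued(rules, http_download(), chain))


def queue_rules_missing_established(rules: List[Rule]) -> List[Rule]:
    """Static check: QUEUE rules whose state match excludes ESTABLISHED can only
    ever hand the first packet of each flow to the inline engine."""
    return [r for r in rules if r.target == "QUEUE"
            and r.states is not None and "ESTABLISHED" not in r.states]


# The two rule sets quoted in the thread.
NEW_ONLY = [parse_rule("iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE")]
ALL_STATES = [
    parse_rule("iptables -A INPUT -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE"),
    parse_rule("iptables -A FORWARD -i br0 -p 0 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE"),
]

if __name__ == "__main__":
    for name, rules in (("NEW only", NEW_ONLY), ("NEW,RELATED,ESTABLISHED", ALL_STATES)):
        print(f"{name:24s} queued: {packets_queued(rules, http_download())}")
        print(f"{'':24s} response body inspected: {response_body_inspected(rules)}")
```

`queue_rules_missing_established` is the static form of the same check and can be run over any rule set before a live test; the simulation only shows the necessary condition (the response bytes must be queued), not that the clamav preprocessor will then drop the file.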