snort_inline

Link   http://snort-inline.sourceforge.net/oldhome.html

What is snort_inline?

snort_inline is basically a modified version of Snort that accepts packets from iptables andIPFW via libipq(linux) or divert sockets(FreeBSD), instead of libpcap. It then uses new rule types (drop, sdrop, reject) to tell iptables/IPFW whether the packet should be dropped, rejected, modified, or allowed to pass based on a snort rule set.  Think of this as an Intrusion Prevention System (IPS) that uses existing Intrusion Detection System (IDS) signatures to make decisions on packets that traverse snort_inline.

Contact Info

The code is currently maintained by William Metcalf and Victor Julien. Major contributions have also come from Dave Remien and Nick Rogness. Check out the monitored snort_inline mailing list for discussions on bugs and enhancements.  You must become a member in order to be able to send and receive messages to and from this mailing list.  This was done in order to reduce the amount of spam.  Click hereand follow the directions to become a member.

Downloads

snort_inline comes in three forms: source code, statically compiled binary, and patch.

https://sourceforge.net/projects/snort-inline/files/

https://sourceforge.net/projects/snort-inline/files/snort_inline%20source%20%282.6.x%29/snort_inline-2.6.1.5/snort_inline-2.6.1.5.tar.gz/download

https://sourceforge.net/projects/snort-inline/files/snort_inline%20patch%20%282.6.x%29/snort_inline-2.6.1.5/snort_inline-2.6.1.5.diff.tar.gz/download

FAQ

Mailing List

snort-inline-users

The code is currently maintained by William Metcalf.

Links

Related information that may help with the deployment of snort_inline.

    • Ebtables: The bridging firewall kernel patch may be required if you intend to use snort_inline on a bridge.
    • Honeynet Project: Contains information regarding the deployment of snort_inline in a honeynet environment.
    • iptables: This is how snort_inline receives packets.
    • Libnet: This library allows snort_inline to reject packets.
    • libpcap: This is the packet capture library used to by snort, snort_inline, and many other network analyzers.
    • Snort: The core of snort_inline.
    • snort_inline:  The SourceForge project page.
    • snort_inline blog:  The snort_inline blog page.

-----------------------------------------------

http://www.clamav.net/documents/clamav-virus-database-faq

I’m running ClamAV on a lot of clients on my local network. Can I serve the cvd files from a local server so that each client doesn’t have to download them from your servers?

Sure, you can find more details on our Mirror page.

  • If you want to take advantage of incremental updates, install a proxy server and then configure your freshclam clients to use it (watch for the HTTPProxyServer parameter in man freshclam.conf).

  • The second possible solution is to:

  • Configure a local webserver on one of your machines (say machine1.mylan)

  • Let freshclam download the *.cvd files from http://database.clamav.net to the webserver’s DocumentRoot.

  • Finally, change freshclam.conf on your clients so that it includes:

    DatabaseMirror machine1.mylan

    ScriptedUpdates off

    First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it.

    Important: For this to work, you have to add ScriptedUpdates off on all of your machines!

Virus Database

For ClamAV to work properly, both the ClamAV engine and the ClamAV Virus Database (CVD) must be kept up to date.

Freshclam should perform these updates automatically. Instructions for setting up Freshclam can be found in the documentation section. 
If your network is segmented or the end hosts are unable to reach the Internet, you should investigate setting up a private local mirror. If this is not viable, you may use these direct download links:  main.cvd | daily.cvd | bytecode.cvd

http://database.clamav.net/main.cvd
http://database.clamav.net/daily.cvd
http://database.clamav.net/bytecode.cvd

------------------------------------------

Snort-Inline + ClamAV

来源  https://ssorc.tw/273

整合snort-inline與掃毒程式clamav

snort-line會去讀clamav的資料庫病毒碼來過濾所傳送的封包,並擋掉有病毒的封包,但snort-inline+clamav無法擋掉壓縮檔、email附件,及OLE2 病毒

以上來說明來自 README.clamav
 

[1.] apt-get install clamav-db clamav-devel clamav

[2.] 編譯時加入clamav
         ./configure – -enable-clamav

make

make install
 

[3.] vi /etc/snort_inline/snort_inline.conf

preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200

# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, file-descriptor-mode

預設定檔中clamav項目中的file-descriptor-mode參數在新版中已不用了。

設定只要 "preprocessor clamav: ports all !22 !443, dbdir /var/clamav, dbreload-time 43200" 即可,試驗結果它已直接 action-drop了,或者你要將連線一直重置就設定為 action-reset。
            toclientonly只對 gateway後面的作 drop,而 toserveronly則只對 gateway,而 toclientonly與 toserveronly都不用,則雙方應該是都作 drop。

[4.] 下載 eicar測試
         wget http://www.eicar.org/download/eicar.com

病毒

http://www.gfos.hr/~dragovic/nest/

 

[5.] log記錄訊息

[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-11:18:40.345607 81.3.3.133:80 -> 10.10.1.100:44902
TCP TTL:50 TOS:0x0 ID:2639 IpLen:20 DgmLen:478 DF
***AP*** Seq: 0x7A232F0D Ack: 0x462705E2  Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 63382852 259450410

重要引用:

From: Will Metcalf <william@gm…>
 Eicar and ClamAV
2005-03-12 14:47
 It seems as if the clam guy"s updated the signature database with a new definition for Eicar, and it is no longer detected in the same manner. I was wrong, about Clam being broken as it still seems to pick-up other virii ok. In addition, it appears as if Victor thinks
 he has figured out a way to scan file descriptors via writing packet contents to tmp files. We actually should be able to detect more virii using this method.
 Regards,
 Will

Clamav官方改變了定義,所以測試eicar.com病毒,是失敗的

不過在2006/04/22測試新版的Snort-Inline時,clamav已working

 

註: 2006/04/22

clamav配合 preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000

的時後,一開始的連線是被drop的沒錯,不過要等3000秒後,對目的端的全部連線才能再次溝通。

-------------------------------------

snort_inline with clamav on pfsense

============ End

snort_inline的更多相关文章

随机推荐

  1. js 解析 JSON 数据

    JSON 数据如下: { "name": "mkyong", , "address": { "streetAddress" ...

  2. flutter中的网络请求和下拉刷新上拉加载,toast的案例

    添加依赖 pull_to_refresh: ^1.5.6 dio: ^2.1.0 fluttertoast: ^3.0.1 DioUtil import 'package:dio/dio.dart'; ...

  3. Python3基础 运算 加减乘除、取余数

             Python : 3.7.3          OS : Ubuntu 18.04.2 LTS         IDE : pycharm-community-2019.1.3    ...

  4. Linux记录-史上最全的MySQL高性能优化实战总结(转载)

       史上最全的MySQL高性能优化实战总结! 1.1 前言 MySQL对于很多Linux从业者而言,是一个非常棘手的问题,多数情况都是因为对数据库出现问题的情况和处理思路不清晰.在进行MySQL的优 ...

  5. Spring Cloud 如何使用Eureka注册服务 4.2.2

    要使用Eureka实现服务发现,需要项目中包含Eureka的服务端发现组件以及客户端发现组件. 搭建Maven父工程 创建一个Maven父工程xcservice-springcloud,并在工程的po ...

  6. easyui前台改变datagrid某单元格的值

    有时候前台完成某个操作后要修改datagrid的值, 也许这个datagrid是没有保存的, 所以要修改后才能传递到后台; 也许要其他操作过后才需请求后台; 这些情况都需要前台对datagrid的单元 ...

  7. 【原生JS插件】LoadingBar页面顶部加载进度条

    先展示一下已经实现的效果: 预览地址:http://dtdxrk.github.io/js-plug/LoadingBar/index.html 看到手机上的浏览器内置了页面的加载进度条,想用在pc上 ...

  8. 网站证书(SSL域名证书)常见格式使用

    主流的Web服务软件通常都基于两种基础密码库:OpenSSL和Java 1.Tomcat.Weblogic.JBoss等系统是使用Java提供的密码库.通过Java的Keytool工具,生成Java ...

  9. 我的Java之路

    前言: 之前在学习python,刚开始的时候跟多数小白一样学习一些基础的知识,比如数据类型,用法,基本的语言结构,学了一段时间实在是学习不下去了,真是太TMD的无聊了,很多方法都记不住,也不知道学了这 ...

  10. Python 访问一个网址之后输入信息进行检索

    window Python 3 Pycharm软件 from selenium import webdriver #导入Selenium的webdriver from selenium.webdriv ...