snort_inline
Link http://snort-inline.sourceforge.net/oldhome.html
What is snort_inline?
snort_inline is basically a modified version of Snort that accepts packets from iptables and IPFW via libipq (Linux) or divert sockets (FreeBSD), instead of libpcap. It then uses new rule types (drop, sdrop, reject) to tell iptables/IPFW whether the packet should be dropped, rejected, modified, or allowed to pass based on a snort rule set. Think of this as an Intrusion Prevention System (IPS) that uses existing Intrusion Detection System (IDS) signatures to make decisions on packets that traverse snort_inline.
Contact Info
The code is currently maintained by William Metcalf and Victor Julien. Major contributions have also come from Dave Remien and Nick Rogness. Check out the monitored snort_inline mailing list for discussions on bugs and enhancements. You must become a member in order to be able to send and receive messages to and from this mailing list. This was done in order to reduce the amount of spam. Click here and follow the directions to become a member.
Downloads
snort_inline comes in three forms: source code, statically compiled binary, and patch.
https://sourceforge.net/projects/snort-inline/files/
FAQ
- I am having problems compiling snort_inline.
- I am having problems running snort_inline.
- Snort_inline is not dropping any packets.
- Which version of libnet do I need?
- I want to handle only selected traffic with snort_inline
Mailing List
The code is currently maintained by William Metcalf.
Links
Related information that may help with the deployment of snort_inline.
- Ebtables: The bridging firewall kernel patch may be required if you intend to use snort_inline on a bridge.
- Honeynet Project: Contains information regarding the deployment of snort_inline in a honeynet environment.
- iptables: This is how snort_inline receives packets.
- Libnet: This library allows snort_inline to reject packets.
- libpcap: This is the packet capture library used by snort, snort_inline, and many other network analyzers.
- Snort: The core of snort_inline.
- snort_inline: The SourceForge project page.
- snort_inline blog: The snort_inline blog page.
-----------------------------------------------
http://www.clamav.net/documents/clamav-virus-database-faq
I’m running ClamAV on a lot of clients on my local network. Can I serve the cvd files from a local server so that each client doesn’t have to download them from your servers?
Sure, you can find more details on our Mirror page.
If you want to take advantage of incremental updates, install a proxy server and then configure your freshclam clients to use it (watch for the HTTPProxyServer parameter in man freshclam.conf).
The second possible solution is to:
- Configure a local webserver on one of your machines (say machine1.mylan).
- Let freshclam download the *.cvd files from http://database.clamav.net to the webserver’s DocumentRoot.
- Finally, change freshclam.conf on your clients so that it includes:
DatabaseMirror machine1.mylan
ScriptedUpdates off
First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it.
Important: For this to work, you have to add ScriptedUpdates off on all of your machines!
Virus Database
For ClamAV to work properly, both the ClamAV engine and the ClamAV Virus Database (CVD) must be kept up to date.
Freshclam should perform these updates automatically. Instructions for setting up Freshclam can be found in the documentation section.
If your network is segmented or the end hosts are unable to reach the Internet, you should investigate setting up a private local mirror. If this is not viable, you may use these direct download links: main.cvd | daily.cvd | bytecode.cvd
http://database.clamav.net/main.cvd
http://database.clamav.net/daily.cvd
http://database.clamav.net/bytecode.cvd
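When clients pull from a local mirror as described above, the thing to monitor is whether the mirror's copy is actually newer than what each client holds and whether the installed engine is still new enough for it. The following Python example is added here and is not ClamAV's own code; it reads the 512-byte header that starts every .cvd file, in the colon-separated nine-field layout ClamAV documents (ClamAV-VDB, build time, version, signature count, required functionality level, MD5, digital signature, builder, build time in seconds), and compares a client's header against the mirror's. The sample header it builds is constructed for the example, and the helper names (parse_cvd_header, mirror_is_stale, engine_too_old) are this example's own.

```python
"""Read the 512-byte header at the start of a ClamAV .cvd file and compare a
client's copy against the mirror's.

Added example, not ClamAV's own code. It follows the documented CVD header
layout: nine colon-separated ASCII fields, "ClamAV-VDB" first, padded to 512
bytes, with a gzipped tar body following. The sample header built below is
constructed for this example and is not a real database.
"""
from dataclasses import dataclass

CVD_HEADER_LEN = 512
CVD_MAGIC = "ClamAV-VDB"


@dataclass(frozen=True)
class CvdHeader:
    build_time: str            # human-readable build time, e.g. "22 Apr 2006 12-00 +0000"
    version: int               # database version number that freshclam compares
    signatures: int            # number of signatures in the database
    functionality_level: int   # minimum engine functionality level required
    md5: str                   # MD5 of the tar.gz body (checked by freshclam)
    dsig: str                  # ClamAV's digital signature over the body
    builder: str               # who built the database
    build_timestamp: int       # build time as Unix seconds


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the first 512 bytes of a CVD file.

    Raises ValueError for anything that is not a well-formed header, so a
    truncated download or an HTML error page served by a broken mirror is
    rejected instead of being mistaken for a database.
    """
    if len(raw) < CVD_HEADER_LEN:
        raise ValueError("shorter than the 512-byte CVD header")
    # UnicodeDecodeError is a ValueError, so binary junk is rejected too.
    header = raw[:CVD_HEADER_LEN].decode("ascii").rstrip(" \0")
    fields = header.split(":")
    if len(fields) != 9 or fields[0] != CVD_MAGIC:
        raise ValueError("not a ClamAV-VDB header")
    return CvdHeader(
        build_time=fields[1],
        version=int(fields[2]),
        signatures=int(fields[3]),
        functionality_level=int(fields[4]),
        md5=fields[5],
        dsig=fields[6],
        builder=fields[7],
        build_timestamp=int(fields[8]),
    )


def read_cvd_header(path: str) -> CvdHeader:
    """Read only the header of an on-disk .cvd (the body can be tens of MB)."""
    with open(path, "rb") as fh:
        return parse_cvd_header(fh.read(CVD_HEADER_LEN))


def looks_like_cvd(raw: bytes) -> bool:
    """Cheap sanity check on a downloaded file before trusting it as a database."""
    try:
        parse_cvd_header(raw)
        return True
    except ValueError:
        return False


def mirror_is_stale(client: CvdHeader, mirror: CvdHeader) -> bool:
    """True when the client still needs to pull a newer version from the mirror."""
    return client.version < mirror.version


def engine_too_old(header: CvdHeader, engine_flevel: int) -> bool:
    """True when the installed engine is below the level this database requires."""
    return engine_flevel < header.functionality_level


def build_sample_header(version: int, sigs: int, flevel: int) -> bytes:
    """Constructed header in the documented layout, space-padded to 512 bytes."""
    fields = [CVD_MAGIC, "22 Apr 2006 12-00 +0000", str(version), str(sigs),
              str(flevel), "0" * 32, "constructed-dsig", "example-builder",
              "1145707200"]
    return ":".join(fields).encode("ascii").ljust(CVD_HEADER_LEN, b" ")


if __name__ == "__main__":
    client = parse_cvd_header(build_sample_header(57, 4560000, 63))
    mirror = parse_cvd_header(build_sample_header(58, 4566249, 63))
    print("client", client.version, "mirror", mirror.version,
          "stale:", mirror_is_stale(client, mirror))
```

This only reads metadata: the MD5 and digital signature fields are parsed but not verified, which freshclam does on every download and sigtool --info does for a file on disk, so use it for watching the mirror, not as a substitute for that verification.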
------------------------------------------
Integrating snort-inline with the ClamAV virus scanner
snort-inline reads ClamAV's virus signature database to filter the packets passing through it and drops those carrying a virus, but snort-inline+clamav cannot block compressed archives, e-mail attachments, or OLE2 viruses.
The description above is taken from README.clamav.
[1.] apt-get install clamav-db clamav-devel clamav
[2.] Enable clamav at build time
./configure --enable-clamav
make
make install
[3.] vi /etc/snort_inline/snort_inline.conf
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, file-descriptor-mode
The file-descriptor-mode parameter in the clamav entry of the default config file is no longer used in newer versions.
Setting just "preprocessor clamav: ports all !22 !443, dbdir /var/clamav, dbreload-time 43200" is enough; in testing it already performed action-drop by default, or, if you want the connection reset every time, set action-reset.
toclientonly drops only traffic toward the hosts behind the gateway, and toserveronly only traffic toward the gateway side; if neither toclientonly nor toserveronly is given, both directions should be dropped.
[4.] Download eicar for testing
wget http://www.eicar.org/download/eicar.com
Viruses
http://www.gfos.hr/~dragovic/nest/
[5.] Log messages
[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-11:18:40.345607 81.3.3.133:80 -> 10.10.1.100:44902
TCP TTL:50 TOS:0x0 ID:2639 IpLen:20 DgmLen:478 DF
***AP*** Seq: 0x7A232F0D Ack: 0x462705E2 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 63382852 259450410
Important reference:
From: Will Metcalf <william@gm…>
Eicar and ClamAV
2005-03-12 14:47
It seems as if the clam guys updated the signature database with a new definition for Eicar, and it is no longer detected in the same manner. I was wrong about Clam being broken, as it still seems to pick up other virii ok. In addition, it appears as if Victor thinks he has figured out a way to scan file descriptors via writing packet contents to tmp files. We actually should be able to detect more virii using this method.
Regards,
Will
ClamAV officially changed the definition, so the test with the eicar.com virus fails.
However, when testing the new version of Snort-Inline on 2006/04/22, clamav was working.
Note: 2006/04/22
When clamav is combined with
preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
the initial connection is indeed dropped, but you then have to wait 3000 seconds before any connection to the destination can communicate again.
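The spp_clamav alert in step 5 above and the stickydrop note just given are the two things an operator has to reconcile: which flows were flagged, and which hosts are therefore still unreachable until the 3000-second timeout lifts. The following Python example is added here and is not part of snort_inline; it parses Snort "full"-format alert records into structured events and, following this page's observation that the flagged flow's destination stays blocked, computes which destinations are still inside the stickydrop window at a given moment. It assumes records are separated by blank lines and, because Snort timestamps carry no year, that the caller supplies one; the first sample record is the alert shown on this page, the second is constructed.

```python
"""Parse snort_inline 'full' alert records and work out which hosts a
stickydrop timeout still has blocked.

Added example, not code from snort_inline. Assumptions: alerts are separated
by blank lines; the alert year (absent from Snort timestamps) is supplied by
the caller; and, as this page reports, a clamav stickydrop leaves the flagged
flow's destination address unreachable for the configured timeout.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
FLOW_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) "
    r"(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"   # ports are absent for ICMP
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) ")


@dataclass(frozen=True)
class SnortAlert:
    gid: int
    sid: int
    rev: int
    message: str
    timestamp: datetime
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    ttl: int


def parse_alerts(text: str, year: int) -> List[SnortAlert]:
    """Split a full-format alert file into records and parse each one.

    A record that does not match the header/flow/protocol layout raises
    ValueError rather than being silently skipped.
    """
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.strip().splitlines()
        if len(lines) < 3:
            raise ValueError(f"truncated alert record: {record!r}")
        head = HEADER_RE.match(lines[0])
        flow = FLOW_RE.match(lines[1])
        proto = PROTO_RE.match(lines[2])
        if not (head and flow and proto):
            raise ValueError(f"unrecognised alert record: {record!r}")
        month, day, hh, mm, ss, usec = (int(x) for x in flow.group(1, 2, 3, 4, 5, 6))
        alerts.append(SnortAlert(
            gid=int(head.group(1)), sid=int(head.group(2)), rev=int(head.group(3)),
            message=head.group(4),
            timestamp=datetime(year, month, day, hh, mm, ss, usec),
            src_ip=flow.group(7),
            src_port=int(flow.group(8)) if flow.group(8) else None,
            dst_ip=flow.group(9),
            dst_port=int(flow.group(10)) if flow.group(10) else None,
            proto=proto.group(1), ttl=int(proto.group(2)),
        ))
    return alerts


def clamav_alerts(alerts: List[SnortAlert]) -> List[SnortAlert]:
    """Only spp_clamav events (generator id 122), the ones feeding the clamav stickydrop."""
    return [a for a in alerts if a.gid == 122]


def blocked_destinations(alerts: List[SnortAlert], timeout_s: int, now: datetime) -> Set[str]:
    """Destination addresses whose stickydrop has not yet expired at `now`.

    With the page's setting (clamav 3000) a host stays unreachable for 3000 s
    after the alert; the newest alert per host decides when the block lifts.
    """
    expiry: Dict[str, datetime] = {}
    for a in clamav_alerts(alerts):
        until = a.timestamp + timedelta(seconds=timeout_s)
        if a.dst_ip not in expiry or until > expiry[a.dst_ip]:
            expiry[a.dst_ip] = until
    return {ip for ip, until in expiry.items() if now < until}


# Sample input: the first record is the alert shown on this page; the second is
# constructed (documentation address 192.0.2.7) to show a later hit.
SAMPLE_ALERTS = """\
[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-11:18:40.345607 81.3.3.133:80 -> 10.10.1.100:44902
TCP TTL:50 TOS:0x0 ID:2639 IpLen:20 DgmLen:478 DF
***AP*** Seq: 0x7A232F0D Ack: 0x462705E2 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 63382852 259450410

[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-12:00:00.000000 192.0.2.7:80 -> 10.10.1.101:50000
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:478 DF
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x1920 TcpLen: 32
"""

if __name__ == "__main__":
    events = parse_alerts(SAMPLE_ALERTS, year=2005)  # the year is an assumption
    for e in events:
        print(e.timestamp, e.message, e.src_ip, "->", e.dst_ip)
    print(blocked_destinations(events, 3000, datetime(2005, 12, 9, 12, 5, 0)))
```

Run against a real alert file with the year of the capture; the blocked-set output is what tells you whether an "unreachable host" complaint during the 3000-second window is the stickydrop doing its job rather than a separate fault.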
-------------------------------------
snort_inline with clamav on pfsense
============ End