Integrating snort-inline with the ClamAV virus scanner

snort-inline reads ClamAV's virus signature database, scans the packets it forwards against it, and drops any packet in which a virus is found. Note the limits: snort-inline + ClamAV cannot catch viruses inside compressed archives, e-mail attachments, or OLE2 documents, because it inspects individual packet payloads rather than reassembled or decompressed files.

The description above comes from README.clamav.


[1.] Install ClamAV, its signature database and its development headers:

         apt-get install clamav-db clamav-devel clamav

      (Package names vary by distribution; on Debian/Ubuntu the headers are in libclamav-dev.)

[2.] Build snort_inline with ClamAV support enabled at configure time:

         ./configure --enable-clamav

         make

         make install

[3.] Edit the snort_inline configuration: vi /etc/snort_inline/snort_inline.conf

preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200

# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, file-descriptor-mode

            The file-descriptor-mode option in the clamav entry of the stock config file (the commented line above) is no longer supported in newer versions.

            It is enough to set "preprocessor clamav: ports all !22 !443, dbdir /var/clamav, dbreload-time 43200": in testing, infected packets were dropped even without an explicit action-drop, since drop is the default. If you would rather have the connection torn down, use action-reset instead.
            toclientonly scans and drops only traffic flowing toward the client side (hosts behind the gateway), while toserveronly only scans traffic flowing toward the server. With neither option set, both directions are scanned and dropped. A download such as the EICAR test below travels server-to-client, so the toclientonly variant still catches it.

[4.] Download the EICAR test file (a harmless, standard antivirus test string that every scanner should flag):
         wget http://www.eicar.org/download/eicar.com

      Other virus samples:

         http://www.gfos.hr/~dragovic/nest/

[5.] What the alert log shows when a virus is caught:

[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-11:18:40.345607 81.3.3.133:80 -> 10.10.1.100:44902
TCP TTL:50 TOS:0x0 ID:2639 IpLen:20 DgmLen:478 DF
***AP*** Seq: 0x7A232F0D Ack: 0x462705E2  Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 63382852 259450410
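The alert format in step [5.] is what you would feed to a SIEM or a triage script. The following is an added example (not from the original post, and not code from snort_inline or ClamAV) that parses that "full" alert layout and keeps only the (spp_clamav) Virus Found records, then counts hits per serving host. The three sample records are constructed to match the layout shown above; splitting records on blank lines, the IPv4-only 5-tuple pattern and the [gid:sid:rev] header fields are assumptions about that layout.

```python
"""Parse snort_inline 'full' alert output and extract spp_clamav virus hits.

Added example, not part of the original post or of snort_inline/ClamAV.
Assumes the layout shown in step [5.]: a "[**] [gid:sid:rev] msg [**]" header
line followed by a "MM/DD-HH:MM:SS.usec src:port -> dst:port" line, with
records separated by blank lines.  The sample log is constructed, not captured.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample: record 1 mirrors the EICAR alert on the page, record 2 is
# a made-up non-clamav alert (to show filtering), record 3 is a second EICAR hit.
SAMPLE_ALERT_LOG = """\
[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-11:18:40.345607 81.3.3.133:80 -> 10.10.1.100:44902
TCP TTL:50 TOS:0x0 ID:2639 IpLen:20 DgmLen:478 DF
***AP*** Seq: 0x7A232F0D Ack: 0x462705E2  Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 63382852 259450410

[**] [1:1000001:1] constructed-rule-alert [**]
12/09-11:19:02.000001 10.10.1.100:51234 -> 81.3.3.133:80
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:60 DF

[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-11:20:15.123456 81.3.3.133:80 -> 10.10.1.101:44910
TCP TTL:50 TOS:0x0 ID:2640 IpLen:20 DgmLen:478 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
VIRUS_RE = re.compile(r"^\(spp_clamav\) Virus Found: (.+)$")


@dataclass(frozen=True)
class VirusAlert:
    gid: int
    sid: int
    rev: int
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    signature: str


def iter_records(text: str) -> Iterator[List[str]]:
    """Yield one alert record (its non-blank lines) per blank-line-separated block."""
    block: List[str] = []
    for line in text.splitlines():
        if line.strip():
            block.append(line.rstrip())
        elif block:
            yield block
            block = []
    if block:
        yield block


def parse_virus_alerts(text: str) -> List[VirusAlert]:
    """Return only the spp_clamav 'Virus Found' records.

    Records from other generators, and records without a parsable packet
    line (e.g. truncated at the end of the file), are skipped.
    """
    alerts: List[VirusAlert] = []
    for rec in iter_records(text):
        hdr = HEADER_RE.match(rec[0])
        if not hdr:
            continue
        virus = VIRUS_RE.match(hdr.group(4))
        if not virus:
            continue
        pkt = PACKET_RE.match(rec[1]) if len(rec) > 1 else None
        if not pkt:
            continue
        alerts.append(VirusAlert(
            gid=int(hdr.group(1)), sid=int(hdr.group(2)), rev=int(hdr.group(3)),
            timestamp=pkt.group(1),
            src_ip=pkt.group(2), src_port=int(pkt.group(3)),
            dst_ip=pkt.group(4), dst_port=int(pkt.group(5)),
            signature=virus.group(1).strip(),
        ))
    return alerts


def serving_hosts(alerts: List[VirusAlert]) -> Counter:
    """Count hits per (source IP, signature).

    On an inline gateway the source of the dropped packet is the host that
    delivered the infected content, which is the one worth investigating.
    """
    return Counter((a.src_ip, a.signature) for a in alerts)


if __name__ == "__main__":
    found = parse_virus_alerts(SAMPLE_ALERT_LOG)
    for a in found:
        print(f"{a.timestamp} {a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port} {a.signature}")
    for (ip, sig), n in serving_hosts(found).most_common():
        print(f"{ip} served {sig} {n} time(s)")
```

Point it at the real file with `parse_virus_alerts(open("/var/log/snort_inline/alert").read())`; the path is an assumption and depends on how snort_inline was started. Records that do not start with a `[**]` header, or whose packet line is not an IPv4 5-tuple, are dropped silently, so extend `PACKET_RE` if you log IPv6 or ICMP alerts.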

Key reference:

From: Will Metcalf <william@gm…>
Subject: Eicar and ClamAV
Date: 2005-03-12 14:47

 It seems as if the Clam guys updated the signature database with a new definition for Eicar, and it is no longer detected in the same manner. I was wrong about Clam being broken, as it still seems to pick up other virii ok. In addition, it appears as if Victor thinks he has figured out a way to scan file descriptors via writing packet contents to tmp files. We actually should be able to detect more virii using this method.
 Regards,
 Will

      Because ClamAV changed its EICAR definition, the eicar.com test was failing at the time.

      When the newer snort-inline release was tested again on 2006/04/22, however, ClamAV detection was working.


Note (2006/04/22):

When the clamav preprocessor is combined with

preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000

the first infected connection is indeed dropped, but stickydrop then blocks every further connection to that destination for the full 3000 seconds before traffic can resume. Size the clamav timeout accordingly before deploying this on a production gateway.

