整合snort-inline與掃毒程式clamav
snort-line會去讀clamav的資料庫病毒碼來過濾所傳送的封包,並擋掉有病毒的封包,但snort-inline+clamav無法擋掉壓縮檔、email附件,及OLE2 病毒
以上來說明來自 README.clamav
[1.] apt-get install clamav-db clamav-devel clamav
[2.] 編譯時加入clamav
./configure – -enable-clamav
make
make install
[3.] vi /etc/snort_inline/snort_inline.conf
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, file-descriptor-mode
預設定檔中clamav項目中的file-descriptor-mode參數在新版中已不用了。
設定只要 "preprocessor clamav: ports all !22 !443, dbdir /var/clamav, dbreload-time 43200" 即可,試驗結果它已直接 action-drop了,或者你要將連線一直重置就設定為 action-reset。
toclientonly只對 gateway後面的作 drop,而 toserveronly則只對 gateway,而 toclientonly與 toserveronly都不用,則雙方應該是都作 drop。
[4.] 下載 eicar測試
wget http://www.eicar.org/download/eicar.com
病毒
http://www.gfos.hr/~dragovic/nest/
[5.] log記錄訊息
[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-11:18:40.345607 81.3.3.133:80 -> 10.10.1.100:44902
TCP TTL:50 TOS:0x0 ID:2639 IpLen:20 DgmLen:478 DF
***AP*** Seq: 0x7A232F0D Ack: 0x462705E2 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 63382852 259450410
重要引用:
From: Will Metcalf <william@gm…>
Eicar and ClamAV
2005-03-12 14:47
It seems as if the clam guy"s updated the signature database with a new definition for Eicar, and it is no longer detected in the same manner. I was wrong, about Clam being broken as it still seems to pick-up other virii ok. In addition, it appears as if Victor thinks
he has figured out a way to scan file descriptors via writing packet contents to tmp files. We actually should be able to detect more virii using this method.
Regards,
Will
Clamav官方改變了定義,所以測試eicar.com病毒,是失敗的
不過在2006/04/22測試新版的Snort-Inline時,clamav已working
註: 2006/04/22
clamav配合 preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
的時後,一開始的連線是被drop的沒錯,不過要等3000秒後,對目的端的全部連線才能再次溝通。
留言