
Re: [Snort-users] Blocking virus with snort inline 2.6.1.5

From: Will Metcalf <william.metcalf(at)gmail.com>
Date: Sat Sep 22 2007 - 18:57:53 EDT


What about your RELATED,ESTABLISHED traffic, doesn't that need to be sent to the QUEUE as well?

Regards,

Will

On 9/22/07, carlopmart <carlopmart@gmail.com> wrote:
> Hi all,
>
> After setting up and solving my problems (thanks to all) with snort
> inline version 2.6.1.5, I will try to do some tests to block viruses
> across the http service.
>
> I put this line in snort.conf:
>
> preprocessor clamav: ports all !22 !443, toclientonly, action-drop,
> dbdir /var/clamav, dbreload-time 43200
>
> before preprocessor http_inspect. My iptables rule to pass control to
> snort inline is:
>
> iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE
>
> I have tried to block the eicar virus
> (http://www.eicar.org/download/eicar.com) without luck.
>
> What am I doing wrong???
>
> Many thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
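An added example, not part of either post and not Snort or netfilter project code: a small Python check (helper names are hypothetical) that reads iptables rules as text and reports which connection-tracking states reach QUEUE. Run on the rule quoted above, it shows that the ESTABLISHED packets carrying the HTTP response never reach snort_inline; the widened rule is constructed here from the reply's question.

```python
import shlex

ALL_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}

# Rule exactly as quoted in the original post.
PAGE_RULE = "iptables -A FORWARD -i br0 -p 0 -m state --state NEW -j QUEUE"
# Constructed for this example: the same rule widened as the reply suggests.
WIDENED_RULE = ("iptables -A FORWARD -i br0 -p 0 -m state "
                "--state NEW,RELATED,ESTABLISHED -j QUEUE")


def _arg(tok, flag):
    """Return the token that follows flag, or None if flag is absent."""
    if flag in tok and tok.index(flag) + 1 < len(tok):
        return tok[tok.index(flag) + 1]
    return None


def queued_states(rule):
    """States a rule hands to QUEUE/NFQUEUE, or None if it does not queue."""
    tok = shlex.split(rule)
    if _arg(tok, "-j") not in ("QUEUE", "NFQUEUE"):
        return None
    for flag in ("--state", "--ctstate"):
        value = _arg(tok, flag)
        if value:
            listed = set(value.upper().split(","))
            negated = tok[tok.index(flag) - 1] == "!"
            return ALL_STATES - listed if negated else listed
    return set(ALL_STATES)  # no state match: every packet is queued


def audit(rules, chain="FORWARD"):
    """Union of queued states for one chain, and the data-carrying states
    that bypass the inline engine. Simplification: rule order, interfaces
    and earlier ACCEPT/DROP rules are not modelled."""
    queued = set()
    for rule in rules:
        if _arg(shlex.split(rule), "-A") == chain:
            queued |= queued_states(rule) or set()
    return {"queued": queued, "bypass": {"ESTABLISHED", "RELATED"} - queued}


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("widened rule", WIDENED_RULE)):
        result = audit([rule])
        print(f"{name}: queued={sorted(result['queued'])} "
              f"bypass={sorted(result['bypass'])}")
```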



Received on Sat Sep 22 18:58:40 2007

This archive was generated by hypermail 2.1.8 : Mon Oct 08 2007 - 18:07:17 EDT

