snort + squid + clamAV
-
Hi guys,
I have made a simple integration between Snort and Squid with ClamAV. The reason for that is that I want to send IDS syslog messages to my SIEM whenever a virus signature is found. So what I did is to add a Snort rule:
alert tcp 192.168.1.0/24 any -> any any (content:"squid_clwarn.php"; msg:"malware Found!"; sid:10000005; rev:1;)
and in my Squid config I have this as the redirect page whenever a virus is detected:
http://192.168.1.1:8081/squid_clwarn.php?url=
(Notice that I'm using port 8081 with HTTP and not HTTPS, or else Snort will not get any visibility into the URL...) So, in my system log I get this message when a virus is found:
Jul 12 18:24:01 snort 90281 [1:10000005:1] malware Found! {TCP} 192.168.1.100:55078 -> 192.168.1.1:8081
I'm wondering if it's possible for Snort to get some more information from the redirected URL from Squid?
The whole URL Snort redirects a user to looks like this:
http://192.168.1.1:8081/squid_clwarn.php?url=?url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.100&user=-&virus=stream:%20Eicar-Test-Signature%20FOUND
So it would be nice to get the variable stream:"Eicar-Test-Signature FOUND" and where it's trying to download it from...
Is that possible?
Thanks,
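A Snort rule can match the warning-page request with content or pcre, but the alert it emits only carries the fixed msg text; the virus name and the original download URL have to be pulled out of the HTTP request itself (from a packet log of the alerted session, or from Squid's own access.log). The following is an added example, not code from the thread: it parses a squid_clwarn.php request of the shape shown in the post (url=, source=, user=, virus=) into fields and builds a key=value line for the SIEM. The sample HTTP requests, the hosts in them and the output format are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Added example; assumes the redirect URL has exactly the parameters shown in
# the post: url=<original download URL>&source=<client>&user=<user>&virus=<verdict>.

CLWARN_PATH = "/squid_clwarn.php"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# The original download URL is pasted into "url=" unencoded, so its own "?" and
# "&" would confuse a generic query-string parser. Anchor on the fixed trailing
# keys instead and let "url" swallow everything up to "&source=".
QUERY_RE = re.compile(
    r"url=(?P<url>.*?)&source=(?P<source>[^&]*)&user=(?P<user>[^&]*)&virus=(?P<virus>.*)$"
)
# clamd reports "<stream name>: <signature> FOUND"; the stream prefix is optional.
VERDICT_RE = re.compile(r"^(?:(?P<stream>[^:]+):\s*)?(?P<signature>.+?)\s+FOUND$")
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def parse_clwarn_url(url_or_target):
    """Split a squid_clwarn.php URL or request-target into SIEM fields.

    Returns None when the path is not the warning page, so it can be run
    over arbitrary requests.
    """
    target = url_or_target
    if SCHEME_RE.match(target):
        # Absolute URL: drop "scheme://host[:port]" and keep the path onwards.
        target = target[target.index("://") + 3:]
        slash = target.find("/")
        target = target[slash:] if slash >= 0 else "/"
    path, _, query = target.partition("?")
    if not path.endswith(CLWARN_PATH):
        return None
    m = QUERY_RE.match(query)
    if not m:
        return None
    original = m.group("url")
    # The post shows the page reached with a doubled "?url=?url=" prefix; strip
    # any leading repeats so the real download URL remains.
    while original.startswith("?url="):
        original = original[len("?url="):]
    verdict = unquote(m.group("virus"))
    v = VERDICT_RE.match(verdict)
    return {
        "download_url": original,
        "client": unquote(m.group("source")),
        "user": unquote(m.group("user")),
        "verdict": verdict,
        "signature": v.group("signature") if v else verdict,
        "stream": (v.group("stream") or "") if v else "",
    }


def from_http_request(payload):
    """Parse a raw HTTP request (e.g. the alerted session's payload) into fields."""
    lines = payload.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None
    fields = parse_clwarn_url(m.group("target"))
    if fields is None:
        return None
    # Record which warning-page host was hit, taken from the Host header.
    host = ""
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    fields["warn_host"] = host
    return fields


def format_event(fields):
    """Key=value line for the SIEM (the layout here is a constructed choice)."""
    order = ("client", "user", "signature", "stream", "download_url", "warn_host")
    return "squid_clamav_block " + " ".join(
        '%s="%s"' % (k, fields.get(k, "")) for k in order
    )


# Constructed sample requests: the first mirrors the post, the second shows an
# original URL that carries its own query string (the case a naive parser breaks on).
SAMPLE_REQUEST = (
    "GET /squid_clwarn.php?url=?url=http://www.eicar.org/download/eicar.com.txt"
    "&source=192.168.1.100&user=-&virus=stream:%20Eicar-Test-Signature%20FOUND HTTP/1.1\r\n"
    "Host: 192.168.1.1:8081\r\n"
    "User-Agent: curl/7.54.0\r\n"
    "\r\n"
)
SAMPLE_REQUEST_WITH_QUERY = (
    "GET /squid_clwarn.php?url=http://files.example.com/get?id=42&name=x.exe"
    "&source=10.0.0.7&user=alice&virus=Win.Test.EICAR_HDB-1%20FOUND HTTP/1.1\r\n"
    "Host: 192.168.1.1:8081\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for req in (SAMPLE_REQUEST, SAMPLE_REQUEST_WITH_QUERY):
        print(format_event(from_http_request(req)))
```

Feed it whatever holds the request (a payload dump of the session Snort alerted on, or the Squid log line for the redirect) and forward the returned line instead of Snort's fixed msg; the Snort rule itself stays as a trigger only.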