Netgate Discussion Forum

    snort + squid + clamAV

    p3tter

      Hi guys,
      I have made a simple integration between snort and squid with clamAV. The reason for that is that I want to send IDS syslog messages to my SIEM whenever a virus signature is found. So what I did was to add a snort rule:

      alert tcp 192.168.1.0/24 any -> any any (content:"squid_clwarn.php"; msg:"malware Found!"; sid:10000005;rev:1;)

      and in my squid config I have this as the redirect page whenever a virus is detected:
      http://192.168.1.1:8081/squid_clwarn.php?url=
      (notice that I'm using port 8081 with http and not https, or else snort will not get any visibility into the URL...)

      So, in my system log I get this message when a virus is found:

      Jul 12 18:24:01 	snort 	90281 	[1:10000005:1] malware Found! {TCP} 192.168.1.100:55078 -> 192.168.1.1:8081

      I'm wondering if it's possible for snort to get some more information from the redirected URL from squid?
      The whole URL snort redirects a user to looks like this:

      http://192.168.1.1:8081/squid_clwarn.php?url=?url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.100&user=-&virus=stream:%20Eicar-Test-Signature%20FOUND

      So it would be nice to get the variable stream:"Eicar-Test-Signature FOUND" and where it's trying to download it from...

      Is that possible?

      Thanks,
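One way to recover those fields, as an added example that is not part of the post: parse the squid_clwarn.php redirect URL (taken from the squid access log or from the HTTP request Snort saw) and join it with the Snort syslog alert on the client IP, so the SIEM event carries the signature name and the blocked download URL. The URL and log formats are the ones shown above; the sample inputs are copied from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Snort fast-alert line as it appears in syslog (format from the post above).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Sample inputs copied from the post (constructed test data, not live traffic).
SAMPLE_ALERT = ("Jul 12 18:24:01 snort 90281 [1:10000005:1] malware Found! "
                "{TCP} 192.168.1.100:55078 -> 192.168.1.1:8081")
SAMPLE_REDIRECT = ("http://192.168.1.1:8081/squid_clwarn.php?url=?url="
                   "http://www.eicar.org/download/eicar.com.txt&source=192.168.1.100"
                   "&user=-&virus=stream:%20Eicar-Test-Signature%20FOUND")

def parse_snort_alert(line):
    """Return the fields of a Snort syslog alert line, or None if the line does not match."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def parse_clwarn_url(url):
    """Extract blocked URL, client, user and signature name from a squid_clwarn.php redirect."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)  # percent-decodes values
    blocked = params.get("url", [""])[0]
    # The redirect in the post carries a doubled "?url=" prefix; drop it when present.
    if blocked.startswith("?url="):
        blocked = blocked[len("?url="):]
    # Caveat: an unencoded "&" inside the blocked URL would be split as a separate parameter.
    return {
        "blocked_url": blocked,
        "source": params.get("source", [""])[0],
        "user": params.get("user", [""])[0],
        "virus": params.get("virus", [""])[0],
    }

def enrich(alert_line, redirect_url):
    """Join a Snort alert with the redirect seen for the same client into one SIEM-ready event."""
    alert = parse_snort_alert(alert_line)
    if alert is None:
        return None
    details = parse_clwarn_url(redirect_url)
    if details["source"] != alert["src"]:
        return None  # different client: do not merge unrelated events
    return {**alert, **details}

if __name__ == "__main__":
    print(enrich(SAMPLE_ALERT, SAMPLE_REDIRECT))
```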
