snort + squid + clamAV



Hi guys,

I have made a simple integration between Snort and Squid with ClamAV. The reason for that is that I want to send IDS syslog messages to my SIEM whenever a virus signature is found. So what I did was add a Snort rule:

alert tcp 192.168.1.0/24 any -> any any (content:"squid_clwarn.php"; msg:"malware Found!"; sid:10000005; rev:1;)

and in my Squid config I have this as the redirect page whenever a virus is detected:

http://192.168.1.1:8081/squid_clwarn.php?url=

(notice that I'm using port 8081 with HTTP and not HTTPS, or else Snort will not get any visibility into the URL...)

So, in my system log I get this message when a virus is found:

Jul 12 18:24:01 snort 90281 [1:10000005:1] malware Found! {TCP} 192.168.1.100:55078 -> 192.168.1.1:8081

I'm wondering if it's possible for Snort to get some more information from the redirected URL from Squid?
The whole URL Snort redirects a user to looks like this:

http://192.168.1.1:8081/squid_clwarn.php?url=?url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.100&user=-&virus=stream: Eicar-Test-Signature FOUND

So it would be nice to get the variable stream:"Eicar-Test-Signature FOUND" and where it's trying to download it from...

Is that possible?

Thanks,
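One way to pull those fields out of the redirect, as an added example that is not from this thread or from the pfSense, Snort or Squid projects: a Python helper that parses the squid_clwarn.php request line into the blocked URL, client address, user and signature name, and renders them as one key=value syslog line carrying the rule's SID. The sample request line, the regex and the function names are constructed for this example; the hand-off between Snort and the script (packet log, HTTP log, etc.) is left to the deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the GET request a client sends after Squid redirects it to the
# clwarn page. Spaces in the virus name are percent-encoded as they would be on the wire.
SAMPLE_REQUEST_LINE = (
    "GET /squid_clwarn.php?url=?url=http://www.eicar.org/download/eicar.com.txt"
    "&source=192.168.1.100&user=-&virus=stream:%20Eicar-Test-Signature%20FOUND HTTP/1.1"
)

# Hypothetical pattern: match only request lines for the warning page itself.
CLWARN_RE = re.compile(r"^GET\s+(\S*/squid_clwarn\.php\?\S*)\s+HTTP/1\.[01]\s*$")


def parse_clwarn_request(request_line):
    """Return the fields Squid placed in the redirect query string, or None if the
    request line is not a squid_clwarn.php hit."""
    m = CLWARN_RE.match(request_line)
    if not m:
        return None
    # parse_qs splits on '&', splits each pair on the FIRST '=' and percent-decodes values
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)

    def first(key):
        return params[key][0] if params.get(key) else ""

    blocked = first("url")
    # The redirect in the post carries "url=" twice ("?url=?url=http://..."), so the
    # first url value begins with a second "?url="; strip that duplicate prefix.
    if blocked.startswith("?url="):
        blocked = blocked[len("?url="):]
    # Squid reports the hit as "stream: <signature> FOUND"; keep only the signature name.
    virus = re.sub(r"^stream:\s*", "", first("virus"))
    virus = re.sub(r"\s+FOUND$", "", virus)
    return {"blocked_url": blocked, "source": first("source"),
            "user": first("user"), "virus": virus}


def to_siem_event(fields, sid=10000005):
    """Render the parsed fields as one key=value line, tagged with the Snort rule SID."""
    ordered = ["sid", "source", "user", "virus", "blocked_url"]
    values = dict(fields, sid=str(sid))
    return " ".join(f'{k}="{values[k]}"' for k in ordered)


if __name__ == "__main__":
    print(to_siem_event(parse_clwarn_request(SAMPLE_REQUEST_LINE)))
```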

