4. snort + squid + clamAV

snort + squid + clamAV

  • P

    Hi guys,
    I have made a simple integration between snort and squid with clamAV. The reason for that is that I want to send IDS syslog messages to my SIEM whenever a virus signature is found. so what I did is to add a snort rule:

    alert tcp 192.168.1.0/24 any -> any any (content:"squid_clwarn.php"; msg:"malware Found!"; sid:10000005;rev:1;)

    and in my squid config i have this as redirect page whenever virus is detected:
    http://192.168.1.1:8081/squid_clwarn.php?url=
    (notice that im using port 8081 with http and not https or else snort will not get any visibility in the URL...)

    So, in my system log I get this message when a virus is found:

    Jul 12 18:24:01 	snort 	90281 	[1:10000005:1] malware Found! {TCP} 192.168.1.100:55078 -> 192.168.1.1:8081

    I'm wondering if its possible for snort to get some more information from the redirected URL from squid?
    the whole URL snort redirect a user to look like this:

    http://192.168.1.1:8081/squid_clwarn.php?url=?url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.100&user=-&virus=stream: Eicar-Test-Signature FOUND

    so it would be nice to get the variable stream:"Eicar-Test-Signature FOUND" and where its trying to download it from...

    Is that possible?

    Thanks,

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy