snort + squid + clamAV

IDS/IPS
Log in to reply
  • P

    Hi guys,
    I have made a simple integration between snort and squid with clamAV. The reason for that is that I want to send IDS syslog messages to my SIEM whenever a virus signature is found. so what I did is to add a snort rule:

    alert tcp 192.168.1.0/24 any -> any any (content:"squid_clwarn.php"; msg:"malware Found!"; sid:10000005;rev:1;)

    and in my squid config i have this as redirect page whenever virus is detected:
    http://192.168.1.1:8081/squid_clwarn.php?url=
    (notice that im using port 8081 with http and not https or else snort will not get any visibility in the URL...)

    So, in my system log I get this message when a virus is found:

    Jul 12 18:24:01 	snort 	90281 	[1:10000005:1] malware Found! {TCP} 192.168.1.100:55078 -> 192.168.1.1:8081

    I'm wondering if its possible for snort to get some more information from the redirected URL from squid?
    the whole URL snort redirect a user to look like this:

    http://192.168.1.1:8081/squid_clwarn.php?url=?url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.100&user=-&virus=stream: Eicar-Test-Signature FOUND

    so it would be nice to get the variable stream:"Eicar-Test-Signature FOUND" and where its trying to download it from...

    Is that possible?

    Thanks,

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy