snort + squid + clamAV

p3tter

Hi guys,
I have made a simple integration between snort and squid with clamAV. The reason for that is that I want to send IDS syslog messages to my SIEM whenever a virus signature is found. so what I did is to add a snort rule:

alert tcp 192.168.1.0/24 any -> any any (content:"squid_clwarn.php"; msg:"malware Found!"; sid:10000005;rev:1;)

and in my squid config i have this as redirect page whenever virus is detected:
http://192.168.1.1:8081/squid_clwarn.php?url=
(notice that im using port 8081 with http and not https or else snort will not get any visibility in the URL...)

So, in my system log I get this message when a virus is found:

Jul 12 18:24:01 	snort 	90281 	[1:10000005:1] malware Found! {TCP} 192.168.1.100:55078 -> 192.168.1.1:8081

I'm wondering if its possible for snort to get some more information from the redirected URL from squid?
the whole URL snort redirect a user to look like this:

http://192.168.1.1:8081/squid_clwarn.php?url=?url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.100&user=-&virus=stream: Eicar-Test-Signature FOUND

so it would be nice to get the variable stream:"Eicar-Test-Signature FOUND" and where its trying to download it from...

Is that possible?

Thanks,