* virus scanning with iptables
From: Khanh Tran @ 2004-09-09 23:09 UTC
  To: netfilter

Is anyone using a virus scanning application with iptables?  I'd like to
know if it's possible for me to detect viruses that go across my
iptables firewalls.

Thanks...

Khanh Tran
Network Operations
Sarah Lawrence College




* RE: virus scanning with iptables
From: Daniel Chemko @ 2004-09-09 23:26 UTC
  To: Khanh Tran, netfilter

Khanh Tran wrote:
> Is anyone using a virus scanning application with iptables?  I'd like to
> know if it's possible for me to detect viruses that go across my
> iptables firewalls.

There isn't currently a tool to perform Virus scanning of iptables data.
The closest match would be snort-inline which can locate some virus
signatures. Inline scanning of anything can have adverse effects on the
transmission. You'll quickly find that detailed scans require a lot of
CPU usage. Just for monitoring network throughput with ntop, I'd max out
my P4 CPU when backups kicked off.

The better approach would be to implement transparent proxies of
pertinent services like SMTP and use virus scanning addons for them.
You may also look at the 'l7-filter' project or the 'string' extension
to see if their implementation suits your needs.



* RE: virus scanning with iptables
From: Khanh Tran @ 2004-09-10  0:36 UTC
  To: Daniel Chemko, netfilter

How about port scanning clients behind the firewall?  Suggestions?
I'm thinking of something that could be scripted to append an iptables
rule to block the MAC address of the offending client, then notify me.
Am I looking at an NMAP plugin possibly?


Khanh Tran
Network Operations
Sarah Lawrence College






* Re: virus scanning with iptables
From: Victor Julien @ 2004-09-10  7:49 UTC
  To: netfilter; +Cc: Daniel Chemko, Khanh Tran

On Friday 10 September 2004 01:26, Daniel Chemko wrote:
> Khanh Tran wrote:
> > Is anyone using a virus scanning application with iptables?  I'd like to
> > know if it's possible for me to detect viruses that go across my
> > iptables firewalls.
>
> There isn't currently a tool to perform Virus scanning of iptables data.
> The closest match would be snort-inline which can locate some virus
> signatures. Inline scanning of anything can have adverse effects on the
> transmission. You'll quickly find that detailed scans require a lot of
> CPU usage. Just for monitoring network throughput with ntop, I'd max out
> my P4 CPU when backups kicked off.

We have developed a virus scanning preprocessor for Snort-inline about one
month ago. It will be in the upcoming Snort-inline 2.2.0 rc1 due to be
released this weekend (a patch for Snort-inline 2.1.3 is available at the
project site).

The ClamAV plugin scans the raw network data, and we have been successfully
detecting viruses in http, smtp, pop3, msn, imap, etc. Note however, that
scanning the raw data means we don't detect viruses in archives.

The cpu-load of the plugin seems to be ok...

>
> The better approach would be to implement transparent proxies of
> pertinent services like SMTP and use virus scanning addons for them.

I agree with Daniel here, especially for smtp. For other stuff you can try the
above solution!

Regards,
Victor



* Re: virus scanning with iptables
From: Stephen J Smoogen @ 2004-09-10 15:34 UTC
  To: Khanh Tran; +Cc: Daniel Chemko, netfilter

Khanh Tran wrote:
> How about port scanning clients behind the firewall?  Suggestions?
> I'm thinking of something that could be scripted to append an iptables
> rule to block the MAC address of the offending client, then notify me.
> Am I looking at an NMAP plugin possibly?
> 

You would probably want to have something like SNORT tied into iptables.
Have something like SNORT look for certain alerts and then when it
finds them it sends a 'signal' to a daemon on the firewall that inserts
a DROP rule for that IP address in a 'dynamic chain'.

-- 
Stephen John Smoogen	        | CCN-5 Security Team
LANL SIRT Team Leader           | SMTP:  smoogen@lanl.gov
Los Alamos National Laboratory  | Voice: 505.664.0645
Ta-03 SM-1498 MS: B255 DP 10S   | FAX:   505.665.7793
Los Alamos, NM 87545            |



* Re: virus scanning with iptables
From: Stephen J Smoogen @ 2004-09-10 15:50 UTC
  To: rruegner; +Cc: Daniel Chemko, netfilter, Khanh Tran

rruegner wrote:
> Hi,
> A better way would be to use apache2, mod_clamd, and squid / frox
> or use dansguardian, or some commercial product.
> This would do the job for http/ftp...clamd also works with amavis-new
> for antispam and antivirus to smtp.
> Regards
> Stephen J Smoogen wrote:
> 

I was looking at a more general solution for scans and non web-based
worms. The largest traffic I see dropped is 135:139, 445 traffic.
Getting those boxes off the network as quickly as possible is a big win.

For email based viruses I have been using a combo of clamd/mimedefang on
some sites. The larger site is using some other method.

>> Khanh Tran wrote:
>>
>>> How about port scanning clients behind the firewall?  Suggestions?
>>> I'm thinking of something that could be scripted to append an iptables
>>> rule to block the MAC address of the offending client, then notify me.
>>> Am I looking at an NMAP plugin possibly?
>>>
>>
>> You would probably want to have something like SNORT tied into 
>> iptables.  Have something like SNORT look for certain alerts and then 
>> when it finds them it sends a 'signal' to a daemon on the firewall 
>> that inserts a DROP rule for that IP address in a 'dynamic chain'.
>>


-- 
Stephen John Smoogen	        | CCN-5 Security Team
LANL SIRT Team Leader           | SMTP:  smoogen@lanl.gov
Los Alamos National Laboratory  | Voice: 505.664.0645
Ta-03 SM-1498 MS: B255 DP 10S   | FAX:   505.665.7793
Los Alamos, NM 87545            |



* Re: virus scanning with iptables
From: rruegner @ 2004-09-10 15:54 UTC
  To: Stephen J Smoogen; +Cc: Daniel Chemko, netfilter, Khanh Tran

Hi,
A better way would be to use apache2, mod_clamd, and squid / frox
or use dansguardian, or some commercial product.
This would do the job for http/ftp...clamd also works with amavis-new
for antispam and antivirus to smtp.
Regards
Stephen J Smoogen wrote:
> Khanh Tran wrote:
> 
>> How about port scanning clients behind the firewall?  Suggestions?
>> I'm thinking of something that could be scripted to append an iptables
>> rule to block the MAC address of the offending client, then notify me.
>> Am I looking at an NMAP plugin possibly?
>>
> 
> You would probably want to have something like SNORT tied into iptables. 
>  Have something like SNORT look for certain alerts and then when it 
> finds them it sends a 'signal' to a daemon on the firewall that inserts 
> a DROP rule for that IP address in a 'dynamic chain'.
> 



* RE: virus scanning with iptables
From: Jose Maria Lopez @ 2004-09-10 16:37 UTC
  To: netfilter@lists.netfilter.org

On Fri, 10 Sep 2004 at 02:36, Khanh Tran wrote:
> How about port scanning clients behind the firewall?  Suggestions?
> I'm thinking of something that could be scripted to append an iptables
> rule to block the MAC address of the offending client, then notify me.
> Am I looking at an NMAP plugin possibly?
> 
> 
> Khanh Tran
> Network Operations
> Sarah Lawrence College

You can look at snort+guardian to make this kind of rule, but
bear in mind that they are easy to bypass and also there's a real
danger of having a DoS if you don't have a list of IPs you never
want to block, such as your DNS server, your own machines and so on.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
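One way to build the Snort-to-iptables glue Stephen describes, with the never-block list Jose asks for, as an added example that is not code from the thread or from any of the tools it names: it parses constructed Snort fast-alert lines, skips sources that fall inside the protected list, and returns the iptables commands for a dynamic chain rather than running them. The chain name DYNBLOCK, the addresses, and the sample alerts are all assumptions.

```python
import ipaddress
import re

# Constructed sample Snort "fast" alert lines for this demonstration; the
# addresses and signature ids are made up, not taken from the thread.
SAMPLE_ALERTS = """\
09/10-15:34:01.123456  [**] [1:1000001:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.0.5.23:45112 -> 10.0.1.7:139
09/10-15:34:02.654321  [**] [1:1000002:1] SCAN SYN sweep [**] [Priority: 2] {TCP} 10.0.1.2:53 -> 10.0.1.7:445
09/10-15:34:03.000000  [**] [1:1000003:1] NETBIOS SMB probe [**] [Priority: 2] {TCP} 10.0.5.23:45113 -> 10.0.1.7:445
"""

# Hosts that must never be blocked (Jose's DoS caveat): here the DNS server
# and the firewall's own inside address. Constructed example values.
NEVER_BLOCK = [ipaddress.ip_network("10.0.1.2/32"),
               ipaddress.ip_network("10.0.1.1/32")]

# Fast-format alert: "[**] [sid] msg [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_alert(line):
    """Return sid/msg/proto/src/dst from one fast-format alert, or None."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def setup_commands(chain="DYNBLOCK"):
    """Commands that create the dynamic chain and hook it into FORWARD."""
    return [f"iptables -N {chain}", f"iptables -I FORWARD -j {chain}"]


def build_block_rules(alert_text, never_block, chain="DYNBLOCK"):
    """Turn alerts into one DROP rule per offending source in the dynamic
    chain, skipping any source that falls inside the never-block list."""
    rules, seen = [], set()
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["src"] in seen:
            continue
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in never_block):
            continue  # protected host: leave it alone, alert the admin instead
        seen.add(alert["src"])
        rules.append(f"iptables -I {chain} -s {src} -j DROP")
    return rules
```

The second sample alert names the DNS server as the source, so it produces no rule even though Snort flagged it; the third is a repeat of the first source and is deduplicated.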



