Snort mailing list archives
Re: ClamAV preprocessor
From: William Metcalf <William_Metcalf () kcmo org>
Date: Tue, 24 Aug 2004 08:45:34 -0500
http://sourceforge.net/tracker/index.php?func=detail&aid=1011054&group_id=78497&atid=553469

"Sam Evans" <sam () neuroflux co m>
08/24/2004 08:46 AM
To "Victor Julien" <victor () nk nl>
cc "Jason Haar" <jason.haar () trimble co nz>, snort-users () lists sourceforge net, "William Metcalf" <william_metcalf () kcmo org>
Subject Re: [Snort-users] ClamAV preprocessor

Wow, this sounds really cool! I didn't see a download link, but we could offer up some of our sensors and heavy network traffic for testing.

-Sam

Victor Julien said:
> Hi Jason,
>
> On Tuesday 24 August 2004 02:53, Jason Haar wrote:
> > On Tue, Aug 17, 2004 at 11:09:14PM -0500, William Metcalf wrote:
> > > I know that some folks don't think that doing virus detection with
> > > an IDS is a good idea, but Victor Julien and I have developed a
> > > preprocessor that can detect virus activity in network traffic, using
> > > a clamav c function and the clamav virus database. On to the preproc,
> > > you can enable
> >
> > Wow - freaky! :-)
> >
> > Have you got any stats on how such a preprocessor affects Snort? e.g. how
> > much more CPU/memory load, FP rates, etc.
>
> No, although with no hard data I can say the load seems to be ok.
>
> > As far as FP rates go, I mean as it's "just" an AV preprocessor (now
> > there's an understatement!), I assume it isn't also a SMB preprocessor - so
> > it isn't translating raw network data back into files before letting ClamAV
> > loose on it
>
> You are correct.
>
> > - so the chances for FP must be higher due to that.
>
> Well, maybe you are right, but I've been running it for a few weeks now, and
> haven't seen any FP. But this is one thing we need to find out by heavy
> testing :-).
>
> Regards,
> Victor