Snort mailing list archives
Issue with ClamAV preprocessor in snort-2.3.3
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 12 May 2005 08:29:49 +1200
Hi there,

I have just patched snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't seem to work as advertised. I have the following preprocessor line:
preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir /var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200, file-descriptor-mode
I strace'd snort while downloading EICAR.COM and the Klez virus from a remote HTTP server - the strace shows the daily.* files being loaded - which tells me ClamAV is being enabled - but nothing got detected. I even ran tcpdump on the same interface and can see the HTTP download - so it's definitely not a wiring issue either.
I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created, opened, closed and unlinked - but no virus was detected. The summary that is output when snort exits shows zero alerts - and nothing shows up via the syslog or mysql output processors I use.
Any ideas? Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Current thread:
- Issue with ClamAV preprocessor in snort-2.3.3 Jason Haar (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Victor Julien (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Will Metcalf (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Jason Haar (May 12)