Issue with ClamAV preprocessor in snort-2.3.3

[Jason Haar <Jason.Haar () trimble co nz>]

Hi there

I have just patched snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't 
seem to work as advertised. I have the following preprocessor line

preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir 
/var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200, 
file-descriptor-mode

I strace'd snort while downloading EICAR.COM and the klez virus from a 
remote HTTP server - the strace shows the daily.* files being loaded - 
which tells me ClamAV is being enabled - but nothing got detected. I 
even ran tcpdump on the same interface and can see the HTTP download - 
so it's definitely  not a wiring issue either.

I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created, 
opened,closed and unlinked - but no virus was detected. The summary that 
is outputted when snort exits shows zero alerts - and nothing shows up 
via the syslog or mysql output processors I use.

Any ideas? Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7393&alloc_id=16281&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users