Snort mailing list archives
Re: Issue with ClamAV preprocessor in snort-2.3.3
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 11 May 2005 15:57:04 -0500
Jason, Eicar won't be detected because the ClamAV guys wrote the sig so that if the string wasn't in the first part of the file/file descriptor/buffer being scanned it wouldn't fire. I think they did this so that if you were writing a document that contained the Eicar string it wouldn't be marked as viri. Try to transmit Eicar via ftp and see what happens ;-).

As far as klez goes, it is important to initialize clamav after stream4 and before http_inspect.

Once again folks, this preproc isn't perfect: we are looking at fragments of files, not the whole thing. It is not intended to be a replacement for an AV scanner at your mail gateways or proxy servers.

Regards,
Will

On 5/11/05, Jason Haar <Jason.Haar () trimble co nz> wrote:
Hi there

I have just patched snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't seem to work as advertised. I have the following preprocessor line:

preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir /var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200, file-descriptor-mode

I strace'd snort while downloading EICAR.COM and the klez virus from a remote HTTP server. The strace shows the daily.* files being loaded, which tells me ClamAV is being enabled, but nothing got detected. I even ran tcpdump on the same interface and can see the HTTP download, so it's definitely not a wiring issue either.

I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created, opened, closed and unlinked, but no virus was detected. The summary that is output when snort exits shows zero alerts, and nothing shows up via the syslog or mysql output processors I use.

Any ideas?

Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
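The two effects Will describes above, an offset-anchored signature and scanning per-packet fragments instead of the reassembled file, as an added Python model. This is not code from Snort or the ClamAV preprocessor; the "must start within the first N bytes" rule and the segment sizes are assumptions modelled on his description, and the sample inputs are constructed.

```python
# Constructed model of offset-anchored signature matching against
# per-packet buffers vs a reassembled stream. Not Snort/ClamAV code.

# The standard EICAR test string (harmless by design).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def anchored_match(buf: bytes, sig: bytes, max_offset: int = 0) -> bool:
    """Fire only if `sig` starts within the first `max_offset` bytes of `buf`.

    Assumption: this is how the thread describes the EICAR signature
    behaving (a document merely containing the string is not flagged).
    """
    idx = buf.find(sig)
    return idx != -1 and idx <= max_offset


def segment(data: bytes, mss: int) -> list[bytes]:
    """Split a byte stream into fixed-size segments (a crude TCP MSS model)."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def scan_per_packet(data: bytes, sig: bytes, mss: int) -> bool:
    """Scan each segment on its own, as a preprocessor without stream
    reassembly would see the traffic."""
    return any(anchored_match(seg, sig) for seg in segment(data, mss))


def scan_reassembled(data: bytes, sig: bytes, mss: int) -> bool:
    """Scan the stream after the segments have been put back together,
    as happens when the scanner runs after a reassembly preprocessor."""
    return anchored_match(b"".join(segment(data, mss)), sig)


if __name__ == "__main__":
    # Constructed samples: a bare EICAR file and a document that merely
    # contains the string somewhere in its body.
    document = b"Notes on AV testing: " + EICAR + b"\n"
    print("small segments, per packet:", scan_per_packet(EICAR, EICAR, 40))
    print("small segments, reassembled:", scan_reassembled(EICAR, EICAR, 40))
    print("string mid-document:", scan_reassembled(document, EICAR, 40))
```

With a 40-byte segment size the 68-byte signature straddles a segment boundary, so per-packet scanning misses it while the reassembled stream matches; the mid-document case is not flagged because of the offset anchor.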
Current thread:
- Issue with ClamAV preprocessor in snort-2.3.3 Jason Haar (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Victor Julien (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Will Metcalf (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Jason Haar (May 12)