Snort mailing list archives

Re: Issue with ClamAV preprocessor in snort-2.3.3


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 11 May 2005 15:57:04 -0500

Jason,

Eicar won't be detected because the ClamAV guys wrote the sig so that if
the string isn't in the first part of the file/file descriptor/buffer being
scanned it won't fire. I think they did this so that if you were writing
a document that contained the Eicar string it wouldn't be marked as a virus.
Try to transmit Eicar via ftp and see what happens ;-). As far as Klez goes,
it is important to initialize clamav after stream4 and before http_inspect.
Once again, folks, this preproc isn't perfect: we are looking at fragments of
files, not the whole thing, and it is not intended to be a replacement for an
AV scanner at your mail gateways or proxy servers.

Regards,

Will
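The two caveats above (the EICAR signature is anchored at the start of the scanned buffer, and the preprocessor sees fragments rather than the whole file) as a small Python model, added here as an illustration and not code from ClamAV or the Snort ClamAV preprocessor. Only the EICAR test string itself is the standard one; the signature names, the 40-byte segment size and the sample "document" are constructed for this example, and the matching logic is a simplification of what a real engine does.

```python
# Toy model of anchored-vs-unanchored signature matching over individual TCP
# segments versus a reassembled stream.  Added illustration, not ClamAV or
# Snort code; the matching logic is deliberately minimal.
from dataclasses import dataclass
from typing import List, Optional

# The standard EICAR test string (68 bytes).  Real AV signatures for it are
# anchored at offset 0, which is the behaviour modelled by EICAR_ANCHORED.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    offset: Optional[int]   # None: match anywhere; n: pattern must sit at byte n


# Constructed signatures: the anchored one mimics the real EICAR signature's
# offset-0 behaviour, the unanchored one is hypothetical and exists for contrast.
EICAR_ANCHORED = Signature("Eicar-Test-Signature", EICAR, 0)
EICAR_ANYWHERE = Signature("Hypothetical.Eicar.Unanchored", EICAR, None)


def scan_buffer(buf: bytes, sigs: List[Signature]) -> List[str]:
    """Return the names of the signatures that match this one buffer."""
    hits: List[str] = []
    for sig in sigs:
        if sig.offset is None:
            matched = sig.pattern in buf
        else:
            matched = buf[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern
        if matched:
            hits.append(sig.name)
    return hits


def split_segments(payload: bytes, mss: int) -> List[bytes]:
    """Cut a payload into fixed-size chunks, standing in for TCP segments."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def scan_per_segment(segments: List[bytes], sigs: List[Signature]) -> List[str]:
    """What a preprocessor sees without stream reassembly: each segment alone."""
    hits: List[str] = []
    for seg in segments:
        hits.extend(scan_buffer(seg, sigs))
    return hits


def scan_reassembled(segments: List[bytes], sigs: List[Signature]) -> List[str]:
    """What the same preprocessor sees once the stream has been reassembled."""
    return scan_buffer(b"".join(segments), sigs)


if __name__ == "__main__":
    sigs = [EICAR_ANCHORED, EICAR_ANYWHERE]

    # Case 1: the EICAR file itself, delivered across two 40-byte segments.
    # Neither segment carries the whole pattern, so per-segment scanning
    # misses it; the reassembled stream matches both signatures.
    segs = split_segments(EICAR, 40)
    print("per-segment :", scan_per_segment(segs, sigs))   # []
    print("reassembled :", scan_reassembled(segs, sigs))   # both names

    # Case 2: a constructed document that merely quotes the string.  The
    # anchored signature stays quiet; only the unanchored one would fire.
    doc = b"Notes on AV testing: the test string is " + EICAR + b"\n"
    print("document    :", scan_buffer(doc, sigs))         # unanchored only
```

Case 1 is the reason the preprocessor has to run after stream4: without reassembly, a pattern that straddles a segment boundary never appears whole in any buffer it scans. Case 2 is the reason a plain HTTP download of a document containing the EICAR text does not trip the anchored signature even with reassembly.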

On 5/11/05, Jason Haar <Jason.Haar () trimble co nz> wrote:

Hi there

I have just patched snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't
seem to work as advertised. I have the following preprocessor line

preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir
/var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200,
file-descriptor-mode

I strace'd snort while downloading EICAR.COM and the klez virus from a
remote HTTP server - the strace shows the daily.* files being loaded -
which tells me ClamAV is being enabled - but nothing got detected. I
even ran tcpdump on the same interface and can see the HTTP download -
so it's definitely not a wiring issue either.

I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created,
opened, closed and unlinked - but no virus was detected. The summary that
is output when snort exits shows zero alerts - and nothing shows up
via the syslog or mysql output processors I use.

Any ideas? Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
