Snort mailing list archives
Re: deploying ClamAV with Snort IDS
From: Will Metcalf <william.metcalf () gmail com>
Date: Mon, 1 Feb 2010 14:01:18 -0600
Hmmm I thought HAVP did support ftp when placed inside of a squid sandwich, although maybe this is incorrect.

Regards,

Will

On Mon, Feb 1, 2010 at 1:48 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:

> On 02/02/2010 06:46 AM, Will Metcalf wrote:
>> If you are interested in stopping viruses in http/ftp traffic with ClamAV I suggest you have a look at HAVP. They do this better than we did, the problem being that ClamAV expects a file so unless you do some serious work writing protocol dissectors to hand it something in a format it expects, most of the time it will only find viruses in protocols where the file starts at the beginning of the payload i.e. (no application headers present). We add some rudimentary support for http but HAVP is way more robust.
>
> havp is great. If you have squid inline (ie the squid server is the router) or transparently inline (ie you configure your default route to redirect port 80 traffic to your proxy) then it equates to inline snort + AV for HTTP.
>
> (btw, havp does NOT support FTP - nor HTTPS - but the latter should be obvious). Also, it supports many AVs - not just clamAV
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
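Added example (not part of the original thread, and not code from Snort, ClamAV or HAVP): a sketch of the point quoted above, that a file scanner only matches once a protocol dissector has stripped the application headers and framing. The marker, the toy `scan_file` check, the function names and the sample HTTP response are all constructed for illustration.

```python
# Added illustration; the marker, names and sample stream are constructed.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # stand-in for a signature anchored at file offset 0

def scan_file(data: bytes) -> bool:
    """Toy file scanner: matches only when the marker sits at offset 0."""
    return data.startswith(MARKER)

def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = eol + 2
        if start + size > len(body):
            raise ValueError("truncated chunk data")
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that ends the chunk

def http_entity(stream: bytes) -> bytes:
    """Strip status line, headers and transfer framing from a reassembled response."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        return dechunk(body)
    if b"content-length" in headers:
        return body[:int(headers[b"content-length"])]
    return body  # no length given: body runs until the connection closes

# Constructed sample: the "file" is split across two chunks of a chunked response.
PAYLOAD = MARKER + b" rest of file"
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          + b"a\r\n" + PAYLOAD[:10] + b"\r\n"
          + format(len(PAYLOAD) - 10, "x").encode() + b"\r\n" + PAYLOAD[10:] + b"\r\n"
          + b"0\r\n\r\n")

if __name__ == "__main__":
    print("raw payload matches:", scan_file(SAMPLE))
    print("dissected body matches:", scan_file(http_entity(SAMPLE)))
```

Because the chunk framing lands in the middle of the marker, even an unanchored search of the raw stream misses it. A body sent with a `Content-Encoding` such as gzip would need decompressing as a further step before scanning.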
Current thread:
- deploying ClamAV with Snort IDS Alan Brennan (Feb 01)
- Re: deploying ClamAV with Snort IDS Will Metcalf (Feb 01)
- Re: deploying ClamAV with Snort IDS Randal T. Rioux (Feb 01)
- Re: deploying ClamAV with Snort IDS Jason Haar (Feb 01)
- Re: deploying ClamAV with Snort IDS Will Metcalf (Feb 01)
- Re: deploying ClamAV with Snort IDS Will Metcalf (Feb 01)