Re: [Snort-inline-users] [Fwd: Re: Fortinet IDS]

[Victor Julien <victor () nk nl>]

> I am not sure how fortinet does it however I know snort-inline now has a
> clamav preprocessor that will scan for viruses in the traffic and block
> it if discovered. There is no proxy involved and all traffic is scanned
> based on a configuration you define. It is a recent development and sure
> to require beefy hardware but might be worth exploring for the edge
> points that require virus scanning. X-posting to snort-inline if they
> want to chime in.

Thanx Jason. The ClamAV preprocessor does some very basic scanning. It just 
scans the packet payload and some more data in the so called 
'uber-packet' (which is a reassembled stream, so a couple of payloads are 
scanned). It does not do any effort to decode, decrypt, unpack, whatever... 
it just feeds the data it sees to ClamAV. When William Metcalf and myself 
designed it we foremost had in mind to offer somekind of protection against 
some of the browser attacks, msn worms and other client-attacks.

Btw: it also works with plain Snort (ids).

Hope this helps,
Victor


> https://sourceforge.net/tracker/index.php?func=detail&aid=1012679&group_id=
> 78497&atid=553469
>
> Ian Gallagher wrote:
> > I'm almost certain that their products scan transparently.
> >
> >
> > On 14 Oct 2004 13:30:38 -0000, Don Draper <don () draperconsulting com>
> >
> > wrote:
> > > In-Reply-To: <200407270109.i6R19ZZr041277 () mx-out daemonmail net>
> > >
> > > Does anyone know if Fortinet on-board virus scanning uses an SMTP
> > > proxy server? Or is it able to accomplish this transparently by
> > > simply inspecting the packets as most the IDS/IPS do.
> > >
> > > We just purchased a new Proventia M10 from ISS and have discovered
> > > that we cannot use it for Anti-Virus (email) or Anti-Spam due the
> > > ffact that it uses an on-board SMTP proxy server that does not
> > > support SMTP authentication among other issues. The IPS module does
> > > not need the proxy and works fine.  Having on-board virus scanning
> > > at the network edge would be very helpful and Fortinet docs would
> > > make you think it is ALL done with packet inspection and without
> > > any nasty proxies in the middle. Does anyone know how this works?
> > >
> > > TIA,
> > >
> > > Don


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------