Snort mailing list archives

Re: ClamAV preprocessor


From: William Metcalf <William_Metcalf () kcmo org>
Date: Tue, 24 Aug 2004 08:45:34 -0500






http://sourceforge.net/tracker/index.php?func=detail&aid=1011054&group_id=78497&atid=553469


From: "Sam Evans" <sam () neuroflux com>
Date: 08/24/2004 08:46 AM
To: "Victor Julien" <victor () nk nl>
Cc: "Jason Haar" <jason.haar () trimble co nz>, snort-users () lists sourceforge net, "William Metcalf" <william_metcalf () kcmo org>
Subject: Re: [Snort-users] ClamAV preprocessor

Wow, this sounds really cool!  I didn't see a download link, but we could
offer up some of our sensors and heavy network traffic for testing.

-Sam


Victor Julien said:
Hi Jason,

On Tuesday 24 August 2004 02:53, Jason Haar wrote:
On Tue, Aug 17, 2004 at 11:09:14PM -0500, William Metcalf wrote:
I know that some folks don't think that doing virus detection with an IDS is a
good idea, but Victor Julien and I have developed a preprocessor that can
detect virus activity in network traffic, using a ClamAV C function and the
ClamAV virus database.  On to the preproc, you can enable

Wow - freaky!

:-)


Have you got any stats on how such a preprocessor affects Snort?

e.g. how much more CPU/memory load, FP rates, etc.


No, although with no hard data I can say the load seems to be ok.

As far as FP rates go, I mean as it's "just" an AV preprocessor (now
there's an understatement!), I assume it isn't also a SMB preprocessor -
so it isn't translating raw network data back into files before letting
ClamAV loose on it

You are correct.

- so the chances for FP must be higher due to that.

Well, maybe you are right, but I'm running it for a few weeks now, and
haven't seen any FP. But this is one thing we need to find out by heavy
testing :-).

Regards,
Victor


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users