Snort mailing list archives
ClamAV preprocessor
From: William Metcalf <William_Metcalf () kcmo org>
Date: Tue, 17 Aug 2004 23:09:14 -0500
List,

I know that some folks don't think that doing virus detection with an IDS is a good idea, but Victor Julien and I have developed a preprocessor that can detect virus activity in network traffic, using a clamav C function and the clamav virus database.

On to the preproc. You can enable the ClamAV preprocessor by running ./configure --enable-clamav. You can specify the include directory with ./configure --enable-clamav --with-clamav-includes=DIR if clamav.h can't be found by configure; if the dbdir can't be found you may specify it with ./configure --enable-clamav --with-clamav-defdir=DIR. You must have clamav and clamav.h available; we do not provide it in the patch.

On to the preprocessor configuration options. Turn on clamav by going into snort.conf:

preprocessor clamav

This turns on the defaults for clamav, which are to listen on ports 21 25 80 81 110 119 139 445 143 and use the default database location of /var/lib/clamav unless another dbdir was specified at ./configure. Alerts are written to alert logs.

The options are:

preprocessor clamav: ports {portlist separated by " "}, {flow can be toclientonly or toserveronly or defaults to both} {action option is disabled unless running snort_inline in which case we can drop or reject the packet}, {dbdir}

So

preprocessor clamav: ports all !25 !443 !22

will turn on clamav and will listen for virus activity on all ports except 25 443 22 and write to the alert file if a virus is detected.

preprocessor clamav: ports 139 445 21, toclientonly, dbdir /var/lib2/clamav

will turn on clamav, will listen for virus activity on ports 139 445 21, will only watch traffic that flows to the client, and sets the virus-sig database path to /var/lib2/clamav.

Will try to put together some better documentation... but either way here is the patch. Depending on OS, some may need to run the following command before running configure, otherwise it will not configure properly:

libtoolize -f && aclocal && autoheader && automake && autoconf

or

autoreconf -f

Regards,
William Metcalf

Download the patch from: https://sourceforge.net/tracker/?atid=553469&group_id=78497&func=browse
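The option grammar described in the mail (a space-separated port list with "all" and "!" exclusions, an optional flow direction, an optional drop/reject action that is only valid under snort_inline, and an optional dbdir) is compact enough to model. The following parser is an added example and is not the preprocessor's own code or part of the patch; it follows the option semantics stated in the mail, while the exact tokenizing rules (comma-separated options, "all" as every port 1..65535) are assumptions made for the example. It lets an administrator check what a given snort.conf line will actually scan before deploying it.

```python
"""Model of the clamav preprocessor configuration line from the Snort mail.

Added example, not the preprocessor's own parser. Option meanings follow
the mail; tokenizing details (comma-separated options, "all" = 1..65535)
are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Defaults as stated in the mail for a bare "preprocessor clamav" line.
DEFAULT_PORTS = {21, 25, 80, 81, 110, 119, 139, 445, 143}
DEFAULT_DBDIR = "/var/lib/clamav"

FLOWS = {"toclientonly", "toserveronly"}   # default is both directions
ACTIONS = {"drop", "reject"}               # only meaningful under snort_inline


@dataclass
class ClamavConfig:
    ports: set[int]
    flow: str = "both"
    action: str = "alert"   # write to the alert file (the non-inline default)
    dbdir: str = DEFAULT_DBDIR


def parse_ports(tokens: list[str]) -> set[int]:
    """'all !25 !443' -> every port except 25 and 443; '139 445 21' -> those three."""
    include: set[int] = set()
    exclude: set[int] = set()
    use_all = False
    for tok in tokens:
        if tok == "all":
            use_all = True
        elif tok.startswith("!"):
            exclude.add(int(tok[1:]))
        else:
            include.add(int(tok))
    if use_all:
        include = set(range(1, 65536))  # assumption: "all" means 1..65535
    return include - exclude


def parse_clamav_line(line: str, inline: bool = False) -> ClamavConfig:
    """Parse one 'preprocessor clamav[: options]' line from snort.conf.

    inline=True models running snort_inline, which is the only mode in
    which the drop/reject action is allowed.
    """
    line = line.strip()
    prefix = "preprocessor clamav"
    if not line.startswith(prefix):
        raise ValueError("not a clamav preprocessor line")
    rest = line[len(prefix):].strip()
    cfg = ClamavConfig(ports=set(DEFAULT_PORTS))
    if not rest:
        return cfg                      # bare line: all defaults
    if not rest.startswith(":"):
        raise ValueError("expected ':' before options")
    for opt in rest[1:].split(","):     # assumption: options are comma-separated
        words = opt.split()
        if not words:
            continue
        key = words[0]
        if key == "ports":
            cfg.ports = parse_ports(words[1:])
        elif key in FLOWS:
            cfg.flow = key
        elif key in ACTIONS:
            if not inline:
                raise ValueError(f"action {key!r} requires snort_inline")
            cfg.action = key
        elif key == "dbdir":
            cfg.dbdir = words[1]
        else:
            raise ValueError(f"unknown clamav option {key!r}")
    return cfg


def should_scan(cfg: ClamavConfig, port: int, to_client: bool) -> bool:
    """Would this configuration hand a payload on `port` to the scanner?"""
    if port not in cfg.ports:
        return False
    if cfg.flow == "toclientonly":
        return to_client
    if cfg.flow == "toserveronly":
        return not to_client
    return True


if __name__ == "__main__":
    # The two example lines from the mail.
    for text in ("preprocessor clamav: ports all !25 !443 !22",
                 "preprocessor clamav: ports 139 445 21, toclientonly, dbdir /var/lib2/clamav"):
        c = parse_clamav_line(text)
        print(text)
        print(f"  {len(c.ports)} ports, flow={c.flow}, action={c.action}, dbdir={c.dbdir}")
```

Running the script prints how many ports each of the mail's example lines covers and in which direction; the second line scans only server-to-client traffic on 139, 445 and 21, so a file pushed from a client to an SMB share would not be inspected under it.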