Snort mailing list archives

Re: Issue with ClamAV preprocessor in snort-2.3.3


From: Victor Julien <victor () nk nl>
Date: Wed, 11 May 2005 22:47:32 +0200

Jason Haar wrote:
Hi there

I have just patched snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't
seem to work as advertised. I have the following preprocessor line

preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir
/var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200,
file-descriptor-mode

I strace'd snort while downloading EICAR.COM and the klez virus from a
remote HTTP server - the strace shows the daily.* files being loaded -
which tells me ClamAV is being enabled - but nothing got detected. I
even ran tcpdump on the same interface and can see the HTTP download -
so it's definitely not a wiring issue either.

I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created,
opened, closed and unlinked - but no virus was detected. The summary that
is outputted when snort exits shows zero alerts - and nothing shows up
via the syslog or mysql output processors I use.

Any ideas? Thanks!


Yes, the clamav signature expects the eicar string to be at the start of
the buffer, which is not the case for the clamav preprocessor since
there is http stuff in it as well. This is caused by the fact that the
clamav preprocessor does not do any protocol parsing (this would be a
great feature, maybe in combination with http_inspect. If anyone is
interested in implementing such a thing...).

Regards,
Victor
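An added illustration of the point in the reply above (example code, not from the post and not Snort or ClamAV code): the buffer handed to the scanner begins with the HTTP response headers, so a signature anchored at offset 0 cannot match until those headers are parsed off. The marker string, signature name and HTTP sample are constructed for the example; the real EICAR string is not reproduced.

```python
# Constructed stand-in for a start-of-buffer-anchored pattern; only the
# anchoring behaviour matters here, not the bytes themselves.
TEST_MARKER = b"TEST-MARKER-STANDARD-ANTIVIRUS-TEST-FILE"

# Signature model: a hit only when the pattern sits at offset 0 of the
# scanned buffer, as the reply describes the clamav eicar signature.
ANCHORED_SIGNATURES = {"Constructed.Test.Marker": TEST_MARKER}


def scan_anchored(buf: bytes) -> list:
    """Return the names of signatures whose pattern starts at offset 0 of buf."""
    return [name for name, pat in ANCHORED_SIGNATURES.items()
            if buf.startswith(pat)]


def strip_http_response_headers(stream: bytes) -> bytes:
    """Minimal 'protocol parsing': drop the HTTP response header block and,
    when Content-Length is present, trim the body to that length.
    Assumes one non-chunked response; anything that does not look like an
    HTTP response is returned unchanged."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return stream
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            body = body[:int(value)]
    return body


# Constructed sample of the server-to-client data the preprocessor would see
# for a plain HTTP download of the marker file.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n" + TEST_MARKER
)


def compare(stream: bytes) -> dict:
    """Scan the raw stream and the header-stripped body side by side."""
    return {"raw": scan_anchored(stream),
            "parsed": scan_anchored(strip_http_response_headers(stream))}


if __name__ == "__main__":
    print(compare(SAMPLE_STREAM))
```

The raw buffer yields no hit because it starts with "HTTP/1.1", while the same pattern is found once the header block is removed.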

