Snort mailing list archives
Re: Issue with ClamAV preprocessor in snort-2.3.3
From: Victor Julien <victor () nk nl>
Date: Wed, 11 May 2005 22:47:32 +0200
Jason Haar wrote:
> Hi there,
>
> I have just patched snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't seem to work as advertised. I have the following preprocessor line:
>
> preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir /var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200, file-descriptor-mode
>
> I strace'd snort while downloading EICAR.COM and the klez virus from a remote HTTP server. The strace shows the daily.* files being loaded, which tells me ClamAV is being enabled, but nothing got detected. I even ran tcpdump on the same interface and can see the HTTP download, so it's definitely not a wiring issue either.
>
> I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created, opened, closed and unlinked, but no virus was detected. The summary that is output when snort exits shows zero alerts, and nothing shows up via the syslog or mysql output processors I use.
>
> Any ideas? Thanks!
Yes, the clamav signature expects the eicar string to be at the start of the buffer, which is not the case for the clamav preprocessor since there is http stuff in it as well.

This is caused by the fact that the clamav preprocessor does not do any protocol parsing (this would be a great feature, maybe in combination with http_inspect. If anyone is interested in implementing such a thing...).

Regards,
Victor
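The following is an added illustration of the point Victor makes above; it is not Snort or ClamAV code and is not part of the original thread. It models the behaviour the reply describes: a signature that only matches at the start of the scanned buffer, fed either the raw TCP payload (HTTP headers included, as the clamav preprocessor hands it over) or the HTTP body after minimal protocol parsing. The anchored scanner is a toy stand-in for the ClamAV signature semantics stated in the reply, and the HTTP responses are constructed sample input; only the EICAR test string itself is the real, public test file content.

```python
"""Why a start-of-buffer signature misses EICAR served over HTTP.

Added example, not code from Snort or ClamAV. Assumptions (from the
reply above): the EICAR signature matches only at offset 0 of the buffer
it is given, and the clamav preprocessor passes the raw payload, HTTP
headers and all, to the scanner. The scanner and parser here are toys.
"""
from typing import Optional

# The public EICAR test file content (the backslash is escaped for Python).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def anchored_scan(buf: bytes) -> bool:
    """Toy model of a signature anchored at the start of the buffer."""
    return buf.startswith(EICAR)


def _dechunk(data: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body (chunk extensions ignored)."""
    out = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk header")
        size = int(data[pos:end].split(b";")[0].strip(), 16)
        pos = end + 2
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk body")
        out += chunk
        pos += size + 2  # skip chunk data plus its trailing CRLF
    return bytes(out)


def http_body(stream: bytes) -> Optional[bytes]:
    """Minimal HTTP/1.x response parsing: return the message body, or None
    if the stream does not look like an HTTP response. Honours
    Content-Length and chunked Transfer-Encoding; otherwise returns
    everything after the header block."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return _dechunk(rest)
    if b"content-length" in headers:
        return rest[: int(headers[b"content-length"])]
    return rest


def scan_raw_payload(stream: bytes) -> bool:
    """What the preprocessor does per the reply: scan the payload as-is."""
    return anchored_scan(stream)


def scan_with_http_parsing(stream: bytes) -> bool:
    """The suggested improvement: strip HTTP framing, then scan the body.
    Non-HTTP payloads (e.g. an FTP data channel) are scanned unchanged."""
    body = http_body(stream)
    return anchored_scan(stream if body is None else body)


# Constructed sample: an HTTP/1.1 response carrying EICAR.COM.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(EICAR)).encode() + b"\r\n"
    b"\r\n" + EICAR
)

# Constructed sample: the same file sent with chunked transfer encoding.
CHUNKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + b"%x\r\n" % len(EICAR) + EICAR + b"\r\n"
    + b"0\r\n\r\n"
)


if __name__ == "__main__":
    for label, stream in (("content-length", RESPONSE), ("chunked", CHUNKED_RESPONSE)):
        print(label, "raw payload:", scan_raw_payload(stream),
              "after HTTP parsing:", scan_with_http_parsing(stream))
```

Running the block prints `False` for the raw payload and `True` after HTTP parsing for both responses, which is the observed symptom (zero alerts) and the fix direction the reply points at: a scanner whose signature is anchored to offset 0 needs the protocol framing removed before it sees the data, which is exactly what pairing the preprocessor with http_inspect would provide.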
Current thread:
- Issue with ClamAV preprocessor in snort-2.3.3 Jason Haar (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Victor Julien (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Will Metcalf (May 11)
- Re: Issue with ClamAV preprocessor in snort-2.3.3 Jason Haar (May 12)