Snort mailing list archives

Re: Building snort-inline from CVS


From: Edward Bjarte Fjellskål <edward.fjellskal () redpill-linpro com>
Date: Mon, 06 Jul 2009 09:43:22 +0200

Will Metcalf wrote:
I will see if I can find some time to fix in the next couple of days.
Although I have said it before and I will say it again, the clamav
preproc was experimental, and after some experimentation we found that
it really doesn't work that well because clamav is expecting to scan a
file, not a packet payload with headers/protocol data.

I played with tcpxtract a while back:
http://www.gamelinux.org/?p=22

The idea was to have tcpxtract carve out files, and have clamav scan
them. tcpxtract segfaulted after a while, so I haven't looked into it
lately.

For programmers, there might be something to learn from:
http://tcpxtract.sourceforge.net/
in order to pass files and not packets to clamav?

e

Not only that
but you have problems with anything bigger than 65k bytes etc. For
the clamav preproc to be effective a lot of work would have to go into
writing protocol decoders, which neither Victor nor I have the cycles
for. If you want AV protection in http I suggest that you look at
HAVP; it works quite well. http://www.server-side.de/

Regards,

Will
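
The gap discussed in this thread, between what a per-packet scanner sees and the file ClamAV expects, shown as an added example (not part of the original posts and not code from snort-inline, tcpxtract or HAVP): a minimal TCP reassembly and HTTP chunked-body decoder run over a constructed capture. All function names, the marker bytes and the sample response are assumptions made for illustration.

```python
import hashlib

def reassemble(segments, isn):
    """Order (seq, payload) TCP segments into one stream, dropping retransmitted bytes."""
    stream = bytearray()
    for seq, data in sorted(segments):
        offset = seq - isn
        if offset > len(stream):
            raise ValueError("gap in stream: do not hand a partial file to the scanner")
        stream += data[len(stream) - offset:]
    return bytes(stream)

def http_body(stream):
    """Strip HTTP response headers and undo chunked transfer encoding."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") != b"chunked":
        return rest[:int(headers.get(b"content-length", len(rest)))]
    body = bytearray()
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return bytes(body)
        body += rest[:size]
        rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF

def scan_views(segments, isn, marker):
    """Report where a byte signature is visible: per packet, raw stream, decoded file."""
    stream = reassemble(segments, isn)
    body = http_body(stream)
    return {"any_packet": any(marker in data for _, data in segments),
            "raw_stream": marker in stream,
            "decoded_file": marker in body,
            "sha256": hashlib.sha256(body).hexdigest()}

# Constructed sample: a small "file" sent as two HTTP chunks, out of order, one retransmit.
MARKER = b"CONSTRUCTED-MARKER"  # stand-in for a scanner signature
FILE = b"header-of-file|" + MARKER + b"|trailer"
RESP = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
        + b"%x\r\n%s\r\n%x\r\n%s\r\n0\r\n\r\n" % (20, FILE[:20], len(FILE) - 20, FILE[20:]))
ISN = 1000
SEGMENTS = [(ISN + 60, RESP[60:]), (ISN, RESP[:30]),
            (ISN + 30, RESP[30:60]), (ISN + 30, RESP[30:60])]
if __name__ == "__main__":
    print(scan_views(SEGMENTS, ISN, MARKER))
```

The chunk boundary falls inside the marker, so the signature is absent from every packet and from the reassembled stream, and appears only once the body is decoded back into the file.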

