Snort mailing list archives

Re: Building snort-inline from CVS


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 6 Jul 2009 11:44:25 -0400

Hi Ilo,

There are two reasons we don't automatically integrate Snort and
ClamAV.  One is performance: Clam isn't designed for real-time (high
throughput/low latency) operation and it's not designed to operate on
streams like you commonly see on networks.  Conversely, Snort isn't
designed to spool full files to a process like Clam, so at best you're
only going to get kilobytes of data to work with.

I'm not saying it *can't* work (or even that it's not a good idea) but
it doesn't work optimally for either engine and there hasn't been the
level of demand that has either team thinking that it's a high
priority project.

Marty


On Mon, Jul 6, 2009 at 1:38 AM, Ilo Lorusso <sneak147 () gmail com> wrote:
It's a pity, as I think (and I'm sure many others do) that this would have
been a great idea to implement in large network environments. Why
doesn't Sourcefire allocate resources to this specific development, as
they own both projects?

Thanks

Ilo

On Sun, Jul 5, 2009 at 10:17 PM, Will Metcalf <william.metcalf () gmail com> wrote:
I will see if I can find some time to fix it in the next couple of days.
Although I have said it before and I will say it again, the clamav
preproc was experimental, and after some experimentation we found that
it really doesn't work that well because clamav is expecting to scan a
file, not a packet payload with headers/protocol data.  Not only that,
but you have problems with anything bigger than 65k bytes etc.  For
the clamav preproc to be effective a lot of work would have to go into
writing protocol decoders, which neither Victor nor I have the cycles
for.  If you want AV protection in http I suggest that you look at
HAVP; it works quite well.  http://www.server-side.de/

Regards,

Will
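To make concrete the point Will and Marty both make (a file scanner handed individual packet payloads only ever sees fragments, and a fixed reassembly buffer drops anything past its limit), here is an added Python illustration that is not part of the thread and is not Snort, snort-inline or ClamAV code. The signature, HTTP header, segment size and 64 KiB window are constructed stand-ins.

```python
"""Constructed illustration: scanning each packet payload on its own versus
scanning the reassembled body. Stand-in code, not Snort or ClamAV."""
from dataclasses import dataclass
from typing import List, Optional

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-XYZ"  # 30 bytes, made up for the demo
HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
MSS = 1460  # typical TCP segment payload size

@dataclass
class Segment:
    seq: int        # byte offset of this payload within the stream
    payload: bytes

def scan(data: bytes) -> bool:
    """Stand-in for a file scanner: matches only if the whole signature is present."""
    return SIGNATURE in data

def segment_transfer(body: bytes, mss: int = MSS, header: bytes = HEADER) -> List[Segment]:
    """Split an HTTP response (header + body) into TCP-sized segments."""
    stream = header + body
    return [Segment(seq=i, payload=stream[i:i + mss]) for i in range(0, len(stream), mss)]

def scan_per_packet(segments: List[Segment]) -> bool:
    """A preprocessor handing each packet payload to the scanner by itself."""
    return any(scan(s.payload) for s in segments)

def scan_reassembled(segments: List[Segment], window: Optional[int] = None) -> bool:
    """Reassemble in sequence order, strip the protocol header, scan the body.
    `window` models a fixed reassembly buffer (the ~65k limit mentioned above)."""
    stream = b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))
    end = stream.find(b"\r\n\r\n")
    body = stream[end + 4:] if end >= 0 else stream
    if window is not None:
        body = body[:window]
    return scan(body)

def demo() -> dict:
    # Case 1: the signature starts 10 bytes before the first segment boundary.
    straddling = b"A" * (MSS - 10 - len(HEADER)) + SIGNATURE + b"B" * 3000
    segs = segment_transfer(straddling)
    # Case 2: the signature sits beyond a 64 KiB reassembly window.
    big_segs = segment_transfer(b"A" * 70_000 + SIGNATURE)
    return {
        "per_packet": scan_per_packet(segs),              # False: split over two packets
        "reassembled": scan_reassembled(segs),            # True
        "window_64k": scan_reassembled(big_segs, 65536),  # False: past the buffer
        "unbounded": scan_reassembled(big_segs),          # True
    }
```

Swapping in a real scanner for `scan()` changes nothing about the outcome: the match depends on what bytes the scanner is given, which is exactly the protocol-decoding and buffering work the reply describes.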

On Sun, Jul 5, 2009 at 1:38 PM, Ilo Lorusso <sneak147 () gmail com> wrote:
Hi

I just checked out the latest code from snort-inline trunk and I want
to compile it with clamav support.

I run the autojunk.sh script, then compile, but get the following error:

../../../src/dynamic-plugins/sf_dynamic_plugins.c: In function
'DynamicDropInline':
../../../src/dynamic-plugins/sf_dynamic_plugins.c:1155: warning:
implicit declaration of function 'InlineDrop'
../../../src/dynamic-plugins/sf_dynamic_plugins.c: In function
'InitDynamicPreprocessors':
../../../src/dynamic-plugins/sf_dynamic_plugins.c:1243: error:
'InlineMode' undeclared (first use in this function)
../../../src/dynamic-plugins/sf_dynamic_plugins.c:1243: error: (Each
undeclared identifier is reported only once
../../../src/dynamic-plugins/sf_dynamic_plugins.c:1243: error: for
each function it appears in.)
make[4]: *** [sf_dynamic_plugins.o] Error 1
make[4]: Leaving directory
`/usr/src/redhat/BUILD/snort-2.8.3/plain/src/dynamic-plugins'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory
`/usr/src/redhat/BUILD/snort-2.8.3/plain/src/dynamic-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/redhat/BUILD/snort-2.8.3/plain/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/redhat/BUILD/snort-2.8.3/

Any idea why, or how to fix it?

Thanks, regards

Ilo

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org


