Re: Integrating ClamAv into Snort

[Joel Esler <jesler () sourcefire com>]

Thank you (someone, I think it was Shawn) for recommending Razorback.

This is exactly one of the millions of reasons that Razorback was designed.  Analyzing files in realtime is just not 
always feasible.  Hence why Razorback was invented.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 12, 2013, at 3:46 PM, Ayodele Okeowo <aymacro () gmail com> wrote:

> Thanks Jeremy and it's nice to know about the status of the tool. I'll play with it this week and see its 
> awesomeness. And I will check out the RazorBack tonight though and go through the documentation.
>
> Thanks guys for the inputs. 
> Ayo
>
>
> On Tue, Feb 12, 2013 at 3:33 PM, Jeremy Hoel <jthoel () gmail com> wrote:
> It seems the development for OpenFPC has stalled.. there hasn't been a
> lot of movement with it.  That being said, when it works and the queue
> agent is listening, it's awesome.
>
> On Tue, Feb 12, 2013 at 8:25 PM, Ayodele Okeowo <aymacro () gmail com> wrote:
> > Thanks Shawn. While I was waiting for the reply, I went through their sites
> > and they both look interesting. However, I've been hearing about OpenFPC
> > maybe it's something I will look into. Hopefully RazorBack will have full
> > documentation on how to integrate it into Snort.
> >
> > I really appreciate your response and showing me some new stuff I've never
> > heard of today. A new learning curve.
> >
> > Ayo
> >
> >
> > On Tue, Feb 12, 2013 at 1:58 PM, Jefferson, Shawn
> > <Shawn.Jefferson () bcferries com> wrote:
> > > There are websites for both products that are very easy to find.
> > >
> > >
> > >
> > > Basically, both products are essentially monitoring systems that can carve
> > > out specific things from your network streams, like downloaded files, and
> > > these can then be run through ClamAV or other executable checking tools.
> > > Personally, I don’t use them, but I carve out specific files that were
> > > alerted on by Snort (I’m running StreamDB and OpenFPC), and analyze these on
> > > a case by case basis.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > From: Ayodele Okeowo [mailto:aymacro () gmail com]
> > > Sent: Tuesday, February 12, 2013 10:42 AM
> > > To: Jefferson, Shawn
> > > Cc: wkitty42 () windstream net; snort-users () lists sourceforge net
> > >
> > >
> > > Subject: Re: [Snort-users] Integrating ClamAv into Snort
> > >
> > >
> > >
> > > Sorry I meant Shawn.
> > >
> > > > >
> > > I'm looking up the tools but I'm trying to understand what they do;
> > > although I have a little idea but there seems to be no place on what it is,
> > > what's used for and the purpose of the tools.
> > >
> > > Any intake on that?
> > >
> > > Ayo
> > >
> > >
> > >
> > > On Tue, Feb 12, 2013 at 1:23 PM, Jefferson, Shawn
> > > <Shawn.Jefferson () bcferries com> wrote:
> > >
> > > What you are looking for is something like RazorBack, or possibly BroIDS.
> > >
> > >
> > > -----Original Message-----
> > > From: waldo kitty [mailto:wkitty42 () windstream net]
> > > Sent: Tuesday, February 12, 2013 10:01 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] Integrating ClamAv into Snort
> > >
> > > On 2/12/2013 11:48, Ayodele Okeowo wrote:
> > > > folks,
> > > >
> > > > Has anyone successfully integrated or used ClamAv with Snort? if, Yes,
> > > > please could you share how and what documentation to read to be able to
> > > > implement this?
> > >
> > > for what reason? if you are thinking about scanning files that users
> > > transfer, then you want to include additional packages along side of your
> > > snort... these would perform full packet capture and then offer slicing out
> > > the files for analysis...
> > >
> > > snort needs to sniff and sniff only... it doesn't need to worry about
> > > things like scanning for viruses or even trying to log to a database...
> > > these things slow snort down and traffic is lost or otherwise not
> > > analyzed... that's not a GoodThing<tm>... leave these tasks to other apps to
> > > handle ;)
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Free Next-Gen Firewall Hardware Offer
> > > Buy your Sophos next-gen firewall before the end March 2013 and get the
> > > hardware for free! Learn more.
> > > http://p.sf.net/sfu/sophos-d2d-feb
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort
> > > news!
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Free Next-Gen Firewall Hardware Offer
> > > Buy your Sophos next-gen firewall before the end March 2013
> > > and get the hardware for free! Learn more.
> > > http://p.sf.net/sfu/sophos-d2d-feb
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort
> > > news!
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Free Next-Gen Firewall Hardware Offer
> > Buy your Sophos next-gen firewall before the end March 2013
> > and get the hardware for free! Learn more.
> > http://p.sf.net/sfu/sophos-d2d-feb
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013 
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!