[Snort-devel] ClamAV preprocessor patch against snort-2.2.0

William Metcalf William_Metcalf at ...2528...
Sun Aug 15 20:20:05 EDT 2004

Lists,

 I know that some folks don't think much of doing virus detection with an
IDS, but Victor Julien and I have developed a preprocessor that can detect
virus activity in network traffic, using a clamav C function and the clamav
virus database.  On to the preproc: you can enable the ClamAV preprocessor
by running ./configure --enable-clamav.  You can specify the include
directory with ./configure --enable-clamav --with-clamav-includes=DIR
if clamav.h can't be found by configure, and if the dbdir can't be found
you may specify it with ./configure --enable-clamav
--with-clamav-defdir=DIR.  You must have clamav and clamav.h available; we
do not provide them in the patch.

Onto the preprocessor configuration options:

turn on clamav by going into snort.conf

preprocessor clamav

This turns on the defaults for clamav, which are to listen on ports 21 25 80
81 110 119 139 445 143 and to use the default database location of
/var/lib/clamav unless another dbdir was specified at ./configure.
Alerts are written to alert logs.

options are

preprocessor clamav: ports {portlist separated by " "}, {flow can be
toclientonly or toserveronly or defaults to both}, {action option is
disabled unless running snort_inline, in which case we can drop or reject
the packet}, {dbdir}

so

preprocessor clamav: ports all !25 !443 !22


will turn on clamav and will listen for virus activity on all ports except
25, 443 and 22, and write to the alert file if a virus is detected.


preprocessor clamav: ports 139 445 21, toclientonly, dbdir /var/lib2/clamav

will turn on clamav, will listen for virus activity on ports 139 445 21,
will only watch traffic that flows to the client, and sets the virus-sig
database path to /var/lib2/clamav.


Will try to put together some better documentation... but either way,
here is the patch.

Depending on OS, some may need to run the following command before running
configure; otherwise it will not configure properly.

libtoolize -f && aclocal && autoheader && automake && autoconf
or
autoreconf -f

Regards,

William Metcalf

(See attached file: clamav-snortv-2.2.0.diff)
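As an added example (not part of the post or the attached patch), here is a small Python parser that checks a "preprocessor clamav:" line against the option syntax described above and reports which ports would be scanned. The keyword names and the defaults are taken from the post; the rule that "!port" exclusions are only accepted together with "ports all" is an assumption about the patch's behaviour, not something the post states.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Defaults as stated in the post above (assumed to match the patch itself).
DEFAULT_PORTS = (21, 25, 80, 81, 110, 119, 139, 445, 143)
DEFAULT_DBDIR = "/var/lib/clamav"

@dataclass
class ClamavConfig:
    ports_all: bool = False          # "ports all": every port except the exclusions
    ports: Set[int] = field(default_factory=lambda: set(DEFAULT_PORTS))
    excluded: Set[int] = field(default_factory=set)
    flow: str = "both"               # toclientonly / toserveronly / both
    action: Optional[str] = None     # drop / reject, only honoured under snort_inline
    dbdir: str = DEFAULT_DBDIR

    def watches(self, port: int) -> bool:
        """True if traffic on this port would be handed to the ClamAV scanner."""
        return port not in self.excluded if self.ports_all else port in self.ports

def _port(tok: str) -> int:
    if not tok.isdigit() or not 1 <= int(tok) <= 65535:
        raise ValueError(f"bad port {tok!r}")
    return int(tok)

def parse_clamav_line(line: str) -> ClamavConfig:
    m = re.fullmatch(r"preprocessor\s+clamav\s*(?::\s*(.*))?", line.strip())
    if not m:
        raise ValueError("not a clamav preprocessor line")
    cfg = ClamavConfig()
    for opt in filter(None, (o.strip() for o in (m.group(1) or "").split(","))):
        key, *args = opt.split()
        if key == "ports" and args:
            cfg.ports, cfg.excluded, cfg.ports_all = set(), set(), "all" in args
            for tok in args:
                if tok != "all":
                    (cfg.excluded if tok.startswith("!") else cfg.ports).add(_port(tok.lstrip("!")))
            if cfg.excluded and not cfg.ports_all:  # assumption: "!port" needs "all"
                raise ValueError("'!port' exclusions only make sense with 'ports all'")
        elif key in ("toclientonly", "toserveronly") and not args:
            cfg.flow = key
        elif key in ("drop", "reject") and not args:
            cfg.action = key
        elif key == "dbdir" and len(args) == 1:
            cfg.dbdir = args[0]
        else:
            raise ValueError(f"unrecognised option {opt!r}")
    return cfg
```

Feeding it the two example lines from the post shows the difference between the "all with exclusions" form and an explicit port list before the config ever reaches a live sensor.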
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav-snortv-2.2.0.diff
Type: application/octet-stream
Size: 44547 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040815/232c3a1e/attachment.obj>

