[Snort-devel] Re: ClamAV preprocessor patch against snort-2.2.0

Victor Julien victor at ...2603...
Wed Aug 18 01:05:07 EDT 2004


Hi Stephan,

Stephan wrote:
> Nice patch but I have the problem that it scans the packets for virus and
> not the reassembled stream. Is there any special configuration needed?

After some testing I found you are right. I think I found the problem:

In my setup there seem to be two things:

1. the clamav preproc needs to be directly after the stream4_reassemble 
preproc in the snort.conf file

2. also in the stream4_reassemble: try to use 'both'. In my setup the 
uber-packets contained no data otherwise.

Also be sure to read the README.clamav for known limitations...

> 
> In my configuration it find only virus that are in the size of a packet
> like the Eicar-Test-Virus.

I just tested with the options as above, and it detects viruses like 
Sircam and Badtrans (thus bigger than eicar) and also detects in 
uber-packets...

We'll add this to the documentation!

Can you let us know if it worked?

Regards,
Victor
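The snort.conf ordering described above, as an added illustration that is not part of the original post or of the patch's own documentation. It assumes the stock snort 2.2.0 stream4 option names ("both", "ports") and a bare "preprocessor clamav" line; any clamav-specific options belong in README.clamav and are not shown here.

```conf
# Stream reassembly first: the clamav preprocessor only sees whole files
# if stream4_reassemble hands it the rebuilt "uber-packets".
preprocessor stream4: detect_scans, disable_evasion_alerts

# 'both' reassembles client->server and server->client traffic; with the
# default (client only) the rebuilt packets carried no payload to scan.
preprocessor stream4_reassemble: both, ports all

# Immediately after stream4_reassemble, so it runs on reassembled data.
# Options for this preprocessor are listed in README.clamav (assumption:
# the bare form shown here uses that file's defaults).
preprocessor clamav

# Other preprocessors (http_inspect, portscan, ...) can follow as usual.
```

Check with `snort -T -c snort.conf`: a failed config parse points at the offending preprocessor line, and a successful one confirms the ordering is accepted before putting it on live traffic.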
