[Snort-devel] Re: ClamAV preprocessor patch against snort-2.2.0
victor at ...2603...
Wed Aug 18 01:05:07 EDT 2004
> Nice patch but I have the problem that it scans the packets for virus and
> not the reassembled stream. Is there any special configuration needed?
After some testing I found you are right. I think I found the problem:
In my setup there seem to be two things:
1. the clamav preproc needs to be directly after the stream4_reassemble
preproc in the snort.conf file
2. also in the stream4_reassemble: try to use 'both'. In my setup the
uber-packets contained no data otherwise.
Also be sure to read the README.clamav for known limitations...
> In my configuration it find only virus that are in the size of a packet
> like the Eicar-Test-Virus.
I just tested with the options as above, and it detects viruses like
Sircam and Badtrans (thus bigger than EICAR) and also detects in
We'll add this to the documentation!
Can you let us know if it worked?
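A snort.conf fragment that follows the two points above, added here as an illustration; it is not part of the original mail, the snort-2.2.0 ClamAV patch or its README.clamav. In Snort 2.x preprocessors run in the order their `preprocessor` lines appear in snort.conf, which is why the placement matters. Assumptions: the ClamAV preprocessor is enabled with a line spelled `preprocessor clamav`, and any options it takes come from README.clamav (none are shown); the stream4 options given are only illustrative.

```conf
# Added example (not from the mail or the ClamAV patch): preprocessor
# ordering for the reassembled stream to reach the ClamAV preprocessor.

# stream4 must be on, otherwise stream4_reassemble has nothing to work with.
preprocessor stream4: detect_scans, disable_evasion_alerts

# Point 2 from the mail: reassemble both directions. With the default
# (client-to-server only) the reassembled "uber-packets" carried no data
# in the poster's setup.
preprocessor stream4_reassemble: both, ports all

# Point 1 from the mail: the ClamAV preprocessor goes directly after
# stream4_reassemble, so it is handed the reassembled stream rather than
# the individual packets. Options are an assumption; see README.clamav.
preprocessor clamav
```

To check that the reassembly path is actually being scanned, use the same test the thread uses: a sample larger than a single packet (the mail names Sircam and Badtrans) must be detected, not only a packet-sized one such as the EICAR test file.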