[Snort-devel] Re: ClamAV preprocessor patch against snort-2.2.0

Victor Julien victor at ...2603...
Wed Aug 18 01:05:07 EDT 2004

Hi Stephan,

Stephan wrote:
> Nice patch, but I have the problem that it scans the packets for viruses and
> not the reassembled stream. Is there any special configuration needed?

After some testing I found you are right. I think I found the problem:

In my setup there seem to be two things:

1. the clamav preproc needs to be directly after the stream4_reassemble 
preproc in the snort.conf file

2. also in the stream4_reassemble: try to use 'both'. In my setup the 
uber-packets contained no data otherwise.

Also be sure to read the README.clamav for known limitations...

> In my configuration it finds only viruses that are the size of a packet,
> like the Eicar-Test-Virus.

I just tested with the options as above, and it detects viruses like 
Sircam and Badtrans (thus bigger than eicar) and also detects in 

We'll add this to the documentation!

Can you let us know if it worked?
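
Added example, not part of the original message or of the patch: a small Python check that a snort.conf satisfies the two conditions described above (stream4_reassemble set to 'both', and the clamav preprocessor directly after it). The directive keyword `clamav` and the sample configurations are assumptions constructed for illustration.

```python
import re

# stream4_reassemble is the Snort 2.x directive named in the message.
# "clamav" as the directive keyword is an assumption (the message only
# says "clamav preproc").
REASM, CLAMAV = "stream4_reassemble", "clamav"

def preprocessors(conf_text):
    """Return [(name, args)] for each active preprocessor line, in file order."""
    joined = re.sub(r"\\\r?\n", " ", conf_text)  # join backslash continuations
    found = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("#"):  # commented-out directive
            continue
        m = re.match(r"preprocessor\s+([\w-]+)\s*(?::\s*(.*))?$", line)
        if m:
            found.append((m.group(1), (m.group(2) or "").strip()))
    return found

def check(conf_text):
    """Return a list of problems; an empty list means both conditions hold."""
    pre = preprocessors(conf_text)
    names = [name for name, _ in pre]
    if CLAMAV not in names:
        return ["clamav preprocessor not enabled"]
    if REASM not in names:
        return ["stream4_reassemble not enabled"]
    problems = []
    i = names.index(REASM)
    if "both" not in re.split(r"[,\s]+", pre[i][1]):
        problems.append("stream4_reassemble lacks 'both'")
    if i + 1 >= len(names) or names[i + 1] != CLAMAV:
        problems.append("clamav is not directly after stream4_reassemble")
    return problems

# Constructed sample configurations (not taken from the patch or its README).
GOOD = """\
preprocessor stream4: detect_scans
preprocessor stream4_reassemble: both
preprocessor clamav
"""
BAD = """\
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
# preprocessor clamav
preprocessor http_inspect: global
preprocessor clamav
"""

if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check(conf) or "ok")
```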

