[Snort-devel] Snort 2.3.3 and ClamAV.
chris at ...2315...
Mon May 9 03:09:29 EDT 2005
Hi William, All,
Toying around with Snort v2.3.3 and ClamAV from bleedingsnort.com.
I've got things working, and with a debug build of Snort I can see
ClamAV scanning packets; it's just that every packet comes up clean.
Even when fetching known malware that clamscan on the same box
recognizes, using the same DB files.
Tried using both file-descriptor-mode and without.
Does Snort+ClamAV put the streams back together to scan? Looking at the
debug output leads me to believe it scans "packets" as opposed to "streams",
but that's just a guess.
I'm just wondering if by presenting fragments of the malware to the
cl_scan* functions it doesn't fully match?
Anyone have similar experiences?
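The straddling problem the question raises, as an added example that is not part of the original post and is not Snort or ClamAV code: a small Python model in which a stand-in for a cl_scan*-style call is run once per TCP segment and once over the reassembled stream. The "download" is a constructed HTTP response carrying the EICAR test string; the segment sizes, the `Segment` type and the `reassemble` helper are all assumptions made here for illustration. It does not settle whether Snort's stream reassembly output reaches the ClamAV preprocessor; it only shows why a signature split across segment boundaries cannot match when each segment is scanned in isolation, and why reassembly (including out-of-order and duplicate segments) restores the match.

```python
# Added example (not code from the original post or from the Snort/ClamAV
# projects): why per-packet scanning can miss a signature that straddles
# segment boundaries, and how stream reassembly restores the match.
from dataclasses import dataclass

# EICAR anti-virus test string: a standard, harmless detection test.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed HTTP response carrying the test string in its body.
PAYLOAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(EICAR)).encode() + b"\r\n\r\n"
    + EICAR
)


def scan_bytes(data: bytes, signature: bytes = EICAR) -> bool:
    """Stand-in for a cl_scan*-style call: True if the signature appears in data."""
    return signature in data


@dataclass
class Segment:
    seq: int     # sequence number relative to the first byte of the stream
    data: bytes


def segmentize(payload: bytes, mss: int) -> list[Segment]:
    """Split a payload into MSS-sized TCP segments, as a sender would."""
    return [Segment(off, payload[off:off + mss])
            for off in range(0, len(payload), mss)]


def scan_per_packet(segments: list[Segment]) -> bool:
    """Per-packet scanning: every segment is handed to the scanner on its own,
    so a signature that starts in one segment and ends in the next never
    appears whole in any single scan."""
    return any(scan_bytes(seg.data) for seg in segments)


def reassemble(segments: list[Segment]) -> bytes:
    """Order segments by sequence number and join contiguous data.
    Overlapping or duplicate segments are trimmed to the bytes not yet seen;
    a hole (missing segment) stops reassembly at the gap."""
    out = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > len(out):       # gap in the stream: cannot continue past it
            break
        skip = len(out) - seg.seq    # bytes already present from an earlier segment
        out += seg.data[skip:]
    return bytes(out)


def scan_stream(segments: list[Segment]) -> bool:
    """Stream scanning: reassemble first, then scan the whole stream once."""
    return scan_bytes(reassemble(segments))


if __name__ == "__main__":
    small = segmentize(PAYLOAD, 64)   # signature split across segments 2 and 3
    print("per-packet scan, 64-byte segments:", scan_per_packet(small))
    print("stream scan, 64-byte segments:    ", scan_stream(small))
    print("stream scan, segments reordered:  ", scan_stream(small[::-1]))
    print("stream scan, one segment missing: ", scan_stream(small[::2]))
    print("per-packet scan, 1460-byte MSS:   ", scan_per_packet(segmentize(PAYLOAD, 1460)))
```

The 64-byte case is the one the post describes: every segment is individually clean, yet clamscan on the saved file matches, because only the reassembled stream contains the whole signature. With a large MSS the entire body fits in one segment and the per-packet scan happens to succeed, which is why a test with a small file can give a misleading all-clear.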