[Snort-devel] Snort 2.3.3 and ClamAV.

Chris Keladis chris at ...2315...
Mon May 9 03:09:29 EDT 2005


Hi William, All,

Toying around with Snort v2.3.3 and ClamAV from bleedingsnort.com.

I've got things working, and with a debug build of Snort I can see 
ClamAV scanning packets, it's just every packet comes up clean.

Even when fetching known malware that clamscan on the same box 
recognizes, using the same DB files.

Tried using both file-descriptor-mode and without.

Does Snort+ClamAV put the streams back together to scan? Looking at the 
debug output leads me to believe it scans "packets" as opposed to 
"streams", but that's just a guess.

I'm just wondering if by presenting fragments of the malware to the 
cl_scan* functions it doesn't fully match?

Anyone have similar experiences?

Cheers,

Chris.
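The hypothesis in the message above (a signature that spans several TCP segments is never seen whole by a per-packet scanner, but is seen by a scanner that is handed the reassembled stream) can be demonstrated without ClamAV at all. The following is an added example, not code from the original post, from Snort or from the bleedingsnort ClamAV preprocessor: a plain substring matcher stands in for the cl_scan* calls, the "signature database" holds only the harmless EICAR test string, the HTTP response carrying it is constructed inline, and `segment()` plays the role of the network splitting the response into segments of an assumed maximum segment size.

```python
"""Per-packet scanning vs. stream-reassembled scanning.

Added illustration of why a signature that a whole-file scanner (clamscan)
matches can be missed when the same bytes are presented one TCP segment at
a time. The 'scanner' below is a stand-in substring matcher, NOT libclamav;
the traffic is constructed, not captured.
"""
from typing import Dict, List

# The EICAR anti-virus test string: 68 bytes, detected by every AV engine,
# harmless. It is the only entry in our stand-in signature database.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES: Dict[str, bytes] = {"Eicar-Test-Signature": EICAR}


def scan_buffer(buf: bytes) -> List[str]:
    """Stand-in for cl_scanbuff(): names of every signature found in buf."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in buf)


def segment(payload: bytes, mss: int) -> List[bytes]:
    """Split an application-layer payload into TCP-segment-sized pieces,
    the way the wire would present it to a packet-oriented preprocessor."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def scan_per_packet(segments: List[bytes]) -> List[str]:
    """Scan every segment on its own (no reassembly) and union the hits."""
    hits = set()
    for seg in segments:
        hits.update(scan_buffer(seg))
    return sorted(hits)


def scan_reassembled(segments: List[bytes]) -> List[str]:
    """Reassemble the stream first, then scan it once."""
    return scan_buffer(b"".join(segments))


def build_response() -> bytes:
    """Constructed HTTP/1.1 response whose body is the EICAR test file."""
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: %d\r\n"
        b"\r\n" % len(EICAR)
    )
    return headers + EICAR


def demo(mss: int = 40) -> Dict[str, object]:
    """Scan the same response both ways at an assumed segment size.

    With the default mss of 40 the 147-byte response arrives as 4 segments
    and the 68-byte signature straddles two of them, so per-packet scanning
    sees nothing while the reassembled scan matches.
    """
    segments = segment(build_response(), mss)
    return {
        "segments": len(segments),
        "per_packet": scan_per_packet(segments),
        "reassembled": scan_reassembled(segments),
    }


if __name__ == "__main__":
    for mss in (40, 1460):
        print(f"mss={mss}: {demo(mss)}")
```

Run it and compare the two dictionaries: at a small segment size the per-packet result is empty and the reassembled result names the signature; with an mss large enough to carry the whole response in one segment both agree. The same miss happens at any mss whenever a signature happens to cross a segment boundary, which is why a preprocessor that scans individual packets rather than reassembled streams will pass traffic that clamscan flags on disk.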