[Snort-devel] Snort 2.3.3 and ClamAV.

Victor Julien victor at ...2603...
Mon May 9 23:35:36 EDT 2005


Chris Keladis wrote:
> Hi William, All,
> 
> Toying around with Snort v2.3.3 and ClamAV from bleedingsnort.com.
> 
> I've got things working, and with a debug build of Snort i can see
> ClamAV scanning packets, it's just every packet comes up clean.
> 
> Even when fetching known malware that clamscan on the same box
> recognizes, using the same DB files.
> 
> Tried using both file-descriptor-mode and without.
> 
> Does Snort+ClamAV put the streams back together to scan? Looking at the
> debug output leads me to believe it scans "packets" opposed to "streams"
>  but that's just a guess.

If you put the clamav preprocessor config in the snort.conf file after
stream4 and stream4_reassemble, the reassembled stream is also scanned.

> I'm just wondering if by presenting fragments of the malware to the
> cl_scan* functions it doesn't fully match?

In my experience, the cl_clam* functions can still detect viruses in the
fragments. Note however that due to the nature of the scanner, we scan
only raw and incomplete data. So there is no mime decoding, unzipping,
or any other preprocessing of the data. Still, I can catch (and block in
inline mode) viruses in Msn, Smb, Imap, Pop3, Ftp, Http. Maybe not all
of them, but I see it as an extra layer of protection, an addition to
the antivirus rules.

We have had a problem before with the clamav preprocessor in the
snort.conf placed after http_inspect. For some reason clamav didn't work
anymore. Can you make sure it is above http_inspect and below
stream4(_reassemble)?

Regards,
Victor
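The ordering constraint Victor describes (clamav after stream4 and stream4_reassemble, before http_inspect) is easy to get wrong when editing a long snort.conf. The following is an added example, not code from the thread or from the Snort or ClamAV projects: a small checker that reads the preprocessor declarations in order and reports any placement that violates that rule. The two snort.conf fragments are constructed sample input; the preprocessor names are those named in the thread.

```python
import re

# Constructed sample snort.conf fragments (not taken from the thread).
# BAD_CONF declares clamav after http_inspect, the layout Victor reports
# as broken; GOOD_CONF has the order he recommends.
BAD_CONF = """\
preprocessor stream4: detect_scans
preprocessor stream4_reassemble: both
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor clamav
"""

GOOD_CONF = """\
preprocessor stream4: detect_scans
preprocessor stream4_reassemble: both
preprocessor clamav
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
"""

# Matches "preprocessor <name>" at the start of a line; options after
# the colon are ignored because only the declaration order matters here.
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)", re.MULTILINE)


def preprocessor_order(conf_text):
    """Return preprocessor names in the order snort.conf declares them."""
    return PREPROC_RE.findall(conf_text)


def check_clamav_placement(conf_text):
    """Return a list of ordering problems for the clamav preprocessor.

    Per the thread: clamav must come after stream4 and stream4_reassemble
    (so the reassembled stream is scanned, not just single packets) and
    before http_inspect. An empty list means the order is as recommended.
    """
    order = preprocessor_order(conf_text)
    if "clamav" not in order:
        return ["clamav preprocessor not configured"]
    clam = order.index("clamav")
    problems = []
    for dep in ("stream4", "stream4_reassemble"):
        if dep not in order:
            problems.append(f"{dep} missing: clamav will only see single packets")
        elif order.index(dep) > clam:
            problems.append(f"clamav is declared before {dep}")
    if "http_inspect" in order and order.index("http_inspect") < clam:
        problems.append("clamav is declared after http_inspect")
    return problems
```

Running `check_clamav_placement` over your own snort.conf text returns an empty list when the clamav line sits in the recommended position.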
