[Snort-devel] Re: Snort 2.3.3 and ClamAV.

Will Metcalf william.metcalf at ...2499...
Wed May 11 21:41:48 EDT 2005


Make sure that you initialize the ClamAV preprocessor after stream4
and before http_inspect in your snort.conf. The http_inspect preproc
toys with p->dsize which is bad for Clam.  If you are using Eicar it
will not work because the clam group recently rewrote the signature to
scan for the eicar sig at the beginning of the file/buffer/fd. 
Problem we run into is with all of the http protocol crap.  Victor and
I were talking about writing a protocol dissector to strip that stuff
out.

Regards,

Will

On 5/9/05, Chris Keladis <chris at ...2315...> wrote:
> Hi William, All,
> 
> Toying around with Snort v2.3.3 and ClamAV from bleedingsnort.com.
> 
> I've got things working, and with a debug build of Snort i can see
> ClamAV scanning packets, it's just every packet comes up clean.
> 
> Even when fetching known malware that clamscan on the same box
> recognizes, using the same DB files.
> 
> Tried using both file-descriptor-mode and without.
> 
> Does Snort+ClamAV put the streams back together to scan? Looking at the
> debug output leads me to believe it scans "packets" opposed to "streams"
> but that's just a guess.
> 
> I'm just wondering if by presenting fragments of the malware to the
> cl_scan* functions it doesn't fully match?
> 
> Anyone have similar experiences?
> 
> Cheers,
> 
> Chris.
>
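The two effects Will describes (a signature that only matches at the start of the scanned buffer, and HTTP header bytes sitting in front of the body) together with Chris's question about scanning packets versus reassembled streams, as an added Python model that is not code from this thread, from Snort or from ClamAV. The signature bytes and the HTTP response are constructed stand-ins, and anchored_scan is a toy matcher, not cl_scan*.

```python
# Added example, not code from the thread or from Snort/ClamAV. It models a
# signature that must sit at offset 0 of the scanned buffer (as the post says
# the rewritten EICAR signature does) and shows why per-packet scanning and an
# unstripped HTTP header both cause a miss. The signature is a constructed
# stand-in, not a real ClamAV signature.

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-NOT-REAL"  # constructed, 35 bytes

def anchored_scan(buf: bytes) -> bool:
    """Toy matcher: the signature has to be at the very start of the buffer."""
    return buf.startswith(SIGNATURE)

def strip_http_headers(stream: bytes) -> bytes:
    """Return the HTTP body, i.e. everything after the first CRLFCRLF.
    A stream with no header terminator is returned unchanged."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else stream

def fragment(stream: bytes, size: int) -> list:
    """Split a stream into fixed-size chunks, as single packets would carry it."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]

def scan_per_packet(stream: bytes, size: int) -> bool:
    """Scan each fragment alone, as a preprocessor seeing one packet at a time would."""
    return any(anchored_scan(pkt) for pkt in fragment(stream, size))

def scan_reassembled(stream: bytes) -> bool:
    """Scan the reassembled stream with the HTTP header still in front."""
    return anchored_scan(stream)

def scan_body(stream: bytes) -> bool:
    """Scan the reassembled stream after the HTTP header has been stripped."""
    return anchored_scan(strip_http_headers(stream))

# Constructed HTTP response whose body is exactly the stand-in signature.
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: 35\r\n\r\n" + SIGNATURE)

if __name__ == "__main__":
    print("per-packet (8-byte fragments):", scan_per_packet(RESPONSE, 8))  # False
    print("reassembled, header kept:     ", scan_reassembled(RESPONSE))    # False
    print("reassembled, header stripped: ", scan_body(RESPONSE))           # True
```

Only the third case matches, which is the ordering the reply asks for: reassemble first (stream4), scan a body with the HTTP framing removed, and do it before http_inspect alters p->dsize.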



