[Snort-devel] Snort ClamAV Plugin

Rajkumar S. rajkumars at ...2891...
Sat Jul 29 12:11:03 EDT 2006


Hi,

At Bleeding Edge, there is a Snort ClamAV plugin, which is pretty
impressive, but what happens if the virus signature falls across 2
packets? Is there any mechanism available in the framework
which I can use to queue up the packets so that signatures
across packets can also be caught?

In the flow plugin docs it says "many of the stateful subsystems of
Snort will be migrated over to becoming flow plugins." but there is
not much documentation about using the flow plugin from the pov of a
preprocessor author. Can I use flow to get the last n packets seen in
a particular connection?

Also, is it possible to call some post-detection rule actions from a
preprocessor? To be more precise, is it possible to call flexresp from
the clamav preprocessor so that I can close the connection if a virus is
detected?

Any hints or general directions on my above questions will be much
appreciated,

with warm regards,

raj
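
The cross-packet problem raised above, as an added illustration (not code from the Bleeding Edge plugin or from Snort): a stateless per-packet scan misses a signature whose bytes straddle two packets, while keeping the last `SIG_LEN-1` bytes of the previous packet per flow lets the same matcher see the straddled bytes. The signature string, the packet payloads and the 1500-byte demo buffer bound are constructed assumptions; a real deployment would scan on top of the stream reassembler rather than on raw packets.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample signature; not a real ClamAV signature. */
static const char SIG[] = "EICAR-TEST";
#define SIG_LEN (sizeof(SIG) - 1)
#define MAX_PAYLOAD 1500  /* demo bound on one packet's payload (assumption) */

/* Stateless scan: looks for SIG inside a single packet only. */
int scan_packet(const char *data, size_t len) {
    if (len < SIG_LEN) return 0;
    for (size_t i = 0; i + SIG_LEN <= len; i++)
        if (memcmp(data + i, SIG, SIG_LEN) == 0) return 1;
    return 0;
}

/* Per-flow state: the tail of the previous packet that could still be
   the beginning of a signature (at most SIG_LEN-1 bytes). */
typedef struct {
    char tail[SIG_LEN - 1];
    size_t tail_len;
} flow_state;

/* Stateful scan: prepend the carried tail so a match that straddles the
   packet boundary becomes visible, then retain the new tail for next time.
   Payloads longer than MAX_PAYLOAD are truncated here purely to bound the
   demo buffer; a real scanner must not silently drop bytes. */
int scan_stream(flow_state *st, const char *data, size_t len) {
    char buf[SIG_LEN - 1 + MAX_PAYLOAD];
    size_t n = st->tail_len;
    if (len > MAX_PAYLOAD) len = MAX_PAYLOAD;
    memcpy(buf, st->tail, st->tail_len);
    memcpy(buf + n, data, len);
    n += len;
    int hit = scan_packet(buf, n);
    size_t keep = n < SIG_LEN - 1 ? n : SIG_LEN - 1;
    memcpy(st->tail, buf + n - keep, keep);
    st->tail_len = keep;
    return hit;
}

/* Constructed case: the signature split as "EICAR-" / "TEST" across two
   packets of one flow. Returns 1 when the stateless scan misses it and the
   stateful scan catches it, 0 otherwise. */
int demo_split_detected(void) {
    const char *p1 = "GET /x HTTP/1.0\r\n\r\nEICAR-";
    const char *p2 = "TEST rest of body";
    flow_state st = {{0}, 0};
    int stateless = scan_packet(p1, strlen(p1)) || scan_packet(p2, strlen(p2));
    int stateful = scan_stream(&st, p1, strlen(p1)) | scan_stream(&st, p2, strlen(p2));
    return stateless == 0 && stateful == 1;
}
```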
