[Snort-devel] Snort ClamAV Plugin

Victor Julien victor at ...2603...
Sat Jul 29 12:20:06 EDT 2006

Rajkumar S. wrote:
> Hi,
> At Bleeding edge, there is a Snort ClamAV plugin, which is pretty  
> impressive, but what happens if the virus signatures fall across 2  
> packets? Is there any machinism that is available in the frame work  
> which I can use to queue up the packets in a queue so that signatures  
> across packets can also be caught?

Yes, if you enable stream4+stream4_reassemble and put the clamav config 
underneath that config, clamav will scan the reassembled stream as well.

> In the flow plugin docs it says "many of the stateful subsystems of  
> Snort will be migrated over to becoming flow plugins." but there are  
> not much docs about using flow plugin from the pov of a preprocessor  
> author. Can I use flow to get last n packets seen in a particular  
> connection?

I don't think so, not sure though.

> Also is it possible to call some post detection rule actions from  
> preprocessor. To be more precise, is it possible to call flexresp from  
> clamav preprocessor so that I can close the connection if a virus is  
> detected?

ClamAV implements the reset response, but i think it only works when 
running in inline mode... it's not possible to use the flexresp2 actions 
for that.


> Any hints of general directions to my above questions will be much  
> appreciated,
> with warm regards,
> raj
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

More information about the Snort-devel mailing list