[Snort-devel] Snort ClamAV Plugin

Derek Schuff dschuff at ...2893...
Sat Jul 29 12:21:43 EDT 2006


On Saturday 29 July 2006 12:11 pm, Rajkumar S. wrote:
> Hi,
>
> At Bleeding edge, there is a Snort ClamAV plugin, which is pretty
> impressive, but what happens if the virus signatures fall across 2
> packets? Is there any mechanism that is available in the framework
> which I can use to queue up the packets in a queue so that signatures
> across packets can also be caught?

This is what stream4 is for. If stream4 is enabled, I believe the default 
behavior is basically that all the TCP packets get inspected twice, once by 
themselves and once as part of the stream when it gets flushed and 
reassembled.

>
> In the flow plugin docs it says "many of the stateful subsystems of
> Snort will be migrated over to becoming flow plugins." but there are
> not much docs about using flow plugin from the pov of a preprocessor
> author. Can I use flow to get last n packets seen in a particular
> connection?

I think that particular piece of documentation is quite old. The code, at 
least, is several years old in CVS. In fact, now that stream uses a hash 
table almost exactly like flow's, it wouldn't surprise me if the functionality 
currently done in the flow preprocessor (really just flowbits) gets rolled into 
stream5.

>
> Also is it possible to call some post detection rule actions from
> preprocessor. To be more precise, is it possible to call flexresp from
> clamav preprocessor so that I can close the connection if a virus is
> detected?

I think so, although I don't know the specifics of flexresp. But preprocessors 
do alerts (see spp_stream4.c), so I can't see any reason why not flexresp as 
well.

-derek
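Added illustration of the stream4 point above (this is example code, not code from Snort, the Bleeding Edge ClamAV plugin, or anyone in this thread): a scan that looks at each TCP segment on its own misses a signature split across two segments, while a per-flow reassembly buffer catches it. The flow tuple, sequence numbers and the HTTP response payload are constructed for the example; the signature is the standard EICAR anti-virus test string, and the reassembly logic is a deliberately small stand-in for what stream4 does.

```python
# Added example, not Snort or ClamAV plugin code: contrast scanning each TCP
# segment on its own with scanning the reassembled stream, which is the job
# stream4 does in Snort. Flow tuple, sequence numbers and payloads below are
# constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    flow: tuple      # (src_ip, src_port, dst_ip, dst_port), constructed
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


# The EICAR anti-virus test string: a harmless pattern every AV engine detects.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURE = EICAR

# Constructed flow and payload: an HTTP response carrying the test string,
# split across two segments at byte 30 of the signature and delivered out of order.
FLOW = ("10.0.0.5", 40123, "192.0.2.10", 80)
HEADER = b"HTTP/1.1 200 OK\r\n\r\n"
SPLIT = 30
SEGMENTS = [
    Segment(FLOW, 1000 + len(HEADER) + SPLIT, EICAR[SPLIT:] + b"\r\n"),
    Segment(FLOW, 1000, HEADER + EICAR[:SPLIT]),
]


def per_packet_scan(segments, signature):
    """Flows where the signature lies entirely inside a single segment payload."""
    return {s.flow for s in segments if signature in s.payload}


def reassemble(segments):
    """Join each flow's payload in sequence order.

    Out-of-order segments are sorted, retransmitted or overlapping bytes are
    dropped, and reassembly stops at a gap instead of gluing non-adjacent data
    together (a hole must not create a false match). Real stream4 also handles
    flush points, sequence wraparound and timeouts; those are omitted here.
    """
    by_flow = {}
    for s in segments:
        by_flow.setdefault(s.flow, []).append(s)
    streams = {}
    for flow, segs in by_flow.items():
        segs.sort(key=lambda s: s.seq)
        buf = bytearray()
        expected = segs[0].seq
        for s in segs:
            if s.seq > expected:
                break                      # gap: data still missing
            overlap = expected - s.seq     # 0 for an in-order segment
            fresh = s.payload[overlap:]    # empty for a pure retransmission
            buf += fresh
            expected += len(fresh)
        streams[flow] = bytes(buf)
    return streams


def stream_scan(segments, signature):
    """Flows where the signature appears in the reassembled byte stream."""
    return {flow for flow, data in reassemble(segments).items() if signature in data}


if __name__ == "__main__":
    print("per-packet hits:", per_packet_scan(SEGMENTS, SIGNATURE))   # -> set()
    print("stream hits:    ", stream_scan(SEGMENTS, SIGNATURE))       # -> {FLOW tuple}
```

Run it as-is: the per-packet scan reports nothing for the split signature, the stream scan reports the flow. The gap rule matters for a preprocessor author: if a segment is lost, concatenating the surviving pieces can manufacture a byte sequence that never crossed the wire, so the buffer refuses to match across the hole until the missing data arrives.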