[Snort-users] Anti Virus on Linux?
mkettler at ...4108...
Mon Jan 27 12:06:12 EST 2003
Well, there's no good reason to run an AV product on a Linux snort box,
since all of the virus scanners that run on Linux focus on use in
detecting Windows viruses as they pass through your server.
With a Linux snort box I'd be more worried about intrusion prevention than
viruses (i.e. lock your box down, use grsecurity's kernel patch with a true
non-executable stack and ACLs, shut down services you don't absolutely
need, disable loadable module support in the kernel, etc. etc.).
Most Linux "virus" infections are actually worms that penetrate the server
via bind, sendmail or Apache bugs, and usually ones that have been fixed for
at least a month. Thus a well secured system which is properly patched and
maintained will have a very low infection rate.
As far as detecting an infection, Tripwire-type systems, if carefully
implemented so that nobody can simply replace the Tripwire database or
program, go a long way as far as detecting anomalies in the system,
including both hackers and worms. This will probably do a better job than
any virus-signature based scan of the system can do. (Personally I prefer
to use Aide coupled with GPG, both binaries statically linked and mounted
on write-protected media like a CDR along with the gpg keyring, and use
GPG to sign my aide database. It's not perfect, but having a sealed kernel
with unwritable /dev/kmem and no loadable module support makes most attacks
on this setup, such as syscall interception, very difficult.)
If you still want a virus scanner which runs on Linux, here are a few I can
think of, based on some research I did when setting up an MTA-side email
virus scanner on a Linux box:
Sophos - this is a pricey option, but their virus def files are updated at
a very impressive rate relative to when new viruses hit the net.
F-Prot by Frisk Software - there's a "small business" version which is a
command-line scanner, and an "enterprise" version which stays memory
resident. The small-business version is quite reasonably priced (approx. $500)
if I remember right.
CommandAV, F-Secure - these are more or less resellers of the F-Prot engine
with their own front ends.
There are some others out there that make Linux versions too that I've not
tinkered with: Kaspersky, McAfee. There are probably others too.
ClamAV is a 100% free open-source product, but def file updates are a bit
slower due to the volunteer basis of the work.
At 12:32 PM 1/27/2003 -0600, Bob McDowell wrote:
>This isn't exactly confined to snort, but what do you guys run for
>AntiVirus on your Linux-based snort boxes? I understand that there are
>some 'free for non-commercial use' options out there, but I'm looking for
>a good commercial product - if there is one. If not, anything is better
>than nothing. Isn't it? Unless of course there is some reason not to run
>AV on a snort box...
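The Aide-plus-GPG scheme described in the reply above, as an added example that is not part of the original message or of AIDE itself: a minimal integrity checker that hashes a file tree, seals the baseline with an HMAC (standing in for the GPG signature; the key, the sample files and their names are constructed), reports added, removed and changed files, and refuses a baseline that was regenerated without the key.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def scan_tree(root):
    """Baseline: relative path -> [sha256, size, mode] for every regular file."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(path, root)] = [digest, st.st_size, st.st_mode]
    return db

def seal(db, key):
    """Serialise the baseline and attach an HMAC (stand-in for the GPG signature)."""
    body = json.dumps(db, sort_keys=True).encode()
    return body, hmac.new(key, body, "sha256").hexdigest()

def load_sealed(body, tag, key):
    """Return the baseline only if its authenticator verifies; otherwise None."""
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        return None  # database was replaced or edited: do not trust it
    return json.loads(body)

def compare(baseline, current):
    """Report files that appeared, vanished or changed since the baseline."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)), "changed": changed}

def demo():
    key = b"constructed-demo-key"  # the post keeps the real key on read-only media
    with tempfile.TemporaryDirectory() as root:  # constructed sample filesystem
        Path(root, "bin").mkdir()
        Path(root, "bin", "ls").write_bytes(b"original binary")
        Path(root, "passwd").write_bytes(b"root:x:0:0\n")
        body, tag = seal(scan_tree(root), key)
        # simulate a worm: one binary replaced, one unexpected file dropped
        Path(root, "bin", "ls").write_bytes(b"replaced binary")
        Path(root, "unknown.ko").write_bytes(b"x")
        report = compare(load_sealed(body, tag, key), scan_tree(root))
        # an attacker regenerating the database without the key is caught
        forged = json.dumps(scan_tree(root), sort_keys=True).encode()
        forged_rejected = load_sealed(forged, tag, key) is None
    return report, forged_rejected

if __name__ == "__main__":
    print(demo())
```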