[Snort-users] ClamAV preprocessor

William Metcalf William_Metcalf at ...8458...
Fri Aug 27 05:42:45 EDT 2004






http://sourceforge.net/tracker/index.php?func=detail&aid=1011054&group_id=78497&atid=553469


                                                                       
"Sam Evans" <sam at ...12337...m>
08/24/2004 08:46 AM

To: "Victor Julien" <victor at ...12319...>
cc: "Jason Haar" <jason.haar at ...294...>, snort-users at lists.sourceforge.net, "William Metcalf" <william_metcalf at ...8458...>
Subject: Re: [Snort-users] ClamAV preprocessor




Wow, this sounds really cool!  I didn't see a download link, but we could
offer up some of our sensors and heavy network traffic for testing.

-Sam


Victor Julien said:
> Hi Jason,
>
> On Tuesday 24 August 2004 02:53, Jason Haar wrote:
>> On Tue, Aug 17, 2004 at 11:09:14PM -0500, William Metcalf wrote:
>> > I know that some folks don't think that doing virus detection with
>> > an IDS is a good idea, but Victor Julien and I have developed a
>> > preprocessor that can detect virus activity in network traffic, using a
>> > clamav c function and the clamav virus database.  On to the preproc, you
>> > can enable
>>
>> Wow - freaky!
>
> :-)
>
>>
>> Have you got any stats on how such a preprocessor affects Snort?
>>
>> e.g. how much more CPU/memory load, FP rates, etc.
>>
>
> No, although with no hard data I can say the load seems to be ok.
>
>> As far as FP rates go, I mean as it's "just" an AV preprocessor (now
>> there's an understatement!), I assume it isn't also a SMB preprocessor -
>> so it isn't translating raw network data back into files before letting
>> ClamAV loose on it
>
> You are correct.
>
>> - so the chances for FP must be higher due to that.
>
> Well, maybe you are right, but I'm running it for a few weeks now, and
> haven't seen any FP. But this is one thing we need to find out by heavy
> testing :-).
>
> Regards,
> Victor
>
>
