[Snort-users] deploying ClamAV with Snort IDS

Randal T. Rioux randy at ...13561...
Mon Feb 1 13:03:07 EST 2010


Indeed, HAVP is far better suited (best with Squid in a parent-proxy
configuration). I just set this up not too long ago:

http://www.procyonlabs.com/guides/linux/slackware/squid_guard_havp

Randy


On Mon, February 1, 2010 12:46 pm, Will Metcalf wrote:
> If you are interested in stopping viruses in http/ftp traffic with ClamAV
> I suggest you have a look at HAVP.  They do this better than we did, the
> problem being that ClamAV expects a file so unless you do some serious
> work writing protocol dissectors to hand it something in a format it
> expects, most of the time it will only find viruses in protocols where
> the file starts at the beginning of the payload i.e. (no application
> headers present).  We add some rudimentary support for http but HAVP is
> way more robust.
>
> Regards,
>
> Will
>
> On Mon, Feb 1, 2010 at 11:24 AM, Alan Brennan
> <alanbrennan1 at ...11827...>wrote:
>
>> Hi guys,
>>
>> I wish to deploy Snort in IDS mode (sitting off a tap), but I also want
>> to have detection of viruses, spyware, malware, etc.
>>
>> Apparently it is possible to integrate the Clam AntiVirus system with
>> Snort.
>>
>> However, does Snort have to be deployed in Inline (IPS) mode to avail
>> of the ClamAV preprocessor? Can I install ClamAV when Snort is running
>> in passive/IDS mode?
>>
>> Also, can the ClamAV module be used not only to detect viruses or malicious
>> code but also to drop/block these viruses?
>>
>> Thanking you in advance.
>>
>> Alan
>>
>>
>> -----------------------------------------------------------------------
>> ------- The Planet: dedicated and managed hosting, cloud storage,
>> colocation Stay online with enterprise data centers and the best
>> network in the business Choose flexible plans and management services
>> without long-term contracts Personal 24x7 support from experience
>> hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
>> _______________________________________________ Snort-users mailing
>> list Snort-users at lists.sourceforge.net Go to this URL to change user
>> options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0A
>> Snort-users>list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
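The point Will makes above, that a file scanner only matches when the file's bytes start at offset 0 and therefore needs a protocol dissector in front of it, as an added Python example that is not code from the thread, Snort, ClamAV or HAVP: a constructed, offset-anchored test signature is matched against a constructed HTTP response, once on the raw payload (headers at offset 0, no match) and once after a minimal HTTP dissector (header stripping plus chunked-encoding decode) hands over just the transferred file. The signature, response and function names are all assumptions made for this example.

```python
# Constructed, offset-anchored test signature: (name, offset, bytes). It stands
# in for a real scanner's signature database and is not a real malware signature.
SIGNATURES = [("test.sample-file", 0, b"SAMPLE-BAD-FILE")]

def scan_bytes(data: bytes) -> list:
    """Match signatures against data as if it were a whole file starting at offset 0."""
    return [name for name, off, sig in SIGNATURES if data[off:off + len(sig)] == sig]

def dechunk(body: bytes) -> bytes:
    """Decode HTTP/1.1 chunked transfer encoding back into the original file bytes."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # hex chunk size; drop extensions
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2  # step over the chunk data and its trailing CRLF

def http_response_body(payload: bytes) -> bytes:
    """Minimal HTTP response dissector: strip status line and headers, undo chunking."""
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # element [0] is the status line
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        return dechunk(body)
    length = headers.get(b"content-length")
    return body[:int(length)] if length else body

# Constructed HTTP response delivering the test file in two chunks.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"7\r\nSAMPLE-\r\n"
    b"8\r\nBAD-FILE\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    # Raw payload: the status line sits at offset 0, so the signature misses.
    print("raw payload:", scan_bytes(RESPONSE))                      # []
    # Dissected: only the file bytes are scanned, so it matches.
    print("dissected:  ", scan_bytes(http_response_body(RESPONSE)))  # ['test.sample-file']
```

A real deployment still has to cope with content encodings such as gzip and with files split across many packets, which is the "serious work" the reply refers to.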
