[Snort-users] deploying ClamAV with Snort IDS

Jason Haar Jason.Haar at ...294...
Mon Feb 1 14:48:56 EST 2010

On 02/02/2010 06:46 AM, Will Metcalf wrote:
> If you are interested in stopping viruses in http/ftp traffic with
> ClamAV I suggest you have a look at HAVP.  They do this better than we
> did, the problem being that ClamAV expects a file so unless you do
> some serious work writing protocol dissectors to hand it something in
> a format it expects, most of the time it will only find viruses in
> protocols where the file starts at the beginning of the payload i.e.
> (no application headers present).  We add some rudimentary support for
> http but HAVP is way more robust.

havp is great. If you have squid inline (ie the squid server is the
router) or transparently inline (ie you configure your default route to
redirect port 80 traffic to your proxy) then it equates to inline snort
+ AV for HTTP. (btw, havp does NOT support FTP - nor HTTPS - but the
latter should be obvious). Also, it supports many AVs - not just clamAV


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list