[Snort-users] deploying ClamAV with Snort IDS

Will Metcalf william.metcalf at ...11827...
Mon Feb 1 15:01:18 EST 2010


Hmmm, I thought HAVP did support ftp when placed inside of a squid sandwich,
although maybe this is incorrect.

Regards,

Will

On Mon, Feb 1, 2010 at 1:48 PM, Jason Haar <Jason.Haar at ...294...> wrote:

> On 02/02/2010 06:46 AM, Will Metcalf wrote:
> > If you are interested in stopping viruses in http/ftp traffic with
> > ClamAV I suggest you have a look at HAVP.  They do this better than we
> > did, the problem being that ClamAV expects a file so unless you do
> > some serious work writing protocol dissectors to hand it something in
> > a format it expects, most of the time it will only find viruses in
> > protocols where the file starts at the beginning of the payload i.e.
> > (no application headers present).  We add some rudimentary support for
> > http but HAVP is way more robust.
> >
>
> havp is great. If you have squid inline (ie the squid server is the
> router) or transparently inline (ie you configure your default route to
> redirect port 80 traffic to your proxy) then it equates to inline snort
> + AV for HTTP. (btw, havp does NOT support FTP - nor HTTPS - but the
> latter should be obvious). Also, it supports many AVs - not just ClamAV.
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
>
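
The point made in the quoted message, that a file scanner only sees the file once a protocol dissector has stripped the application headers and undone the transfer encodings, as an added example (not code from this thread, Snort, HAVP or ClamAV). `toy_scan`, `SIGNATURE` and the sample response are constructed stand-ins; the scanner models only a signature anchored at the start of a file, and only HTTP is handled.

```python
import gzip

# Constructed stand-in signature; not a real malware or ClamAV signature.
SIGNATURE = b"TEST-SIGNATURE-FILE"

def toy_scan(data: bytes) -> bool:
    """Stand-in scanner: matches only when the 'file' starts at offset 0."""
    return data.startswith(SIGNATURE)

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        start = eol + 2
        if start + size > len(body):
            raise ValueError("truncated chunk")
        out += body[start:start + size]
        pos = start + size + 2  # skip chunk data and its trailing CRLF

def extract_http_body(raw: bytes) -> bytes:
    """Strip the application headers and undo transfer/content encodings."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    elif b"content-length" in headers:
        body = body[:int(headers[b"content-length"])]
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body

def build_sample() -> bytes:
    """Constructed HTTP response: gzip-compressed file sent in two chunks."""
    gz = gzip.compress(SIGNATURE + b" rest of file")
    parts = [gz[:10], gz[10:]]
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + chunks)
```

Scanning the raw stream misses the file because the status line, headers, chunk framing and gzip layer all sit in front of it; scanning the output of `extract_http_body` finds it.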

