[Snort-users] Integrating ClamAv into Snort

Jeremy Hoel jthoel at ...11827...
Tue Feb 12 15:33:28 EST 2013


It seems the development for OpenFPC has stalled.. there hasn't been a
lot of movement with it.  That being said, when it works and the queue
agent is listening, it's awesome.

On Tue, Feb 12, 2013 at 8:25 PM, Ayodele Okeowo <aymacro at ...11827...> wrote:
> Thanks Shawn. While I was waiting for the reply, I went through their sites
> and they both look interesting. However, I've been hearing about OpenFPC
> maybe it's something I will look into. Hopefully RazorBack will have full
> documentation on how to integrate it into Snort.
>
> I really appreciate your response and showing me some new stuff I've never
> heard of today. A new learning curve.
>
> Ayo
>
>
> On Tue, Feb 12, 2013 at 1:58 PM, Jefferson, Shawn
> <Shawn.Jefferson at ...14448...> wrote:
>>
>> Basically, both products are essentially monitoring systems that can carve
>> out specific things from your network streams, like downloaded files, and
>> these can then be run through ClamAV or other executable checking tools.
>> Personally, I don’t use them, but I carve out specific files that were
>> alerted on by Snort (I’m running StreamDB and OpenFPC), and analyze these on
>> a case by case basis.
>>
>> From: Ayodele Okeowo [mailto:aymacro at ...11827...]
>> Sent: Tuesday, February 12, 2013 10:42 AM
>> To: Jefferson, Shawn
>> Cc: wkitty42 at ...14940...; snort-users at lists.sourceforge.net
>>
>> Subject: Re: [Snort-users] Integrating ClamAv into Snort
>>
>> Sorry I meant Shawn.
>>
>> I'm looking up the tools but I'm trying to understand what they do;
>> although I have a little idea, there seems to be no place on what it is,
>> what it's used for and the purpose of the tools.
>>
>> Any intake on that?
>>
>> Ayo
>>
>> On Tue, Feb 12, 2013 at 1:23 PM, Jefferson, Shawn
>> <Shawn.Jefferson at ...14448...> wrote:
>>
>> What you are looking for is something like RazorBack, or possibly BroIDS.
>>
>> -----Original Message-----
>> From: waldo kitty [mailto:wkitty42 at ...14940...]
>> Sent: Tuesday, February 12, 2013 10:01 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Integrating ClamAv into Snort
>>
>> On 2/12/2013 11:48, Ayodele Okeowo wrote:
>> > folks,
>> >
>> > Has anyone successfully integrated or used ClamAv with Snort? If yes,
>> > could you please share how, and what documentation to read to be able to
>> > implement this?
>>
>> for what reason? if you are thinking about scanning files that users
>> transfer, then you want to include additional packages along side of your
>> snort... these would perform full packet capture and then offer slicing out
>> the files for analysis...
>>
>> snort needs to sniff and sniff only... it doesn't need to worry about
>> things like scanning for viruses or even trying to log to a database...
>> these things slow snort down and traffic is lost or otherwise not
>> analyzed... that's not a GoodThing<tm>... leave these tasks to other apps to
>> handle ;)
>>
>>
>> ------------------------------------------------------------------------------
>> Free Next-Gen Firewall Hardware Offer
>> Buy your Sophos next-gen firewall before the end March 2013 and get the
>> hardware for free! Learn more.
>> http://p.sf.net/sfu/sophos-d2d-feb
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>>
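The alert-driven workflow Shawn describes (Snort alerts on a flow, the flow is pulled from the full-packet-capture store, the carved file goes to ClamAV), as an added Python example that is not code from this thread or from Snort, OpenFPC, StreamDB or ClamAV. The alert line and the clamscan output below are constructed; retrieving the packets from the capture store is left to whichever tool holds them, this only derives the filter and time window to ask it for.

```python
"""Glue for an alert-driven carving pipeline: Snort fast alert -> flow filter
and time window for the packet store -> ClamAV verdict on the carved file.
Added example; not code from Snort, OpenFPC, StreamDB or ClamAV."""
import re
import subprocess
from datetime import datetime, timedelta

# Snort "alert_fast" layout: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alert (not a real Snort rule); 203.0.113.0/24 is documentation space.
SAMPLE_ALERT = ("02/12-11:48:02.123456  [**] [1:1000001:1] POLICY EXE download (constructed) [**] "
                "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
                "10.0.0.5:51234 -> 203.0.113.10:80")

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def flow_filter(alert):
    """BPF expression selecting both directions of the alerted flow in the packet store."""
    return "{p} and host {src} and host {dst} and port {sport} and port {dport}".format(
        p=alert["proto"].lower(), **{k: alert[k] for k in ("src", "dst", "sport", "dport")})

def capture_window(alert, year, seconds=60):
    """(start, end) bracketing the alert; the fast log omits the year, so it is supplied."""
    t = datetime.strptime("%d/%s" % (year, alert["ts"]), "%Y/%m/%d-%H:%M:%S.%f")
    return t - timedelta(seconds=seconds), t + timedelta(seconds=seconds)

def parse_clamscan(output):
    """Map carved-file path -> signature name ('' when clean) from clamscan's per-file lines."""
    verdicts = {}
    for line in output.splitlines():
        path, sep, rest = line.rpartition(": ")
        if not sep:
            continue                      # summary or blank line, not a per-file verdict
        if rest.endswith(" FOUND"):
            verdicts[path] = rest[:-len(" FOUND")]
        elif rest == "OK":
            verdicts[path] = ""
    return verdicts

def scan_files(paths):
    """Run clamscan over carved files; exit status 1 means at least one detection, 2 an error."""
    proc = subprocess.run(["clamscan", "--no-summary", *paths], capture_output=True, text=True)
    return proc.returncode, parse_clamscan(proc.stdout)
```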
