[Snort-users] Integrating ClamAv into Snort

Joel Esler jesler at ...1935...
Tue Feb 12 19:13:48 EST 2013


OpenFPC development has stalled because Leon moved to a different role in the company that takes up more of his time ;)

It still works; just because it's not being actively developed doesn't mean it doesn't work.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 12, 2013, at 3:33 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> It seems the development for OpenFPC has stalled.. there hasn't been a
> lot of movement with it.  That being said, when it works and the queue
> agent is listening, it's awesome.
> 
> On Tue, Feb 12, 2013 at 8:25 PM, Ayodele Okeowo <aymacro at ...11827...> wrote:
>> Thanks Shawn. While I was waiting for the reply, I went through their sites
>> and they both look interesting. However, I've been hearing about OpenFPC
>> maybe it's something I will look into. Hopefully RazorBack will have full
>> documentation on how to integrate it into Snort.
>> 
>> I really appreciate your response and showing me some new stuff I've never
>> heard of today. A new learning curve.
>> 
>> Ayo
>> 
>> 
>> On Tue, Feb 12, 2013 at 1:58 PM, Jefferson, Shawn
>> <Shawn.Jefferson at ...14448...> wrote:
>>> 
>>> There are websites for both products that are very easy to find.
>>> 
>>> 
>>> 
>>> Basically, both products are essentially monitoring systems that can carve
>>> out specific things from your network streams, like downloaded files, and
>>> these can then be run through ClamAV or other executable checking tools.
>>> Personally, I don’t use them, but I carve out specific files that were
>>> alerted on by Snort (I’m running StreamDB and OpenFPC), and analyze these on
>>> a case by case basis.
>>> 
>>> From: Ayodele Okeowo [mailto:aymacro at ...11827...]
>>> Sent: Tuesday, February 12, 2013 10:42 AM
>>> To: Jefferson, Shawn
>>> Cc: wkitty42 at ...14940...; snort-users at lists.sourceforge.net
>>> 
>>> 
>>> Subject: Re: [Snort-users] Integrating ClamAv into Snort
>>> 
>>> 
>>> 
>>> Sorry I meant Shawn.
>>> 
>>> I'm looking up the tools but I'm trying to understand what they do;
>>> although I have a little idea but there seems to be no place on what it is,
>>> what's used for and the purpose of the tools.
>>> 
>>> Any intake on that?
>>> 
>>> Ayo
>>> 
>>> 
>>> 
>>> On Tue, Feb 12, 2013 at 1:23 PM, Jefferson, Shawn
>>> <Shawn.Jefferson at ...14448...> wrote:
>>> 
>>> What you are looking for is something like RazorBack, or possibly BroIDS.
>>> 
>>> 
>>> -----Original Message-----
>>> From: waldo kitty [mailto:wkitty42 at ...14940...]
>>> Sent: Tuesday, February 12, 2013 10:01 AM
>>> To: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Integrating ClamAv into Snort
>>> 
>>> On 2/12/2013 11:48, Ayodele Okeowo wrote:
>>>> folks,
>>>> 
>>>> Has anyone successfully integrated or used ClamAv with Snort? if, Yes,
>>>> please could you share how and what documentation to read to be able to
>>>> implement this?
>>> 
>>> for what reason? if you are thinking about scanning files that users
>>> transfer, then you want to include additional packages along side of your
>>> snort... these would perform full packet capture and then offer slicing out
>>> the files for analysis...
>>> 
>>> snort needs to sniff and sniff only... it doesn't need to worry about
>>> things like scanning for viruses or even trying to log to a database...
>>> these things slow snort down and traffic is lost or otherwise not
>>> analyzed... that's not a GoodThing<tm>... leave these tasks to other apps to
>>> handle ;)
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> Free Next-Gen Firewall Hardware Offer
>>> Buy your Sophos next-gen firewall before the end March 2013 and get the
>>> hardware for free! Learn more.
>>> http://p.sf.net/sfu/sophos-d2d-feb
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort
>>> news!
>>> 
>> 
> 
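The advice in this thread is to keep Snort sniffing and let a separate pipeline (OpenFPC, StreamDB, RazorBack, Bro) carve files out of captured traffic and hand them to ClamAV. The glue between "carved file on disk" and "ClamAV verdict" is clamd's socket protocol, so here is an added example of that step, written for this page and not taken from the thread or from any of the tools it names. It frames a carved file as clamd's INSTREAM command, parses the reply, and scans a whole carve directory. The socket path, the carve directory and the sample replies are assumptions; ClamAV's own documentation for clamd defines the INSTREAM framing (null-terminated `zINSTREAM`, length-prefixed chunks, zero-length terminator).

```python
import os
import socket
import struct
from typing import Iterator, Optional, Tuple

# Assumed defaults: use whatever LocalSocket your clamd.conf sets, and
# whatever directory your carving tool writes extracted files into.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CARVE_DIR = "/var/lib/carved-files"
CHUNK_SIZE = 64 * 1024


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the wire frames of clamd's INSTREAM command for `data`.

    clamd expects the command, then the payload as chunks each prefixed
    with a 4-byte big-endian length, and a zero-length chunk as terminator.
    """
    yield b"zINSTREAM\0"
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_clamd_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Map a clamd reply line to (status, signature_name).

    Replies are null-terminated when the command used the 'z' prefix and
    look like "stream: OK", "stream: <SigName> FOUND" or "... ERROR".
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "clean", None
    if verdict.endswith(" FOUND"):
        return "infected", verdict[: -len(" FOUND")]
    # Anything else (size limit exceeded, parse errors) is reported as an error
    # so the caller never mistakes a failed scan for a clean file.
    return "error", verdict or text


def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET) -> Tuple[str, Optional[str]]:
    """Stream `data` to clamd over its UNIX socket and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def scan_carve_dir(directory: str = CARVE_DIR, socket_path: str = CLAMD_SOCKET) -> dict:
    """Scan every regular file a carving tool dropped into `directory`.

    Returns {filename: (status, signature_name)} so results can be logged
    or joined back to the Snort alert that triggered the carve.
    """
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                results[name] = scan_bytes(fh.read(), socket_path)
    return results


if __name__ == "__main__":
    for name, (status, sig) in scan_carve_dir().items():
        print(f"{name}: {status}" + (f" ({sig})" if sig else ""))
```

Because the scan runs out of process against files that are already on disk, a slow or backlogged scanner only delays verdicts; it never causes the sensor to drop packets, which is exactly the separation the thread argues for.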
