[Snort-users] Integrating ClamAv into Snort

Ayodele Okeowo aymacro at ...11827...
Tue Feb 12 20:56:28 EST 2013


Thanks for the clarification, Joel. I'm in fact looking into RazorBack now
and I'll throw more questions if I happen to stumble.

And by the way, I saw a book 'Snort 2.1' at Barnes & Noble of which you
happened to be a co-writer; I'm still expecting my copy from Amazon. I look
forward to reading it.

Ayo


On Tue, Feb 12, 2013 at 7:14 PM, Joel Esler <jesler at ...1935...> wrote:

> Thank you (someone, I think it was Shawn) for recommending Razorback.
>
> This is exactly one of the millions of reasons that Razorback was
> designed.  Analyzing files in realtime is just not always feasible.  Hence
> why Razorback was invented.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Feb 12, 2013, at 3:46 PM, Ayodele Okeowo <aymacro at ...11827...> wrote:
>
> Thanks Jeremy, and it's nice to know about the status of the tool. I'll
> play with it this week and see its awesomeness. And I will check out
> RazorBack tonight though and go through the documentation.
>
> Thanks guys for the inputs.
> Ayo
>
>
> On Tue, Feb 12, 2013 at 3:33 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>> It seems the development for OpenFPC has stalled.. there hasn't been a
>> lot of movement with it.  That being said, when it works and the queue
>> agent is listening, it's awesome.
>>
>> On Tue, Feb 12, 2013 at 8:25 PM, Ayodele Okeowo <aymacro at ...11827...>
>> wrote:
>> > Thanks Shawn. While I was waiting for the reply, I went through their
>> > sites and they both look interesting. However, I've been hearing about
>> > OpenFPC; maybe it's something I will look into. Hopefully RazorBack will
>> > have full documentation on how to integrate it into Snort.
>> >
>> > I really appreciate your response and showing me some new stuff I've
>> > never heard of today. A new learning curve.
>> >
>> > Ayo
>> >
>> >
>> > On Tue, Feb 12, 2013 at 1:58 PM, Jefferson, Shawn
>> > <Shawn.Jefferson at ...14448...> wrote:
>> >>
>> >> There are websites for both products that are very easy to find.
>> >>
>> >>
>> >>
>> >> Basically, both products are essentially monitoring systems that can
>> >> carve out specific things from your network streams, like downloaded
>> >> files, and these can then be run through ClamAV or other executable
>> >> checking tools. Personally, I don't use them, but I carve out specific
>> >> files that were alerted on by Snort (I'm running StreamDB and OpenFPC),
>> >> and analyze these on a case-by-case basis.
>> >>
>> >> From: Ayodele Okeowo [mailto:aymacro at ...11827...]
>> >> Sent: Tuesday, February 12, 2013 10:42 AM
>> >> To: Jefferson, Shawn
>> >> Cc: wkitty42 at ...14940...; snort-users at lists.sourceforge.net
>> >>
>> >>
>> >> Subject: Re: [Snort-users] Integrating ClamAv into Snort
>> >>
>> >>
>> >>
>> >> Sorry I meant Shawn.
>> >>
>> >> I'm looking up the tools but I'm trying to understand what they do;
>> >> although I have a little idea, there seems to be no place on what it
>> >> is, what it's used for and the purpose of the tools.
>> >>
>> >> Any intake on that?
>> >>
>> >> Ayo
>> >>
>> >>
>> >>
>> >> On Tue, Feb 12, 2013 at 1:23 PM, Jefferson, Shawn
>> >> <Shawn.Jefferson at ...14448...> wrote:
>> >>
>> >> What you are looking for is something like RazorBack, or possibly
>> >> BroIDS.
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: waldo kitty [mailto:wkitty42 at ...14940...]
>> >> Sent: Tuesday, February 12, 2013 10:01 AM
>> >> To: snort-users at lists.sourceforge.net
>> >> Subject: Re: [Snort-users] Integrating ClamAv into Snort
>> >>
>> >> On 2/12/2013 11:48, Ayodele Okeowo wrote:
>> >> > folks,
>> >> >
>> >> > Has anyone successfully integrated or used ClamAv with Snort? If yes,
>> >> > please could you share how and what documentation to read to be able
>> >> > to implement this?
>> >>
>> >> for what reason? if you are thinking about scanning files that users
>> >> transfer, then you want to include additional packages alongside your
>> >> snort... these would perform full packet capture and then offer slicing
>> >> out the files for analysis...
>> >>
>> >> snort needs to sniff and sniff only... it doesn't need to worry about
>> >> things like scanning for viruses or even trying to log to a database...
>> >> these things slow snort down and traffic is lost or otherwise not
>> >> analyzed... that's not a GoodThing<tm>... leave these tasks to other
>> >> apps to handle ;)
>> >>
>> >>
>> >>
>> ------------------------------------------------------------------------------
>> >> Free Next-Gen Firewall Hardware Offer
>> >> Buy your Sophos next-gen firewall before the end March 2013 and get the
>> >> hardware for free! Learn more.
>> >> http://p.sf.net/sfu/sophos-d2d-feb
>> >> _______________________________________________
>> >> Snort-users mailing list
>> >> Snort-users at lists.sourceforge.net
>> >> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> Snort-users list archive:
>> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >>
>> >> Please visit http://blog.snort.org to stay current on all the latest
>> Snort
>> >> news!
>> >>
>>
>
>
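The out-of-band pipeline Shawn and waldo describe above (full packet capture or a stream store carves the file, a separate scanner checks it, Snort just sniffs and alerts), reduced to its two mechanical steps as an added example. This is not code from the thread, nor from OpenFPC, StreamDB, Razorback or ClamAV itself. It assumes the TCP stream has already been reassembled upstream by the capture tool, that the response is delimited by Content-Length, and that clamd listens on a unix socket at the path in CLAMD_SOCKET (an assumption; the path is distro-dependent). The HTTP response and the EICAR test payload are constructed inline; the INSTREAM framing and reply format follow clamd(8).

```python
"""Carve a downloaded file from a reassembled HTTP stream and scan it with
clamd out-of-band.  Added example; assumptions are marked in comments."""
import hashlib
import os
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: distro-dependent path
CHUNK_SIZE = 8192

# Constructed sample: an HTTP response carrying the EICAR test string, the
# standard harmless file that every AV engine, ClamAV included, detects.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(EICAR)).encode() + b"\r\n"
    b"\r\n" + EICAR
)


def carve_http_body(stream: bytes) -> bytes:
    """Return the response body delimited by Content-Length.

    Refuses to guess on chunked or length-less responses: a carver that
    hands the scanner a truncated or over-long blob makes the verdict
    meaningless, so it fails loudly instead.
    """
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    length = None
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        key = name.strip().lower()
        if key == b"content-length":
            length = int(value.strip())
        elif key == b"transfer-encoding":
            raise ValueError("chunked/other transfer-encoding not handled here")
    if length is None:
        raise ValueError("no Content-Length header")
    if len(rest) < length:
        raise ValueError(f"truncated body: have {len(rest)}, need {length}")
    return rest[:length]


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Serialise a file into clamd's zINSTREAM wire format (clamd(8)):
    literal 'zINSTREAM\\0', then repeated <4-byte big-endian length><chunk>,
    terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_clamd_reply(reply: bytes) -> tuple:
    """Map a clamd reply ('stream: OK', 'stream: <sig> FOUND',
    'stream: <reason> ERROR'; NUL-terminated for z-commands) to
    (infected, detail)."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return False, "clean"
    if verdict.endswith(" FOUND"):
        return True, verdict[:-len(" FOUND")]
    raise RuntimeError(f"clamd error: {text}")


def scan_with_clamd(data: bytes, sock_path: str = CLAMD_SOCKET) -> tuple:
    """Stream the carved file to a running clamd and return its verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def main() -> None:
    body = carve_http_body(SAMPLE_STREAM)
    print(f"carved {len(body)} bytes, sha256={hashlib.sha256(body).hexdigest()}")
    if os.path.exists(CLAMD_SOCKET):
        print("clamd verdict:", scan_with_clamd(body))
    else:
        print(f"no clamd socket at {CLAMD_SOCKET}; skipping live scan")


if __name__ == "__main__":
    main()
```

Run it with python3; with a clamd listening on the socket it prints the verdict (EICAR comes back FOUND), otherwise it only carves and hashes. The carver deliberately rejects chunked responses rather than guessing at boundaries, which is the usual failure mode when file carving is bolted onto a sensor that is also trying to keep up with line rate.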