[Snort-users] Integrating ClamAv into Snort

Ayodele Okeowo aymacro at ...11827...
Wed Feb 13 11:52:57 EST 2013


Joel,

I'm currently reading the manual; I chose the book just to learn some
techniques. And by the way, are you releasing any book on Snort anytime
soon?

Ayo


On Wed, Feb 13, 2013 at 11:44 AM, Joel Esler <jesler at ...1935...> wrote:

> I'd recommend the current Snort Manual over the book.  The Book was
> written at Snort version 2.4.  The engine is vastly different now.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Tuesday, February 12, 2013 at 8:56 PM, Ayodele Okeowo wrote:
>
> Thanks for the clarification Joel. I'm in fact looking into RazorBack now
> and I'll throw more questions if I happen to stumble.
>
> And by the way, I saw a book 'Snort 2.1' at Barnes & Noble of which you
> happened to be a co-writer. I'm still expecting my copy from Amazon. I look
> forward to reading it.
>
> Ayo
>
>
> On Tue, Feb 12, 2013 at 7:14 PM, Joel Esler <jesler at ...1935...> wrote:
>
> Thank you (someone, I think it was Shawn) for recommending Razorback.
>
> This is exactly one of the millions of reasons that Razorback was
> designed.  Analyzing files in real time is just not always feasible.  Hence
> why Razorback was invented.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Feb 12, 2013, at 3:46 PM, Ayodele Okeowo <aymacro at ...11827...> wrote:
>
> Thanks Jeremy and it's nice to know about the status of the tool. I'll
> play with it this week and see its awesomeness. And I will check out the
> RazorBack tonight though and go through the documentation.
>
> Thanks guys for the inputs.
> Ayo
>
>
> On Tue, Feb 12, 2013 at 3:33 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>
> It seems the development for OpenFPC has stalled; there hasn't been a
> lot of movement with it.  That being said, when it works and the queue
> agent is listening, it's awesome.
>
> On Tue, Feb 12, 2013 at 8:25 PM, Ayodele Okeowo <aymacro at ...11827...> wrote:
> > Thanks Shawn. While I was waiting for the reply, I went through their sites
> > and they both look interesting. However, I've been hearing about OpenFPC;
> > maybe it's something I will look into. Hopefully RazorBack will have full
> > documentation on how to integrate it into Snort.
> >
> > I really appreciate your response and showing me some new stuff I've never
> > heard of today. A new learning curve.
> >
> > Ayo
> >
> >
> > On Tue, Feb 12, 2013 at 1:58 PM, Jefferson, Shawn
> > <Shawn.Jefferson at ...14448...> wrote:
> >>
> >> There are websites for both products that are very easy to find.
> >>
> >> Basically, both products are essentially monitoring systems that can carve
> >> out specific things from your network streams, like downloaded files, and
> >> these can then be run through ClamAV or other executable checking tools.
> >> Personally, I don’t use them, but I carve out specific files that were
> >> alerted on by Snort (I’m running StreamDB and OpenFPC), and analyze these on
> >> a case by case basis.
> >>
> >> From: Ayodele Okeowo [mailto:aymacro at ...11827...]
> >> Sent: Tuesday, February 12, 2013 10:42 AM
> >> To: Jefferson, Shawn
> >> Cc: wkitty42 at ...14940...; snort-users at lists.sourceforge.net
> >> Subject: Re: [Snort-users] Integrating ClamAv into Snort
> >>
> >> Sorry I meant Shawn.
> >>
> >> I'm looking up the tools but I'm trying to understand what they do;
> >> although I have a little idea, there seems to be no place that explains what
> >> they are, what they're used for and the purpose of the tools.
> >>
> >> Any intake on that?
> >>
> >> Ayo
> >>
> >> On Tue, Feb 12, 2013 at 1:23 PM, Jefferson, Shawn
> >> <Shawn.Jefferson at ...14448...> wrote:
> >>
> >> What you are looking for is something like RazorBack, or possibly BroIDS.
> >>
> >> -----Original Message-----
> >> From: waldo kitty [mailto:wkitty42 at ...14940...]
> >> Sent: Tuesday, February 12, 2013 10:01 AM
> >> To: snort-users at lists.sourceforge.net
> >> Subject: Re: [Snort-users] Integrating ClamAv into Snort
> >>
> >> On 2/12/2013 11:48, Ayodele Okeowo wrote:
> >> > folks,
> >> >
> >> > Has anyone successfully integrated or used ClamAv with Snort? If yes,
> >> > could you please share how, and what documentation to read, to be able to
> >> > implement this?
> >>
> >> for what reason? if you are thinking about scanning files that users
> >> transfer, then you want to include additional packages alongside your
> >> snort... these would perform full packet capture and then offer slicing out
> >> the files for analysis...
> >>
> >> snort needs to sniff and sniff only... it doesn't need to worry about
> >> things like scanning for viruses or even trying to log to a database...
> >> these things slow snort down and traffic is lost or otherwise not
> >> analyzed... that's not a GoodThing<tm>... leave these tasks to other apps to
> >> handle ;)
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> Free Next-Gen Firewall Hardware Offer
> >> Buy your Sophos next-gen firewall before the end March 2013 and get the
> >> hardware for free! Learn more.
> >> http://p.sf.net/sfu/sophos-d2d-feb
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest
> Snort
> >> news!
> >>
> >>
> >
> >
> >
> >
>
>
>
>
>
>
>
>
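The hand-off Shawn describes above, a file carved from a capture being passed to ClamAV out of band rather than inside Snort, done against a local clamd over its INSTREAM command. This is an added example, not code from the thread or from Snort, ClamAV, OpenFPC or Razorback; the socket path and the carved sample bytes are assumptions, and the frame builder and verdict parser run without a daemon.

```python
import socket
import struct
from typing import Iterator, Optional, Tuple

CHUNK_SIZE = 8192  # bytes per INSTREAM chunk; clamd also enforces its own StreamMaxLength

# Constructed stand-in for a file carved out of a capture (not real malware).
CARVED_SAMPLE = b"MZ" + bytes(range(256)) * 40


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the wire bytes of a clamd INSTREAM request for one file.

    Format: the NUL-terminated command "zINSTREAM", then chunks each prefixed
    with a 4-byte big-endian length, then a zero-length chunk as terminator.
    """
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_verdict(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn a clamd reply ("stream: OK", "stream: <sig> FOUND", "... ERROR")
    into (status, detail); status is one of "OK", "FOUND", "ERROR"."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, sep, result = text.partition(": ")
    if not sep:  # reply did not carry the "stream:" prefix (e.g. a size-limit error)
        result = text
    if result == "OK":
        return "OK", None
    if result.endswith(" FOUND"):
        return "FOUND", result[: -len(" FOUND")]
    return "ERROR", result


def scan_with_clamd(data: bytes, sock_path: str = "/var/run/clamav/clamd.ctl"):
    """Stream one carved file to a local clamd; sock_path is an assumed LocalSocket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # z-prefixed commands get NUL-terminated replies
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_verdict(reply)
```

Because the scan happens in a separate process reading carved files, a slow or hung clamd delays the verdict but never holds up the sniffing sensor, which is the point waldo kitty makes.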