[Snort-users] Integrating ClamAv into Snort

Joel Esler jesler at ...1935...
Wed Feb 13 11:54:48 EST 2013


There are no plans to release an updated Snort book.  We simply update Snort too often, I think, to provide a lot of value out of a bound book.  But people still buy the 2.4 book, so I am not sure.   

I think it's wiser to keep your ear to the ground with http://blog.snort.org, http://vrt-blog.snort.org, and the www.snort.org/docs

I keep those pretty updated with new content all the time.  

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Wednesday, February 13, 2013 at 11:52 AM, Ayodele Okeowo wrote:

> Joel,
>  
> I'm currently reading the manual, I chose the book just to learn some techniques. And by the way, are you releasing any book on Snort anytime soon?
>  
> Ayo  
>  
> On Wed, Feb 13, 2013 at 11:44 AM, Joel Esler <jesler at ...1935... (mailto:jesler at ...1935...)> wrote:
> > I'd recommend the current Snort Manual over the book.  The Book was written at Snort version 2.4.  The engine is vastly different now.
> >  
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >  
> >  
> > On Tuesday, February 12, 2013 at 8:56 PM, Ayodele Okeowo wrote:
> >  
> > > Thanks for the clarification, Joel. I'm in fact looking into RazorBack now and I'll throw more questions if I happen to stumble.
> > >  
> > > And by the way, I saw a book 'Snort 2.1' at Barnes & Noble of which you happened to be a co-writer. I'm still expecting my copy from Amazon. I look forward to reading it.  
> > >  
> > > Ayo  
> > >  
> > > On Tue, Feb 12, 2013 at 7:14 PM, Joel Esler <jesler at ...1935... (mailto:jesler at ...1935...)> wrote:
> > > > Thank you (someone, I think it was Shawn) for recommending Razorback.
> > > >  
> > > > This is exactly one of the millions of reasons that Razorback was designed.  Analyzing files in realtime is just not always feasible.  Hence why Razorback was invented.  
> > > >  
> > > > --
> > > > Joel Esler
> > > > Senior Research Engineer, VRT
> > > > OpenSource Community Manager
> > > > Sourcefire
> > > >  
> > > > On Feb 12, 2013, at 3:46 PM, Ayodele Okeowo <aymacro at ...11827... (mailto:aymacro at ...11827...)> wrote:  
> > > > > Thanks Jeremy and it's nice to know about the status of the tool. I'll play with it this week and see its awesomeness. And I will check out the RazorBack tonight though and go through the documentation.
> > > > >  
> > > > > Thanks guys for the inputs.  
> > > > > Ayo  
> > > > >  
> > > > > On Tue, Feb 12, 2013 at 3:33 PM, Jeremy Hoel <jthoel at ...11827... (mailto:jthoel at ...11827...)> wrote:
> > > > > > It seems the development for OpenFPC has stalled; there hasn't been a
> > > > > > lot of movement with it.  That being said, when it works and the queue
> > > > > > agent is listening, it's awesome.
> > > > > >  
> > > > > > On Tue, Feb 12, 2013 at 8:25 PM, Ayodele Okeowo <aymacro at ...14540...27... (mailto:aymacro at ...11827...)> wrote:
> > > > > > > Thanks Shawn. While I was waiting for the reply, I went through their sites
> > > > > > > and they both look interesting. However, I've been hearing about OpenFPC
> > > > > > > maybe it's something I will look into. Hopefully RazorBack will have full
> > > > > > > documentation on how to integrate it into Snort.
> > > > > > >
> > > > > > > I really appreciate your response and showing me some new stuff I've never
> > > > > > > heard of today. A new learning curve.
> > > > > > >
> > > > > > > Ayo
> > > > > > >
> > > > > > >
> > > > > > > On Tue, Feb 12, 2013 at 1:58 PM, Jefferson, Shawn
> > > > > > > <Shawn.Jefferson at ...14448... (mailto:Shawn.Jefferson at ...14534......)> wrote:
> > > > > > >>
> > > > > > >> There are websites for both products that are very easy to find.
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > > >> Basically, both products are essentially monitoring systems that can carve
> > > > > > >> out specific things from your network streams, like downloaded files, and
> > > > > > >> these can then be run through ClamAV or other executable checking tools.
> > > > > > >> Personally, I don’t use them, but I carve out specific files that were
> > > > > > >> alerted on by Snort (I’m running StreamDB and OpenFPC), and analyze these on
> > > > > > >> a case by case basis.
> > > > > > >>
> > > > > > >> From: Ayodele Okeowo [mailto:aymacro at ...11827...]
> > > > > > >> Sent: Tuesday, February 12, 2013 10:42 AM
> > > > > > >> To: Jefferson, Shawn
> > > > > > >> Cc: wkitty42 at ...14940... (mailto:wkitty42 at ...14940...); snort-users at lists.sourceforge.net (mailto:snort-users at lists.sourceforge.net)
> > > > > > >>
> > > > > > >>
> > > > > > >> Subject: Re: [Snort-users] Integrating ClamAv into Snort
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > > >> Sorry I meant Shawn.
> > > > > > >>
> > > > > > >> I'm looking up the tools, but I'm trying to understand what they do;
> > > > > > >> although I have a little idea, there seems to be no place that explains what they are,
> > > > > > >> what they're used for and the purpose of the tools.
> > > > > > >>
> > > > > > >> Any intake on that?
> > > > > > >>
> > > > > > >> Ayo
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > > >> On Tue, Feb 12, 2013 at 1:23 PM, Jefferson, Shawn
> > > > > > >> <Shawn.Jefferson at ...14448... (mailto:Shawn.Jefferson at ...14575...8...)> wrote:
> > > > > > >>
> > > > > > >> What you are looking for is something like RazorBack, or possibly BroIDS.
> > > > > > >>
> > > > > > >>
> > > > > > >> -----Original Message-----
> > > > > > >> From: waldo kitty [mailto:wkitty42 at ...14940...]
> > > > > > >> Sent: Tuesday, February 12, 2013 10:01 AM
> > > > > > >> To: snort-users at lists.sourceforge.net (mailto:snort-users at ...6193...sts.sourceforge.net)
> > > > > > >> Subject: Re: [Snort-users] Integrating ClamAv into Snort
> > > > > > >>
> > > > > > >> On 2/12/2013 11:48, Ayodele Okeowo wrote:
> > > > > > >> > folks,
> > > > > > >> >
> > > > > > >> > Has anyone successfully integrated or used ClamAv with Snort? If yes,
> > > > > > >> > could you please share how, and what documentation to read to be able to
> > > > > > >> > implement this?
> > > > > > >>
> > > > > > >> for what reason? if you are thinking about scanning files that users
> > > > > > >> transfer, then you want to include additional packages along side of your
> > > > > > >> snort... these would perform full packet capture and then offer slicing out
> > > > > > >> the files for analysis...
> > > > > > >>
> > > > > > >> snort needs to sniff and sniff only... it doesn't need to worry about
> > > > > > >> things like scanning for viruses or even trying to log to a database...
> > > > > > >> these things slow snort down and traffic is lost or otherwise not
> > > > > > >> analyzed... that's not a GoodThing<tm>... leave these tasks to other apps to
> > > > > > >> handle ;)
> > > > > > >>
> > > > > > >>
> > > > > > >> ------------------------------------------------------------------------------
> > > > > > >> Free Next-Gen Firewall Hardware Offer
> > > > > > >> Buy your Sophos next-gen firewall before the end March 2013 and get the
> > > > > > >> hardware for free! Learn more.
> > > > > > >> http://p.sf.net/sfu/sophos-d2d-feb
> > > > > > >> _______________________________________________
> > > > > > >> Snort-users mailing list
> > > > > > >> Snort-users at lists.sourceforge.net (mailto:Snort-users at ...8192...sourceforge.net)
> > > > > > >> Go to this URL to change user options or unsubscribe:
> > > > > > >> https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > >> Snort-users list archive:
> > > > > > >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > > > >>
> > > > > > >> Please visit http://blog.snort.org (http://blog.snort.org/) to stay current on all the latest Snort
> > > > > > >> news!
> > > > > > >>
> > >  
> >  
>  
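The pipeline Shawn and waldo kitty describe above (let a separate capture tool carve downloaded files out of the stream, then hand those files to ClamAV instead of making Snort scan anything) can be wired up like this. This is an added example, not code from the thread or from any of the projects named in it; the clamd host and port and the carved-files directory are placeholder assumptions.

```python
# Added example (not from the thread): hand files carved by a capture tool
# to clamd over its INSTREAM protocol, keeping AV work off the Snort sensor.
# Host, port and the carved-files directory are placeholder assumptions.
import socket
import struct
from pathlib import Path

CLAMD_HOST, CLAMD_PORT = "127.0.0.1", 3310  # assumed clamd TCP listener


def instream_frames(data: bytes, chunk_size: int = 2048) -> bytes:
    """Frame `data` for clamd's zINSTREAM command: b'zINSTREAM\\0', then
    repeated [4-byte big-endian length][chunk], ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        piece = data[off:off + chunk_size]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)  # zero-length chunk ends the stream
    return bytes(out)


def parse_clamd_reply(reply: bytes):
    """Turn 'stream: OK', 'stream: <sig> FOUND' or '... ERROR' (NUL-terminated
    for the z-prefixed command) into a (verdict, detail) pair."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, result = text.partition(": ")
    if result == "OK":
        return "clean", None
    if result.endswith(" FOUND"):
        return "infected", result[: -len(" FOUND")]
    return "error", result


def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT):
    """Stream one carved file to clamd and return its verdict."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-command replies end with NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def scan_directory(carved_dir: str) -> dict:
    """Scan every file a capture tool has carved into `carved_dir`.
    This runs beside Snort, so the sensor never waits on the scanner."""
    files = (p for p in Path(carved_dir).iterdir() if p.is_file())
    return {p.name: scan_bytes(p.read_bytes()) for p in files}
```

Run `scan_directory("/path/to/carved")` from a cron job or a directory watcher fed by the carving tool; `instream_frames` and `parse_clamd_reply` can be checked without a live clamd.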
