Snort mailing list archives

RE: ClamAV preprocessor


From: "Adriel T. Desautels" <atd () secnetops com>
Date: Mon, 23 Aug 2004 22:05:46 -0400

 
never mind... I found it ;)

________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of William
Metcalf
Sent: Wednesday, August 18, 2004 12:09 AM
To: snort-users () lists sourceforge net
Cc: Victor Julien; Rob () honeynet org
Subject: [Snort-users] ClamAV preprocessor



List, 

I know that some folks don't think that doing virus detection with
an IDS is a good idea, but Victor Julien and I have developed a
preprocessor that can detect virus activity in network traffic, using
a clamav c function and the clamav virus database. On to the preproc:
you can enable the ClamAV preprocessor by running ./configure
--enable-clamav. You can specify the include directory by doing
./configure --enable-clamav --with-clamav-includes=DIR if clamav.h
can't be found by the configure, or if the dbdir can't be found you
may specify it with configure by ./configure --enable-clamav
--with-clamav-defdir=DIR. You must have clamav and clamav.h available;
we do not provide it in the patch. 

Onto the preprocessor configuration options:

turn on clamav by going into snort.conf

preprocessor clamav

This turns on the defaults for clamav, which are to listen on ports 21
25 80 81 110 119 139 445 143 and to use the default database location
of /var/lib/clamav unless another dbdir was specified at ./configure.
Alerts are written to alert logs.

options are 

preprocessor clamav: ports {portlist separated by " "}, {flow can be
toclientonly or toserveronly or defaults to both} {action option is
disabled unless running snort_inline in which case we can drop or
reject the packet},{dbdir}

so 

preprocessor clamav: ports all !25 !443 !22


will turn on clamav and will listen for virus activity on all ports
except 25 443 22 and write to the alert file if a virus is detected.


preprocessor clamav: ports 139 445 21, toclientonly, dbdir /var/lib2/clamav

will turn on clamav, will listen for virus activity on ports 129 445
21, will only watch traffic that flows to the client, and sets the
virus-sig database path to /var/lib2/clamav 


Will try to put together some better documentation... but either
way here is the patch.

Depending on the OS, some may need to run the following command before
running configure, otherwise it will not configure properly.

libtoolize -f && aclocal && autoheader && automake && autoconf
or
autoreconf -f

Regards,

William Metcalf

download the patch from:

https://sourceforge.net/tracker/?atid=553469&group_id=78497&func=browse



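As an added example (not the preprocessor's own code and not part of the post), a small Python parser for the "preprocessor clamav:" option line described above, using the keywords and defaults the post lists. The assumptions that "ports all" means every TCP port 1-65535, and that drop/reject are refused unless snort_inline is in use, are my reading of the syntax.

```python
import re
from dataclasses import dataclass, field

# Defaults stated in the post; ALL_PORTS as 1-65535 is an assumption
DEFAULT_PORTS = {21, 25, 80, 81, 110, 119, 139, 445, 143}
DEFAULT_DBDIR = "/var/lib/clamav"
ALL_PORTS = set(range(1, 65536))


@dataclass
class ClamavConfig:
    ports: set = field(default_factory=lambda: set(DEFAULT_PORTS))
    flow: str = "both"       # toclientonly | toserveronly | both
    action: str = "alert"    # alert only; drop/reject need snort_inline
    dbdir: str = DEFAULT_DBDIR


def parse_ports(tokens):
    # 'all !25 !443' -> every port except 25 and 443; else the listed ports
    base, excluded = set(), set()
    for tok in tokens:
        if tok == "all":
            base |= ALL_PORTS
        elif tok.startswith("!"):
            excluded.add(int(tok[1:]))
        else:
            base.add(int(tok))
    ports = base - excluded
    if not ports:
        raise ValueError("port list is empty")
    return ports


def parse_clamav_line(line, inline=False):
    """Parse 'preprocessor clamav[: opt, opt, ...]'; inline=True models snort_inline."""
    m = re.fullmatch(r"preprocessor\s+clamav\s*(?::\s*(.*))?", line.strip())
    if not m:
        raise ValueError("not a clamav preprocessor line")
    cfg = ClamavConfig()  # bare 'preprocessor clamav' keeps every default
    for opt in (o.strip() for o in (m.group(1) or "").split(",") if o.strip()):
        key, *args = opt.split()
        if key == "ports":
            cfg.ports = parse_ports(args)
        elif key in ("toclientonly", "toserveronly"):
            cfg.flow = key
        elif key in ("drop", "reject"):
            if not inline:  # per the post, action is disabled outside snort_inline
                raise ValueError(f"action '{key}' requires snort_inline")
            cfg.action = key
        elif key == "dbdir" and len(args) == 1:
            cfg.dbdir = args[0]
        else:
            raise ValueError(f"unknown or malformed option: {opt}")
    return cfg
```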

Attachment: PGPexch.htm.pgp