Re: deploying ClamAV with Snort IDS

["Randal T. Rioux" <randy () procyonlabs com>]

Indeed, HAVP is far better suited (best with Squid in a parent-proxy
configuration). I just set this up not too long ago:

http://www.procyonlabs.com/guides/linux/slackware/squid_guard_havp

Randy


On Mon, February 1, 2010 12:46 pm, Will Metcalf wrote:
> If you are interested in stopping viruses in http/ftp traffic with ClamAV
>  I suggest you have a look at HAVP.  They do this better than we did, the
>  problem being that ClamAV expects a file so unless you do some serious
> work writing protocol dissectors to hand it something in a format it
> expects, most of the time it will only find viruses in protocols where
> the file starts at the beginning of the payload i.e. (no application
> headers present).  We add some rudimentary support for http but HAVP is
> way more robust.
>
> Regards,
>
> Will
>
> On Mon, Feb 1, 2010 at 11:24 AM, Alan Brennan
> <alanbrennan1 () gmail com>wrote:
>
> > Hi guys,
> >
> > I wish to deploy Snort in IDS mode (sitting off a tap), but I also want
> >  to have detection of viruses, spyware, malware, etc.
> >
> > Apparently it is possible to integrate the Clam AntiVirus system with
> > Snort.
> >
> > However, does Snort have to be deplpoyed in Inline (IPS) mode to avail
> > of the ClamAV preprocessor? Can I install ClamAV when Snort is running
> > in passive/IDS mode?
> >
> > Also, can ClamAV module be used not only to detect viruses or malicious
> >  code but also to drop/block these viruses?
> >
> > Thanking you inadvance.
> >
> > Alan
> >
> >
> > -----------------------------------------------------------------------
> > ------- The Planet: dedicated and managed hosting, cloud storage,
> > colocation Stay online with enterprise data centers and the best
> > network in the business Choose flexible plans and management services
> > without long-term contracts Personal 24x7 support from experience
> > hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
> > _______________________________________________ Snort-users mailing
> > list Snort-users () lists sourceforge net Go to this URL to change user
> > options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0A
> > Snort-users>list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> -------------------------------------------------------------------------
> ----- The Planet: dedicated and managed hosting, cloud storage,
> colocation Stay online with enterprise data centers and the best network
> in the business Choose flexible plans and management services without
> long-term contracts Personal 24x7 support from experience hosting pros
> just a phone call away.
> http://p.sf.net/sfu/theplanet-com________________________________________
> _______ Snort-users mailing list Snort-users () lists sourceforge net Go to
> this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list
> archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users