Snort mailing list archives
Re: Integrating ClamAv into Snort
From: Ayodele Okeowo <aymacro () gmail com>
Date: Wed, 13 Feb 2013 12:04:38 -0500
Awesome! I will definitely follow up with the blogs which I've been, and folks have been helpful, and I'm glad to thank everyone, including you.

Ayo

On Wed, Feb 13, 2013 at 11:54 AM, Joel Esler <jesler () sourcefire com> wrote:

There are no plans to release an updated Snort book. We simply update Snort too often, I think, to provide a lot of value out of a bound book. But people still buy the 2.4 book, so I am not sure. I think it's wiser to keep your ear to the ground with http://blog.snort.org, http://vrt-blog.snort.org, and the www.snort.org/docs. I keep those pretty updated with new content all the time.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Wednesday, February 13, 2013 at 11:52 AM, Ayodele Okeowo wrote:

Joel,

I'm currently reading the manual; I chose the book just to learn some techniques. And by the way, are you releasing any book on Snort anytime soon?

Ayo

On Wed, Feb 13, 2013 at 11:44 AM, Joel Esler <jesler () sourcefire com> wrote:

I'd recommend the current Snort Manual over the book. The Book was written at Snort version 2.4. The engine is vastly different now.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Tuesday, February 12, 2013 at 8:56 PM, Ayodele Okeowo wrote:

Thanks for the clarification, Joel. I'm in fact looking into RazorBack now and I'll throw more questions if I happen to stumble. And by the way, I saw a book 'Snort 2.1' at Barnes & Noble which you happened to be a co-writer of; I'm still expecting my copy from Amazon. I look forward to reading it.

Ayo

On Tue, Feb 12, 2013 at 7:14 PM, Joel Esler <jesler () sourcefire com> wrote:

Thank you (someone, I think it was Shawn) for recommending Razorback. This is exactly one of the millions of reasons that Razorback was designed. Analyzing files in realtime is just not always feasible. Hence why Razorback was invented.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 12, 2013, at 3:46 PM, Ayodele Okeowo <aymacro () gmail com> wrote:

Thanks, Jeremy, and it's nice to know about the status of the tool. I'll play with it this week and see its awesomeness.

And I will check out the RazorBack tonight though and go through the documentation. Thanks, guys, for the inputs.

Ayo

On Tue, Feb 12, 2013 at 3:33 PM, Jeremy Hoel <jthoel () gmail com> wrote:

It seems the development for OpenFPC has stalled... there hasn't been a lot of movement with it. That being said, when it works and the queue agent is listening, it's awesome.

On Tue, Feb 12, 2013 at 8:25 PM, Ayodele Okeowo <aymacro () gmail com> wrote:

Thanks, Shawn. While I was waiting for the reply, I went through their sites and they both look interesting. However, I've been hearing about OpenFPC; maybe it's something I will look into. Hopefully RazorBack will have full documentation on how to integrate it into Snort. I really appreciate your response and showing me some new stuff I've never heard of today. A new learning curve.

Ayo

On Tue, Feb 12, 2013 at 1:58 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

There are websites for both products that are very easy to find. Basically, both products are essentially monitoring systems that can carve out specific things from your network streams, like downloaded files, and these can then be run through ClamAV or other executable checking tools.

Personally, I don't use them, but I carve out specific files that were alerted on by Snort (I'm running StreamDB and OpenFPC), and analyze these on a case-by-case basis.

From: Ayodele Okeowo [mailto:aymacro () gmail com]
Sent: Tuesday, February 12, 2013 10:42 AM
To: Jefferson, Shawn
Cc: wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Integrating ClamAv into Snort

Sorry, I meant Shawn. I'm looking up the tools but I'm trying to understand what they do; although I have a little idea, there seems to be no place on what it is, what it's used for and the purpose of the tools. Any intake on that?

Ayo

On Tue, Feb 12, 2013 at 1:23 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

What you are looking for is something like RazorBack, or possibly BroIDS.

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Tuesday, February 12, 2013 10:01 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Integrating ClamAv into Snort

On 2/12/2013 11:48, Ayodele Okeowo wrote:

folks, has anyone successfully integrated or used ClamAv with Snort? If yes, please could you share how and what documentation to read to be able to implement this?

for what reason? if you are thinking about scanning files that users transfer, then you want to include additional packages along side of your snort... these would perform full packet capture and then offer slicing out the files for analysis... snort needs to sniff and sniff only... it doesn't need to worry about things like scanning for viruses or even trying to log to a database... these things slow snort down and traffic is lost or otherwise not analyzed... that's not a Good Thing<tm>... leave these tasks to other apps to handle ;)

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
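The pattern Shawn and waldo kitty describe above (let a separate tool carve files out of captured traffic, then hand them to ClamAV, instead of scanning inside the sniffing process) as an added example that is not code from the thread, from Snort, OpenFPC or ClamAV: a small Python client that submits already-carved files to a running clamd over its Unix socket with the INSTREAM command, so the file never has to sit on a path clamd can read and Snort itself stays out of the loop. The socket path, the carved-files directory and the request/reply framing helpers are this example's assumptions; the EICAR string is the standard harmless AV test file, used only as a constructed self-test input.

```python
"""Out-of-band ClamAV scanning of files carved from network captures.

Added example, not code from the thread. A carving tool (OpenFPC, StreamDB,
Razorback, ...) is assumed to have already written files into CARVE_DIR;
this script submits each one to a local clamd via the INSTREAM protocol so
that virus scanning never runs inside Snort's packet path.
"""
import os
import socket
import struct
import sys
from typing import Dict, Optional, Tuple

# Assumed paths: match LocalSocket in clamd.conf and the directory your
# carving tool writes into.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CARVE_DIR = "/var/lib/openfpc/carved"
CHUNK_SIZE = 64 * 1024

# EICAR test string: harmless, but every AV engine flags it, so it verifies
# the pipeline end to end (constructed sample input).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_instream_request(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Frame data for clamd's zINSTREAM command.

    Wire format: the NUL-terminated command, then chunks each prefixed by a
    4-byte big-endian length, then a zero-length chunk as terminator.
    """
    req = bytearray(b"zINSTREAM\0")
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        req += struct.pack(">I", len(chunk)) + chunk
    req += struct.pack(">I", 0)  # terminator: zero-length chunk
    return bytes(req)


def parse_clamd_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn one raw clamd reply into (verdict, detail).

    clamd answers a z-prefixed command with a single NUL-terminated line,
    e.g. b"stream: OK\\0", b"stream: Eicar-Test-Signature FOUND\\0" or
    b"stream: INSTREAM size limit exceeded. ERROR\\0".  The size-limit ERROR
    is the usual surprise: StreamMaxLength in clamd.conf caps INSTREAM
    submissions, so large carved files need that limit raised or a
    different scan path; an ERROR must never be treated as "clean".
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    head, sep, body = text.partition(": ")  # drop the leading "stream" id
    if not sep:
        body = head
    if body == "OK":
        return "clean", None
    if body.endswith(" FOUND"):
        return "infected", body[:-len(" FOUND")]
    if body.endswith(" ERROR"):
        return "error", body[:-len(" ERROR")]
    return "error", text  # anything unrecognised is also not a clean verdict


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> Tuple[str, Optional[str]]:
    """Send one blob to clamd over its Unix socket and return the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(sock_path)
        s.sendall(build_instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):  # reply is one NUL-terminated line
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def scan_directory(path: str, sock_path: str = CLAMD_SOCKET) -> Dict[str, Tuple[str, Optional[str]]]:
    """Scan every regular file under path; returns {file: (verdict, detail)}.

    Files are read whole into memory, which is fine for carved downloads
    but worth streaming for anything near StreamMaxLength.
    """
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                results[full] = scan_bytes(fh.read(), sock_path)
    return results


if __name__ == "__main__":
    try:
        print("EICAR self-test:", scan_bytes(EICAR))
        for path, (verdict, detail) in scan_directory(CARVE_DIR).items():
            print(f"{verdict:8s} {path}" + (f"  ({detail})" if detail else ""))
    except (OSError, socket.timeout) as exc:
        sys.exit(f"clamd not reachable at {CLAMD_SOCKET}: {exc}")
```

Run it as a cron job or a watcher on the carve directory rather than from anything in Snort's pipeline; that keeps the sniffing process doing only what waldo kitty says it should. The EICAR self-test should report `('infected', 'Eicar-Test-Signature')`; if it reports `clean`, the signature database or the socket path is wrong and nothing downstream can be trusted.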
Current thread:
- Re: Integrating ClamAv into Snort, (continued)
- Re: Integrating ClamAv into Snort Ayodele Okeowo (Feb 12)
- Re: Integrating ClamAv into Snort Jefferson, Shawn (Feb 12)
- Re: Integrating ClamAv into Snort Ayodele Okeowo (Feb 12)
- Re: Integrating ClamAv into Snort Jeremy Hoel (Feb 12)
- Re: Integrating ClamAv into Snort Ayodele Okeowo (Feb 12)
- Re: Integrating ClamAv into Snort Joel Esler (Feb 12)
- Re: Integrating ClamAv into Snort Ayodele Okeowo (Feb 12)
- Re: Integrating ClamAv into Snort Joel Esler (Feb 13)
- Re: Integrating ClamAv into Snort Ayodele Okeowo (Feb 13)
- Re: Integrating ClamAv into Snort Joel Esler (Feb 13)
- Re: Integrating ClamAv into Snort Ayodele Okeowo (Feb 13)
- Re: Integrating ClamAv into Snort Joel Esler (Feb 12)