From: Christopher B. <bla...@um...> - 2005-02-27 23:30:02
Excellent information, thank you.

Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes immediately on boot with this error:

rcmdsh: unknown user: ���$�PjV�s����� F��X
Bus error (core dumped)
localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline), uid 0: exited on signal 10 (core dumped)

gdb says:

(gdb) core-file snort_inline.core
Core was generated by `snort_inline'.
Program terminated with signal 10, Bus error.
#0 0x281cb2b0 in ?? ()
(gdb)

Any ideas?

Thanks!

Chris

Will Metcalf wrote:
>>1) Is ClamAV enabled in a default build of snort_inline?
>
> The code is there, but by default it is disabled. To enable
> ./configure --enable-clamav
>
>>2) How are snort_inline and ClamAV interconnected? ie: is it possible
>>to upgrade the ClamAV engine without affecting snort_inline?
>
> libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
> or 0.7x to 0.7y you need to rebuild if you go from 0.7x to 0.8x
>
>>3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>re-read after a change? (Send a SIGHUP, restart, etc)
>
> SIGHUP or a restart. This is manual, in 2.3.0 you can specify an
> interval at which to reread the AV database. You still have to SIGHUP
> snort to update the signatures.
>
> Regards,
>
> Will
>
> On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
> <bla...@um...> wrote:
>
>>Hi all, I have some basic questions about ClamAV support.
>>
>>1) Is ClamAV enabled in a default build of snort_inline?
>>2) How are snort_inline and ClamAV interconnected? ie: is it possible
>>to upgrade the ClamAV engine without affecting snort_inline?
>>3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>re-read after a change? (Send a SIGHUP, restart, etc)
>>
>>Thanks!
>>
>>Chris
>>
--