From: Christopher B. <bla...@um...> - 2005-02-28 05:34:18
Yes sir, that's the configuration it's currently running in on quite a few of our client machines. This is the exact same image, but with the extra flag to configure.

Will Metcalf wrote:
> Hmmm does it work ok if you don't --enable-clamav?
>
> Regards,
>
> Will
> On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black
> <bla...@um...> wrote:
>
>>Excellent information, thank you.
>>
>>Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes
>>immediately on boot with this error:
>>
>>rcmdsh: unknown user: ���$�PjV�s����� F��X
>>Bus error (core dumped)
>>localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline),
>>uid 0: exited on signal 10 (core dumped)
>>
>>gdb says:
>>(gdb) core-file snort_inline.core
>>Core was generated by `snort_inline'.
>>Program terminated with signal 10, Bus error.
>>#0 0x281cb2b0 in ?? ()
>>(gdb)
>>
>>Any ideas?
>>
>>Thanks!
>>
>>Chris
>>
>>Will Metcalf wrote:
>>
>>>>1) Is ClamAV enabled in a default build of snort_inline?
>>>
>>>
>>>The code is there, but by default it is disabled. To enable
>>>./configure --enable-clamav
>>>
>>>
>>>
>>>>2) How are snort_inline and ClamAV interconnected? ie: is it possible
>>>>to upgrade the ClamAV engine without affecting snort_inline?
>>>
>>>
>>>libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
>>>or 0.7x to 0.7y you need to rebuild if you go from 0.7x to 0.8x
>>>
>>>
>>>
>>>>3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>re-read after a change? (Send a SIGHUP, restart, etc)
>>>
>>>
>>>SIGHUP or a restart. This is manual, in 2.3.0 you can specify an
>>>interval at which to reread the AV database. You still have to SIGHUP
>>>snort update the signatures.
>>>
>>>Regards,
>>>
>>>Will
>>>
>>>On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
>>><bla...@um...> wrote:
>>>
>>>
>>>>Hi all, I have some basic questions about ClamAV support.
>>>>
>>>>1) Is ClamAV enabled in a default build of snort_inline?
>>>>2) How are snort_inline and ClamAV interconnected? ie: is it possible
>>>>to upgrade the ClamAV engine without affecting snort_inline?
>>>>3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>re-read after a change? (Send a SIGHUP, restart, etc)
>>>>
>>>>Thanks!
>>>>
>>>>Chris
>>>>
>>
>>--
>>
>
--