From: Will M. <wil...@gm...> - 2005-02-28 13:19:17

They changed a function from 0.7x to 0.8x in libclamav, you should be ok if you use snort-inline-2.3.0-RC1. Do me a favor and download and try to compile support for 2.3.0-RC1, and let me know if you get the same error. I'll look at backporting the cl_buildtrie changes to 2.2.0.

Regards,

Wil

On Mon, 28 Feb 2005 00:34:02 -0500, Christopher Black <bla...@um...> wrote:
> Yes sir, that's the configuration it's currently running in on quite a
> few of our client machines. This is the exact same image, but with the
> extra flag to configure.
>
> Will Metcalf wrote:
> > Hmmm does it work ok if you don't --enable-clamav?
> >
> > Regards,
> >
> > Will
> > On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black
> > <bla...@um...> wrote:
> >
> >>Excellent information, thank you.
> >>
> >>Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes
> >>immediately on boot with this error:
> >>
> >>rcmdsh: unknown user: =EF=BF=BD=EF=BF=BD=EF=BF=BD$=EF=BF=BDPj=04V=EF=BF=BDs=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD F=EF=BF=BD=EF=BF=BDX
> >>Bus error (core dumped)
> >>localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline),
> >>uid 0: exited on signal 10 (core dumped)
> >>
> >>gdb says:
> >>(gdb) core-file snort_inline.core
> >>Core was generated by `snort_inline'.
> >>Program terminated with signal 10, Bus error.
> >>#0 0x281cb2b0 in ?? ()
> >>(gdb)
> >>
> >>Any ideas?
> >>
> >>Thanks!
> >>
> >>Chris
> >>
> >>Will Metcalf wrote:
> >>
> >>>>1) Is ClamAV enabled in a default build of snort_inline?
> >>>
> >>>The code is there, but by default it is disabled. To enable
> >>>./configure --enable-clamav
> >>>
> >>>>2) How are snort_inline and ClamAV interconnected? ie: is it possible
> >>>>to upgrade the ClamAV engine without affecting snort_inline?
> >>>
> >>>libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
> >>>or 0.7x to 0.7y; you need to rebuild if you go from 0.7x to 0.8x.
> >>>
> >>>>3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
> >>>>re-read after a change? (Send a SIGHUP, restart, etc)
> >>>
> >>>SIGHUP or a restart. This is manual, in 2.3.0 you can specify an
> >>>interval at which to reread the AV database. You still have to SIGHUP
> >>>snort to update the signatures.
> >>>
> >>>Regards,
> >>>
> >>>Will
> >>>
> >>>On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
> >>><bla...@um...> wrote:
> >>>
> >>>>Hi all, I have some basic questions about ClamAV support.
> >>>>
> >>>>1) Is ClamAV enabled in a default build of snort_inline?
> >>>>2) How are snort_inline and ClamAV interconnected? ie: is it possible
> >>>>to upgrade the ClamAV engine without affecting snort_inline?
> >>>>3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
> >>>>re-read after a change? (Send a SIGHUP, restart, etc)
> >>>>
> >>>>Thanks!
> >>>>
> >>>>Chris