From: William M. <Wil...@kc...> - 2005-03-10 18:35:02
List, Once again sorry for the delay. I will try to answer all of your e-mail this= weekend. I'm swamped with my paying job. Regards, Will ----------------- Sent from my BlackBerry Handheld. ----- Original Message ----- From: snort-inline-users-admin Sent: 03/10/2005 12:12 PM To: Will Metcalf <wil...@gm...> Cc: sno...@li... Subject: Re: [Snort-inline-users] Clam AV I tried this with a clean build of 2.3.0-RC1, as well as using the LDFLAGS=3D-pthread suggestion, both result in localhost# /usr/local/bin/snort_inline rcmdsh: unknown user: \uffff\uffff\uffff\uffffjJ\uffff\uffff\uffffy\uffff\uffffPjW\uffff\uffff\ufff= f\uffff\uffff\uffff\uffff\uffffe\uffff[^_\uffff\uffff\uffffU\uffff\uffff\ufff= f\uffffLWVS\uffff Bus error (core dumped) localhost# Mar 10 13:13:35 localhost /kernel: pid 18143 (snort_inline), uid 0: exited on signal 10 (core dumped) Any ideas? This is ClamAV 0.83 and snort_inline 2.3.0-RC1. It appears to be identical behavior. Is there anything I should try deleting or reinstalling that may be playing a part in this? Or even just a way to get more debugging information for you guys? Thanks! Chris Will Metcalf wrote: > They changed a function from 0.7x to 0.8x in libclamav, you should be > ok if you use snort-inline-2.3.0-RC1. Do me a favor and downlolad and > try to compile support for 2.3.0-RC1, and let me know if you get the > same error. I'll look at backporting the cl_buildtrie changes to > 2.2.0. > > Regards, > > Wil > > > On Mon, 28 Feb 2005 00:34:02 -0500, Christopher Black > <bla...@um...> wrote: > >>Yes sir, that's the configuration it's currently running in on quite a >>few of our client machines. This is the exact same image, but with the >>extra flag to configure. >> >>Will Metcalf wrote: >> >>>Hmmm does it work ok if you don't --enable-clamav? >>> >>>Regards, >>> >>>Will >>>On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black >>><bla...@um...> wrote: >>> >>> >>>>Excellent information, thank you. 
>>>> >>>>Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes >>>>immediately on boot with this error: >>>> >>>>rcmdsh: unknown user: =EF=BF=BD=EF=BF=BD=EF=BF=BD$=EF=BF=BDPjV=EF=BF=BDs= =EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD F=EF=BF=BD=EF=BF=BDX >>>>Bus error (core dumped) >>>>localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline), >>>>uid 0: exited on signal 10 (core dumped) >>>> >>>>gdb says: >>>>(gdb) core-file snort_inline.core >>>>Core was generated by `snort_inline'. >>>>Program terminated with signal 10, Bus error. >>>>#0 0x281cb2b0 in ?? () >>>>(gdb) >>>> >>>>Any ideas? >>>> >>>>Thanks! >>>> >>>>Chris >>>> >>>>Will Metcalf wrote: >>>> >>>> >>>>>>1) Is ClamAV enabled in a default build of snort_inline? >>>>> >>>>> >>>>>The code is there, but by default it is disabled. To enable >>>>>./configure --enable-clamav >>>>> >>>>> >>>>> >>>>> >>>>>>2) How are snort_inline and ClamAV interconnected? ie: is it possible >>>>>>to upgrade the ClamAV engine without affecting snort_inline? >>>>> >>>>> >>>>>libclamav, you can upgrade as long as you are going from 0.8x to 0.8y >>>>>or 0.7x to 0.7y you need to rebuild if you go from 0.7x to 0.8x >>>>> >>>>> >>>>> >>>>> >>>>>>3) In snort_inline 2.2.0a, how are the virus and IDS signature databases >>>>>>re-read after a change? (Send a SIGHUP, restart, etc) >>>>> >>>>> >>>>>SIGHUP or a restart. This is manual, in 2.3.0 you can specify an >>>>>interval at which to reread the AV database. You still have to SIGHUP >>>>>snort update the signatures. >>>>> >>>>>Regards, >>>>> >>>>>Will >>>>> >>>>>On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black >>>>><bla...@um...> wrote: >>>>> >>>>> >>>>> >>>>>>Hi all, I have some basic questions about ClamAV support. >>>>>> >>>>>>1) Is ClamAV enabled in a default build of snort_inline? >>>>>>2) How are snort_inline and ClamAV interconnected? ie: is it possible >>>>>>to upgrade the ClamAV engine without affecting snort_inline? 
>>>>>>3) In snort_inline 2.2.0a, how are the virus and IDS signature databases >>>>>>re-read after a change? (Send a SIGHUP, restart, etc) >>>>>> >>>>>>Thanks! >>>>>> >>>>>>Chris >>>>>> >>>>>> >>>>>> >>>> >>>>-- >>>> >>>> >>>> >>> >>> >>-- >> >> >> > > -- Christopher Black Interim Unix/Linux Administrator University of Michigan | Physics OCS bla...@um... | (734) 764-3348 |