From: Mohamed B. <mb...@gm...> - 2005-03-15 13:42:34

Hello,

Thank you for your answer. Indeed, I have tested with the Sober virus and it was detected successfully. I did one test with a compressed file, and the virus was not detected. Why this limitation, when libclamav makes it possible to detect viruses in compressed files?

Cordially.

On Mon, 14 Mar 2005 17:57:13 -0600, William Metcalf <Wil...@kc...> wrote:
>
> If you are testing with eicar and clam.exe they won't do you any good. The
> "problem" is with the signature in the ClamAV database for these two test
> files. The signature for eicar and clam.exe is only triggered if the
> signature is at the beginning of a file or in this case a buffer. If you are
> downloading over the web, these signatures will not fire. Victor and I
> tested this weekend to make sure we could still catch live virii over port
> 80 and we could.
>
> Regards,
>
> Will
>
> Mohamed Berzig <mb...@gm...>
> Sent by: sno...@li...
>
> 03/14/2005 09:10 AM
> Please respond to
> Mohamed Berzig <mb...@gm...>
>
> To
> sno...@li...
>
> cc
>
> Subject
> [Snort-inline-users] Snort_inline and ClamAV
>
> Small problem: I can still download viruses via HTTP even though I have
> configured the "preprocessor clamav" correctly. Does somebody have an idea
> about my problem?
>
> Here is my configuration of snort_inline:
>
> var HOME_NET any
> var HONEYNET any
> var EXTERNAL_NET any
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
>
> var HTTP_PORTS 80
>
> var SHELLCODE_PORTS !80
>
> var ORACLE_PORTS 1521
>
> config checksum_mode: none
>
> var RULE_PATH rules
>
> config layer2resets
>
> preprocessor stickydrop: max_entries 3000,log
> preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
>
> preprocessor flow: stats_interval 0 hash 2
>
> preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
> preprocessor stream4_reassemble: both
>
> preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> preprocessor rpc_decode: 111 32771
>
> preprocessor bo
> preprocessor telnet_decode
> preprocessor sfportscan: proto { all } \
>     memcap { 10000000 } \
>     sense_level { low }
>
> include /etc/snort/classification.config
> include /etc/snort/reference.config
>
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> .
> .
> .
>
> Here is my configuration of iptables:
>
> iptables -A INPUT -p tcp --sport 80 -j QUEUE
> iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
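The behaviour Will describes (a test-file signature that only fires when the pattern sits at the very start of a file or buffer, so it is missed when the same bytes arrive inside an HTTP download) can be illustrated with a small scanner model. The following is an added example, not code from this thread, from Snort_inline or from ClamAV: the signature pattern, the `scan_buffer` and `http_body` helpers, and the HTTP response are all constructed for this illustration, and the anchored-match rule is an assumption that stands in for the real ClamAV signature semantics.

```python
"""
Toy model of anchored vs. position-independent signature matching.

Added example for the snort-inline thread above; it is not Snort_inline or
ClamAV code. TEST_PATTERN is a constructed stand-in for a test-file
signature (assumption: not a real ClamAV signature), and HTTP_RESPONSE is a
constructed sample of what a stream scanner sees when it is handed a raw
reassembled HTTP download, headers included.
"""

from typing import Optional

# Constructed pattern standing in for an anchored test-file signature.
TEST_PATTERN = b"X-TOY-TEST-FILE-PATTERN-FOR-EXAMPLE-ONLY"


def scan_buffer(buf: bytes, pattern: bytes, anchored: bool) -> Optional[int]:
    """Return the offset at which `pattern` matches `buf`, or None.

    anchored=True models a signature that is only recognised at offset 0
    (the start of a file, or of the buffer handed to the scanner).
    anchored=False searches the whole buffer.
    """
    if anchored:
        return 0 if buf.startswith(pattern) else None
    idx = buf.find(pattern)
    return idx if idx >= 0 else None


def http_body(buf: bytes) -> bytes:
    """Strip an HTTP/1.x response head and return only the body.

    If no header/body separator is present the buffer is returned unchanged,
    so a bare file is scanned as-is.
    """
    _head, sep, body = buf.partition(b"\r\n\r\n")
    return body if sep else buf


# Constructed sample: the test pattern delivered as the body of an HTTP
# response, which is what an inline scanner sees on a web download.
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: " + str(len(TEST_PATTERN)).encode() + b"\r\n"
    + b"\r\n"
    + TEST_PATTERN
)


def demo() -> dict:
    """Run the four cases that matter and return the match offsets."""
    return {
        # Bare file on disk: anchored signature fires at offset 0.
        "file_anchored": scan_buffer(TEST_PATTERN, TEST_PATTERN, anchored=True),
        # Same bytes inside an HTTP response: anchored signature misses.
        "stream_anchored": scan_buffer(HTTP_RESPONSE, TEST_PATTERN, anchored=True),
        # Position-independent search still finds it after the headers.
        "stream_unanchored": scan_buffer(HTTP_RESPONSE, TEST_PATTERN, anchored=False),
        # Scanning only the decoded body restores the anchored match.
        "body_anchored": scan_buffer(http_body(HTTP_RESPONSE), TEST_PATTERN, anchored=True),
    }


if __name__ == "__main__":
    for case, offset in demo().items():
        print(f"{case}: " + ("no match" if offset is None else f"match at offset {offset}"))
```

The practical reading for anyone validating an inline scanner is the one Will gives: a test file whose signature is anchored at the start of a buffer is not evidence either way about HTTP traffic, so confirm the setup with a sample that the scanner matches position-independently, as Mohamed did with the Sober sample.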