From: Victor J. <vi...@nk...> - 2005-03-15 14:40:37
On Tuesday 15 March 2005 14:42, Mohamed Berzig wrote:
> Hello, I thank you for your answer. Indeed I have tested with the Sober
> virus and it was detected successfully. I did one test with a compressed
> file, and the virus was not detected. Why this limitation, whereas
> libclamav makes it possible to detect viruses in compressed files?

The ClamAV preprocessor uses the cl_scanbuf function from libclamav. This
function can only scan a raw data buffer for viruses. This buffer is not
unpacked or preprocessed in any way. Furthermore, the data the ClamAV
preprocessor feeds to cl_scanbuf is almost never a complete file, but most of
the time a part of it, together with HTML data for example (this makes
unpacking impossible).

The ClamAV preprocessor is not a replacement for an HTTP proxy that scans all
downloaded files. The ClamAV preprocessor (hopefully) is able to detect
viruses that can execute immediately in the browser, IM client or email
client. At least that's how I use it :-)

In Snort_inline 2.3.2RC2 (hopefully out soon) we will introduce an option to
also use cl_scandesc from libclamav. This should be able to detect some more
viruses, but the problem of the partial and unclean buffer won't be fixed by
it.

I hope this answers your question.

Regards,
Victor

> Cordially.
>
> On Mon, 14 Mar 2005 17:57:13 -0600, William Metcalf
> <Wil...@kc...> wrote:
> > If you are testing with eicar and clam.exe they won't do you any good.
> > The "problem" is with the signature in the ClamAV database for these two
> > test files. The signature for eicar and clam.exe is only triggered if
> > the signature is at the beginning of a file or, in this case, a buffer. If
> > you are downloading over the web, these signatures will not fire. Victor
> > and I tested this weekend to make sure we could still catch live virii
> > over port 80 and we could.
> >
> > Regards,
> >
> > Will
> >
> > Mohamed Berzig <mb...@gm...>
> > Sent by: sno...@li...
> > 03/14/2005 09:10 AM
> > Please respond to: Mohamed Berzig <mb...@gm...>
> > To: sno...@li...
> > Subject: [Snort-inline-users] Snort_inline and ClamAV
> >
> > Small problem: I can still download viruses via HTTP even though I have
> > configured the "preprocessor clamav" well. Does somebody have an idea
> > about my problem?
> > Here is my configuration of snort_inline:
> >
> > var HOME_NET any
> > var HONEYNET any
> > var EXTERNAL_NET any
> > var SMTP_SERVERS any
> > var TELNET_SERVERS any
> > var HTTP_SERVERS any
> > var SQL_SERVERS any
> >
> > var HTTP_PORTS 80
> >
> > var SHELLCODE_PORTS !80
> >
> > var ORACLE_PORTS 1521
> >
> > config checksum_mode: none
> >
> > var RULE_PATH rules
> >
> > config layer2resets
> >
> > preprocessor stickydrop: max_entries 3000,log
> > preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000,
> > clamav 3000
> >
> > preprocessor flow: stats_interval 0 hash 2
> >
> > preprocessor stream4: disable_evasion_alerts, stream4inline,
> > enforce_state, memcap 134217728, timeout 3600
> > preprocessor stream4_reassemble: both
> >
> > preprocessor clamav: ports all !22 !443, action-drop, dbdir
> > /usr/share/clamav, dbreload-time 43200
> >
> > preprocessor http_inspect: global \
> > iis_unicode_map unicode.map 1252
> >
> > preprocessor http_inspect_server: server default \
> > profile all ports { 80 8080 8180 } oversize_dir_length 500
> >
> > preprocessor rpc_decode: 111 32771
> >
> > preprocessor bo
> > preprocessor telnet_decode
> > preprocessor sfportscan: proto { all } \
> > memcap { 10000000 } \
> > sense_level { low }
> >
> > include /etc/snort/classification.config
> > include /etc/snort/reference.config
> >
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/ftp.rules
> > include $RULE_PATH/telnet.rules
> > .
> > .
> > .
> >
> > Here is my configuration of iptables:
> >
> > iptables -A INPUT -p tcp --sport 80 -j QUEUE
> > iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
> >
> > -------------------------------------------------------
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
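As an added illustration of the two points made in this thread (Victor's: the preprocessor scans an unpacked, partial buffer that carries protocol data in front of the payload; Will's: the eicar/clam.exe signatures only fire at the start of a file or buffer), here is a small Python model. It is not code from Snort_inline or libclamav. The signature string, the HTTP response and the way it is split into chunks are all constructed for the example; a made-up stand-in is used instead of the real EICAR string.

```python
import gzip

# Constructed stand-in for an offset-0 ("anchored") test signature. The
# eicar/clam.exe signatures the thread refers to behave this way, but this
# string itself is made up for the example.
ANCHORED_SIG = b"CONSTRUCTED-TEST-SIGNATURE-v1"


def scan_anchored(buf: bytes) -> bool:
    """Signature that only fires when the match starts at offset 0."""
    return buf.startswith(ANCHORED_SIG)


def scan_anywhere(buf: bytes) -> bool:
    """Same signature, but allowed to match at any offset in the buffer."""
    return ANCHORED_SIG in buf


def http_body(buf: bytes) -> bytes:
    """Return the body of an HTTP response buffer, or the buffer unchanged if
    it does not start with a complete response head (no CRLFCRLF yet)."""
    if not buf.startswith(b"HTTP/"):
        return buf
    sep = buf.find(b"\r\n\r\n")
    return buf if sep == -1 else buf[sep + 4:]


def scan_chunks(chunks, scanner) -> bool:
    """Scan each chunk on its own, like a preprocessor that sees one
    reassembly window at a time and carries no state between windows."""
    return any(scanner(c) for c in chunks)


def scan_unpacked(buf: bytes, scanner) -> bool:
    """Scan the buffer as-is, then as gzip: the unpacking step a raw-buffer
    scan never performs."""
    if scanner(buf):
        return True
    try:
        return scanner(gzip.decompress(buf))
    except (OSError, EOFError):
        return False


# Constructed HTTP response carrying the test payload as its body.
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(ANCHORED_SIG)) + ANCHORED_SIG


def demo() -> dict:
    r = {}
    # 1. Anchored signature: fine on a file, blind once HTTP headers precede it.
    r["file_anchored"] = scan_anchored(ANCHORED_SIG)
    r["http_anchored"] = scan_anchored(RESPONSE)
    r["http_anywhere"] = scan_anywhere(RESPONSE)
    r["http_body_anchored"] = scan_anchored(http_body(RESPONSE))
    # 2. Partial buffers: payload split across two reassembly windows, so
    #    neither window contains the whole signature.
    cut = len(RESPONSE) - len(ANCHORED_SIG) // 2
    chunks = [RESPONSE[:cut], RESPONSE[cut:]]
    r["split_chunks"] = scan_chunks(chunks, scan_anywhere)
    r["rejoined"] = scan_anywhere(b"".join(chunks))
    # 3. Compressed payload: a raw-buffer scan only ever sees deflate output.
    packed = gzip.compress(ANCHORED_SIG)
    r["gzip_raw"] = scan_anywhere(packed)
    r["gzip_unpacked"] = scan_unpacked(packed, scan_anywhere)
    return r


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20s} {hit}")
```

Only the "file_anchored", "http_anywhere", "http_body_anchored", "rejoined" and "gzip_unpacked" cases detect the payload; the HTTP-prefixed, split and gzip-compressed buffers all slip past a scanner that works the way the thread describes, which is why a proxy that reassembles and unpacks whole files remains the right tool for downloads.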