From: Victor J. <vi...@nk...> - 2005-10-12 21:27:06
davide belloni wrote:
> Can I ask the reason of this line:
>
> File descriptor scanning mode: Disabled, using cl_scanbuf
> Directory for tempfiles (file descriptor mode): ''
>
> ????
>

Originally we used the cl_scanbuf function from clamav to scan the packet payload. This function, however, is going to be removed from a future clamav release, so we were forced to look into alternatives. The file descriptor mode is what came out of this. Basically it stores every payload on disk (can be a ramdisk for performance) and then scans the file. You can give the directory where the files are saved as an option to the clamav preprocessor. The file desc mode should be able to detect more viruses because of the way it works internally in clamav.

Example:

preprocessor clamav: ports all !22 !443, action-drop, dbreload-time 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline

Regards,
Victor
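An added example, not part of the original message or of snort_inline: since file descriptor mode writes every packet payload into the descriptor-temp-dir, this shell check confirms that directory is not a symlink, is owned by the invoking user, and is closed to group and other before it is used. It assumes Linux with GNU coreutils `stat` and that it is run as the same user as snort_inline; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the directory given as descriptor-temp-dir.
# Assumptions: GNU stat, run as the user the snort_inline process runs as.
# Usage: check_scan_tmpdir /tmp/snort-inline && scan_tmpdir_fstype /tmp/snort-inline

check_scan_tmpdir() {
    dir=$1
    # Test for a symlink before -d, because -d follows symlinks. A link under a
    # world-writable parent such as /tmp could redirect the payload files.
    if [ -L "$dir" ]; then
        echo "$dir: is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: not an existing directory" >&2
        return 1
    fi
    # The directory must belong to us; someone else may have pre-created it.
    owner=$(stat -c '%u' "$dir")
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir: owned by uid $owner, expected $(id -u)" >&2
        return 1
    fi
    # The octal mode must end in 00: no access for group or other, so captured
    # payloads cannot be read or replaced by other local users.
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        *00) ;;
        *) echo "$dir: mode $mode allows group/other access" >&2
           return 1 ;;
    esac
    if [ ! -w "$dir" ]; then
        echo "$dir: not writable" >&2
        return 1
    fi
    return 0
}

# Print the filesystem type backing the directory; "tmpfs" means the ramdisk
# setup mentioned in the message, anything else means payloads hit real disk.
scan_tmpdir_fstype() {
    stat -f -c '%T' "$1"
}
```
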