From: Victor J. <vi...@nk...> - 2006-11-04 20:20:40

Francisco Muñoz wrote:
> (by the way, I'm using vuurmuur 0.5.71 to generate my iptables rules.
> Kudos to Victor Julien)

Thanks ;-)

>
> I did use a tmpfs directory and set permissions to 0755 on that.
> sometimes I let file-descriptor-dir unconfigured so snort_inline uses
> /tmp but no luck anyway.
>
> When I uncomment the "preprocessor clamav" line, all traffic is dropped.

This behaviour is consistent with the directory spp_clamav uses not being usable for some reason.

> #preprocessor clamav: toclientonly, ports all !22 !443, action-drop,
> descriptor-temp-dir /clamscan, dbreload-time 43200

Does the directory /clamscan (in the root filesystem) exist? If so, does Snort_inline have permissions to read and write there?

>
>
> I'm running snort_inline (for test purposes only) this way:
> snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l
> /var/log/snort_inline -t /var/log/snort_inline -v

-t means:

    -t <dir> Chroots process to <dir> after initialization

I think this might be a problem. If you want to run snort_inline in a chroot (I've never tried this) make sure the temp directory for clamav exists in there.

Hope this helps!
Victor
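
The check suggested in the message above, as an added example that is not part of the original post: a shell script that reads `descriptor-temp-dir` from the active `preprocessor clamav` line and tests whether that directory exists and is usable under the directory passed to `-t`. The function names are hypothetical, and the script assumes it is run as the same user snort_inline runs as.

```shell
#!/bin/sh
# Added example, not from the original message or the snort_inline project.

# Print the temp directory of the active (uncommented) "preprocessor clamav"
# line in a snort_inline.conf. Backslash line continuations are joined first.
# Prints nothing when the preprocessor is commented out or absent.
clamav_temp_dir() {
    awk '
        { buf = buf $0 }
        buf ~ /\\$/ { sub(/\\$/, " ", buf); next }
        buf ~ /^[ \t]*preprocessor[ \t]+clamav/ {
            dir = "/tmp"   # fallback when the option is unset, per the post
            n = split(buf, f, /[ \t,]+/)
            for (i = 1; i < n; i++)
                if (f[i] == "descriptor-temp-dir") dir = f[i + 1]
        }
        { buf = "" }
        END { if (dir != "") print dir }' "$1"
}

# usage: check_clamav_dir <snort_inline.conf> [chroot-dir given to -t]
# After the chroot, a configured path such as /clamscan resolves to
# <chroot-dir>/clamscan, so that is the directory that has to exist.
check_clamav_dir() {
    conf=$1
    root=${2:-}
    dir=$(clamav_temp_dir "$conf")
    if [ -z "$dir" ]; then
        echo "clamav preprocessor is not enabled in $conf"
        return 0
    fi
    path="${root%/}$dir"
    if [ ! -d "$path" ]; then
        echo "MISSING: $path does not exist"
        return 1
    fi
    # Permission tests apply to the user running this script.
    if [ ! -r "$path" ] || [ ! -w "$path" ] || [ ! -x "$path" ]; then
        echo "NOT USABLE: $path is not readable, writable and searchable"
        return 2
    fi
    echo "OK: $path"
}

# Run the check when the script is called with arguments.
if [ "$#" -gt 0 ]; then check_clamav_dir "$@"; fi
```

For the command line quoted in the message, the call would be `check_clamav_dir /etc/snort_inline/snort_inline.conf /var/log/snort_inline`.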