From: <per...@gm...> - 2006-11-04 20:48:09

Sorry for replying to you directly. I'm replying to the list now.

---------- Forwarded message ----------
From: Francisco Muñoz <per...@gm...>
Date: Nov 4, 2006 4:46 PM
Subject: Re: [Snort-inline-users] Clamav
To: Victor Julien <vi...@nk...>

Thanks a lot Victor, for the quick reply.

> > > When I uncomment the "preprocessor clamav" line, all traffic is dropped.
> >
> > This behaviour is consistent with the directory spp_clamav uses not
> > being usable for some reason.

Well, I suppose then the compile process is right; I must be doing something else wrong. What else can I do to make it work? I'll do anything you say.

> > #preprocessor clamav: toclientonly, ports all !22 !443, action-drop,
> > descriptor-temp-dir /clamscan, dbreload-time 43200
>
> Does the directory /clamscan (in the root filesystem) exist? If so, does
> Snort_inline have permissions to read and write there?

Yes, the directory exists. But using /tmp doesn't help either.

    # This file is edited by fstab-sync - see 'man fstab-sync' for details
    /dev/VolGroup00/LogVol00  /              ext3    defaults                                  1 1
    LABEL=/boot1              /boot          ext3    defaults                                  1 2
    none                      /dev/pts       devpts  gid=5,mode=620                            0 0
    none                      /dev/shm       tmpfs   defaults                                  0 0
    none                      /proc          proc    defaults                                  0 0
    none                      /sys           sysfs   defaults                                  0 0
    /dev/hdb4                 swap           swap    defaults                                  0 0
    /dev/VolGroup00/LogVol01  swap           swap    defaults                                  0 0
    none                      /clamscan      tmpfs   mode=0775,size=64m,nr_inodes=256k         0 0
    /dev/hdc                  /media/cdrom   auto    pamconsole,exec,noauto,managed            0 0
    /dev/hdb2                 /tools         ext3    defaults                                  1 1

and is currently mounted:

    Filesystem                      1K-blocks      Used Available Use% Mounted on
    /dev/mapper/VolGroup00-LogVol00  37317304   3598848  31822828  11% /
    /dev/hda1                          101086     14894     80973  16% /boot
    none                               517404         0    517404   0% /dev/shm
    none                                65536         0     65536   0% /clamscan
    /dev/hdb2                        76306808  52932092  19498504  74% /tools

> > > I'm running snort_inline (for test purposes only) this way:
> > > snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l
> > > /var/log/snort_inline -t /var/log/snort_inline -v
>
> -t means:
> -t <dir>  Chroots process to <dir> after initialization
>
> I think this might be a problem. If you want to run snort_inline in a
> chroot (I've never tried this) make sure the temp directory for clamav
> exists in there.

I'll not be running snort_inline chrooted again. I thought it'd improve performance.

> Hope this helps!
> Victor

Thanks again.

--
Francisco
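Victor's point about -t is the one worth turning into a check: after the chroot, snort_inline only sees what is under /var/log/snort_inline, so a descriptor-temp-dir mounted on the host root, like the /clamscan tmpfs in the fstab above, is simply absent from the process's view. The script below is an added example, not code from the snort_inline project or from this thread. It pulls descriptor-temp-dir out of a snort_inline.conf and tests the path as it would resolve after the chroot. The config file it builds, the chroot directory and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the snort_inline project or from this thread.
# Checks that the clamav preprocessor's descriptor-temp-dir exists and is
# writable at the place snort_inline will see it after "-t <chroot>".

# Print the descriptor-temp-dir value from the first uncommented
# "preprocessor clamav:" line of the given config file (empty if none).
clamav_temp_dir() {
    sed -n 's/^[[:space:]]*preprocessor[[:space:]]*clamav:.*descriptor-temp-dir[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Resolve an absolute temp dir against a chroot directory ("" or "/" means
# no chroot) and print the host-side path the chrooted process would open.
resolve_in_chroot() {
    base="${1%/}"
    printf '%s\n' "$base$2"
}

# Return 0 when the resolved path is a writable directory, 1 otherwise.
# Run this as the user snort_inline drops to: for root, -w is always true.
check_temp_dir() {
    target=$(resolve_in_chroot "$1" "$2")
    [ -d "$target" ] && [ -w "$target" ]
}

# Demo on a constructed config (the preprocessor line from the thread,
# uncommented) and a throw-away chroot directory; both are assumptions.
demo_dir=$(mktemp -d)
cat > "$demo_dir/snort_inline.conf" <<'EOF'
# trimmed snort_inline.conf, constructed for this example
preprocessor clamav: toclientonly, ports all !22 !443, action-drop, descriptor-temp-dir /clamscan, dbreload-time 43200
EOF
tmpdir=$(clamav_temp_dir "$demo_dir/snort_inline.conf")
jail="$demo_dir/var/log/snort_inline"
mkdir -p "$jail"

# First pass reproduces the thread: /clamscan exists only on the host root.
if check_temp_dir "$jail" "$tmpdir"; then
    echo "ok: $tmpdir usable inside chroot $jail"
else
    echo "FAIL: $(resolve_in_chroot "$jail" "$tmpdir") missing or not writable; create it or drop -t"
fi

# Second pass: create the directory inside the chroot and re-check.
mkdir -p "$(resolve_in_chroot "$jail" "$tmpdir")"
if check_temp_dir "$jail" "$tmpdir"; then
    echo "ok: $tmpdir usable inside chroot $jail"
fi
rm -rf "$demo_dir"
```

Note that a tmpfs mounted at /clamscan on the host does not carry into the chroot by creating /var/log/snort_inline/clamscan; that directory would be ordinary disk unless you also mount a tmpfs there, so either mount it inside the chroot or run without -t as Francisco chose to.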