From: Roman G. <sl...@sl...> - 2007-04-13 21:13:44
Roman Glebov wrote:
> Here is the file which crashes clamav when you download it over
> ftp:
>
> http://sleon.dyndns.org/~sleon/b54d95391450d7d4a9a955c20eef36bf.EXE
>
> try it :))))
> I am using clamav
> clamscan --version
> ClamAV 0.88.5/2035/Sun Oct 15 22:42:30 2006
>
> Roman Glebov wrote:
>> I am testing clamav-snort_inline now.
>
>> I have here 3000 viruses which I download with ftp. On some virus
>> it chokes and brings input-output error (output by snort log).
>> This causes the whole snort_inline to crash!
>
>> Any ideas how to prevent whole snort_inline from crashing when
>> clamav gets problems?
>
>> With regards
>
>> Roman Glebov
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>

OK, now I upgraded to the latest clamav.

ClamAV 0.90.2/2035/Sun Oct 15 22:42:30 2006

clamscan gives the following output:

clamscan 01296e4293cabec32e1f516185b15235.EXE
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
01296e4293cabec32e1f516185b15235.EXE: OK

----------- SCAN SUMMARY -----------
Known viruses: 73019
Engine version: 0.90.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.30 MB
Time: 2.070 sec (0 m 2 s)

but snort_inline gets:

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
Preprocessor Object: SF_DNS Version 1.0 <Build 1>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
Not Using PCAP_FRAMES
04/13-23:05:33.027756 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:49702 -> 192.168.2.50:54457
04/13-23:05:33.028802 [**] [132:1:1] (spp_clamav) Virus Found: ClamAV-Test-File [**] {TCP} 192.168.2.3:49702 -> 192.168.2.50:54457
04/13-23:05:37.524721 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:47192 -> 192.168.2.50:34144
04/13-23:05:37.525568 [**] [132:1:1] (spp_clamav) Virus Found: ClamAV-Test-File [**] {TCP} 192.168.2.3:47192 -> 192.168.2.50:34144
04/13-23:05:39.936354 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:7868 -> 192.168.2.50:41734
ERROR: ClamAV scan error: Input/Output error.
Fatal Error, Quitting..

when it gets this file. The link to the file is at:

http://sleon.dyndns.org/~sleon/01296e4293cabec32e1f516185b15235.EXE

Try it out. I attach my snort_inline config :)

By the way, with these settings I get 190mb/s! on the dualcore p4 server

Roman