From: Victor J. <li...@in...> - 2007-04-14 11:04:26
Victor Julien wrote:
> Will Metcalf wrote:
>
>> Looks like PE analysis code in clamav is causing it to blow up, we can
>> add some code to deal with this return value but I want to dig into it
>> a bit more before we decide to do so.
>>
>>
> If you look at the negative returncodes from clamav.h you can see we
> can't kill snort for (all of) them (as we assumed before):
>
> #define CL_EIO -12 /* general I/O error */
> #define CL_EFORMAT -13 /* bad format or broken file */
>
> My suggestion is to not use FatalError but create an alert for this,
> something like "Virusscan Failed" and add an option to the configuration
> to enable the admin to either pass or drop failed scans. While we are at
> it we should do the same for the positive returncodes. What do you think?
>

Okay, I've cooked up the attached patch to address the issue. The patch
is against the SVN trunk. Comments are welcome!

Cheers,
Victor
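Added example, not part of the original message and not the attached patch or the project's code: a sketch of the handling proposed above, where a failed scan raises a "Virusscan Failed" alert and a configured policy decides pass or drop instead of the process exiting. The function, enum and struct names, the "Virus Found" string, and dropping on an infected result are assumptions made for illustration; only CL_EIO and CL_EFORMAT are taken from the message.

```c
#include <stdio.h>

/* CL_EIO and CL_EFORMAT are the values quoted in the message; CL_CLEAN and
 * CL_VIRUS are libclamav's clean/infected results. Defined locally so the
 * example builds without clamav.h. */
#define CL_CLEAN    0
#define CL_VIRUS    1
#define CL_EIO     -12  /* general I/O error */
#define CL_EFORMAT -13  /* bad format or broken file */

/* Hypothetical names: not identifiers from the patch or from snort. */
enum fail_policy { FAIL_PASS, FAIL_DROP };  /* admin's choice for failed scans */
enum verdict { V_PASS, V_DROP };

struct scan_outcome {
    enum verdict verdict;
    const char *alert;  /* NULL when nothing should be logged */
};

/* Map a scan return code to a verdict and an alert without aborting:
 * a file the scanner cannot parse must not stop the sensor. */
struct scan_outcome handle_scan_result(int ret, enum fail_policy policy)
{
    struct scan_outcome out = { V_PASS, NULL };

    if (ret == CL_CLEAN)
        return out;
    if (ret == CL_VIRUS) {          /* assumption: infected traffic is dropped */
        out.verdict = V_DROP;
        out.alert = "Virus Found";  /* constructed alert text */
        return out;
    }
    /* Assumption: every other code, negative or positive, is a failed scan. */
    out.alert = "Virusscan Failed";
    out.verdict = (policy == FAIL_DROP) ? V_DROP : V_PASS;
    return out;
}

int main(void)
{
    int codes[] = { CL_CLEAN, CL_VIRUS, CL_EIO, CL_EFORMAT };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct scan_outcome o = handle_scan_result(codes[i], FAIL_DROP);
        printf("ret=%d verdict=%s alert=%s\n", codes[i],
               o.verdict == V_DROP ? "drop" : "pass", o.alert ? o.alert : "-");
    }
    return 0;
}
```

With FAIL_PASS the sensor fails open (traffic continues, alert logged); with FAIL_DROP it fails closed, so a file that breaks the scanner cannot be used to slip content past it.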