Re: [Snort-inline-users] snortinline-clamav crashes snort_inline

[Roman G. <sl...@sl...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Victor Julien wrote:
> Will Metcalf wrote:
>> Looks like PE analysis code in clamav is causing it to blow up,
>> we can add some code to deal with this return value but I want to
>> dig into it a bit more before we decide to do so.
>>
> If you look at the negative returncodes from clamav.h you can see
> we can't kill snort for (all of) them (as we assumed before):
>
> #define CL_EIO          -12 /* general I/O error */ #define
> CL_EFORMAT      -13 /* bad format or broken file */
>
> My suggestion is to not use FatalError but create an alert for
> this, something like "Virusscan Failed" and add an option to the
> configuration to enable the admin to either pass or drop failed
> scans. While we are at it we should do the same for the positive
> returncodes. What do you think?
>
> Cheers, Victor
>
i think it is great idea!!

look, when i have ids in inline mode and it crashes because of this
thing.... it is something wich should never happen!

please let admins to choose .

thank you all,

roman glebov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBRiDns7hQu20hGMIkAQL6lw//UCNJJtrMeCyzZrZskoqlTMSOjpo2Jo20
jdpjQegM6mWFR4MEnSsk/RhjZWzYssAQ36Gwxj+A7TA8U85OzahkOaI8EK6D6Loo
4/5s56twUaQKbdNpSDNySdli1pigVQnejjtNVun1Gn7o8/HbZPUfMAUV3BZOLbwl
n7ZajDtgstVzCnvVMdZ8ONnzuo+/8nXH2ai/ATp2DIBucB9rwEdwGZxEkL51Ot/S
UgCPlAz4k0FUC4ZC1PONaXFpaKvxN7Jl4jV5W1JK7ktPa2xgBQamUm87eHC/9/I7
dtmfW0IeR0mHrthKpOTY/APmzBMfydTpNmMfyKWO4Z8EjqEv5S1OUQ/H8iuJnJF2
hso0RumIPTlDxgkLLF8oOiueYWrjtK8/23nRRZdqruDqOo2D16Kep81TpHTwup4K
EvWQ89AEHJ9c8OdkVp3sDMPHeytx+ENkjSltEInmLTx54/7x9ElhREx3XFKjS1sS
pSxryRpuqrol/lThQRrMv0qNTXDOGSZjdtbS9igvWxt+DmmvDbc/R9K5SqCZLlSJ
Tp3H8gN5v3kvFuFejePp0Cy16Uk6O5qlcJzixCPp7xNE5gJ3VmB3A2s3B405GQWF
/Apc6bIGqnkYPaQS8cySVYuVMEfcApJpTelki1KBw8Ogx6xvfbwfE543C6TdLGbl
vIeAXpx2Smg=
=jrCr
-----END PGP SIGNATURE-----