From: Roman G. <sl...@sl...> - 2007-04-13 19:31:36

I am testing clamav-snort_inline now.

I have here 3000 viruses which I download with ftp. On some virus it chokes and brings an input-output error (output by snort log). This causes the whole snort_inline to crash!

Any ideas how to prevent the whole snort_inline from crashing when clamav gets problems?

With regards

Roman Glebov
From: Roman G. <sl...@sl...> - 2007-04-13 19:59:46

Here is the file which crashes clamav when you download it over ftp:

http://sleon.dyndns.org/~sleon/b54d95391450d7d4a9a955c20eef36bf.EXE

try it :)))) I am using clamav

clamscan --version
ClamAV 0.88.5/2035/Sun Oct 15 22:42:30 2006

Roman Glebov wrote:
> I am testing clamav-snort_inline now.
>
> I have here 3000 viruses which I download with ftp. On some virus
> it chokes and brings an input-output error (output by snort log).
> This causes the whole snort_inline to crash!
>
> Any ideas how to prevent the whole snort_inline from crashing when
> clamav gets problems?
>
> With regards
>
> Roman Glebov
From: Roman G. <sl...@sl...> - 2007-04-13 21:13:44
Attachments:
snort_inline.conf

Roman Glebov wrote:
> Here is the file which crashes clamav when you download it over
> ftp:
>
> http://sleon.dyndns.org/~sleon/b54d95391450d7d4a9a955c20eef36bf.EXE
>
> try it :)))) I am using clamav
> clamscan --version
> ClamAV 0.88.5/2035/Sun Oct 15 22:42:30 2006
>
> Roman Glebov wrote:
>> I am testing clamav-snort_inline now.
>>
>> I have here 3000 viruses which I download with ftp. On some virus
>> it chokes and brings an input-output error (output by snort log).
>> This causes the whole snort_inline to crash!
>>
>> Any ideas how to prevent the whole snort_inline from crashing when
>> clamav gets problems?
>>
>> With regards
>>
>> Roman Glebov

Ok, now I upgraded to the latest clamav.

ClamAV 0.90.2/2035/Sun Oct 15 22:42:30 2006

clamscan gives the following output:

clamscan 01296e4293cabec32e1f516185b15235.EXE
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days.    ***
LibClamAV Warning: *** Please update it IMMEDIATELY!               ***
LibClamAV Warning: **************************************************
01296e4293cabec32e1f516185b15235.EXE: OK

----------- SCAN SUMMARY -----------
Known viruses: 73019
Engine version: 0.90.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.30 MB
Time: 2.070 sec (0 m 2 s)

but snort_inline becomes:

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
Preprocessor Object: SF_DNS Version 1.0 <Build 1>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
Not Using PCAP_FRAMES
04/13-23:05:33.027756 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:49702 -> 192.168.2.50:54457
04/13-23:05:33.028802 [**] [132:1:1] (spp_clamav) Virus Found: ClamAV-Test-File [**] {TCP} 192.168.2.3:49702 -> 192.168.2.50:54457
04/13-23:05:37.524721 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:47192 -> 192.168.2.50:34144
04/13-23:05:37.525568 [**] [132:1:1] (spp_clamav) Virus Found: ClamAV-Test-File [**] {TCP} 192.168.2.3:47192 -> 192.168.2.50:34144
04/13-23:05:39.936354 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 192.168.2.3:7868 -> 192.168.2.50:41734
ERROR: ClamAV scan error: Input/Output error. Fatal Error, Quitting..

when it gets this file. The link to the file is at:

http://sleon.dyndns.org/~sleon/01296e4293cabec32e1f516185b15235.EXE

try it out. I attach my snort_inline config :) By the way, with these settings I get 190mb/s on the dualcore p4 server.

Roman
From: Will M. <wil...@gm...> - 2007-04-13 23:29:07

Looks like PE analysis code in clamav is causing it to blow up; we can add some code to deal with this return value, but I want to dig into it a bit more before we decide to do so.

clamscan /tmp/snort_inline-clamav-UlHUSu
/tmp/snort_inline-clamav-UlHUSu: Input/Output error

----------- SCAN SUMMARY -----------
Known viruses: 108346
Engine version: 0.90.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 14.471 sec (0 m 14 s)

clamscan --no-pe /tmp/snort_inline-clamav-UlHUSu
/tmp/snort_inline-clamav-UlHUSu: OK

----------- SCAN SUMMARY -----------
Known viruses: 108346
Engine version: 0.90.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 14.276 sec (0 m 14 s)

Regards,
Will
From: Victor J. <li...@in...> - 2007-04-13 23:37:48

Will Metcalf wrote:
> Looks like PE analysis code in clamav is causing it to blow up, we can
> add some code to deal with this return value but I want to dig into it
> a bit more before we decide to do so.
>
If you look at the negative return codes from clamav.h you can see we can't kill snort for (all of) them (as we assumed before):

#define CL_EIO -12 /* general I/O error */
#define CL_EFORMAT -13 /* bad format or broken file */

My suggestion is to not use FatalError but create an alert for this, something like "Virusscan Failed", and add an option to the configuration to enable the admin to either pass or drop failed scans. While we are at it we should do the same for the positive return codes. What do you think?

Cheers,
Victor
From: Victor J. <li...@in...> - 2007-04-14 11:04:26
Attachments:
clamav-error-handling.diff

Victor Julien wrote:
> Will Metcalf wrote:
>
>> Looks like PE analysis code in clamav is causing it to blow up, we can
>> add some code to deal with this return value but I want to dig into it
>> a bit more before we decide to do so.
>>
>>
> If you look at the negative return codes from clamav.h you can see we
> can't kill snort for (all of) them (as we assumed before):
>
> #define CL_EIO -12 /* general I/O error */
> #define CL_EFORMAT -13 /* bad format or broken file */
>
> My suggestion is to not use FatalError but create an alert for this,
> something like "Virusscan Failed" and add an option to the configuration
> to enable the admin to either pass or drop failed scans. While we are at
> it we should do the same for the positive return codes. What do you think?
>
Okay, I've cooked up the attached patch to address the issue. The patch is against the SVN trunk. Comments are welcome!

Cheers,
Victor
From: Roman G. <sl...@sl...> - 2007-04-14 14:42:32

Victor Julien wrote:
> Will Metcalf wrote:
>> Looks like PE analysis code in clamav is causing it to blow up,
>> we can add some code to deal with this return value but I want to
>> dig into it a bit more before we decide to do so.
>>
> If you look at the negative return codes from clamav.h you can see
> we can't kill snort for (all of) them (as we assumed before):
>
> #define CL_EIO -12 /* general I/O error */
> #define CL_EFORMAT -13 /* bad format or broken file */
>
> My suggestion is to not use FatalError but create an alert for
> this, something like "Virusscan Failed" and add an option to the
> configuration to enable the admin to either pass or drop failed
> scans. While we are at it we should do the same for the positive
> return codes. What do you think?
>
> Cheers, Victor
>
I think it is a great idea!! Look, when I have an IDS in inline mode and it crashes because of this thing.... it is something which should never happen! Please let admins choose.

Thank you all,

Roman Glebov