From: Christopher B. <bla...@um...> - 2005-02-26 22:55:17
Attachments: signature.asc

Hi all, I have some basic questions about ClamAV support.

1) Is ClamAV enabled in a default build of snort_inline?
2) How are snort_inline and ClamAV interconnected? i.e. is it possible to upgrade the ClamAV engine without affecting snort_inline?
3) In snort_inline 2.2.0a, how are the virus and IDS signature databases re-read after a change? (Send a SIGHUP, restart, etc.)

Thanks!

Chris
From: Will M. <wil...@gm...> - 2005-02-27 03:27:51

> 1) Is ClamAV enabled in a default build of snort_inline?

The code is there, but by default it is disabled. To enable:

./configure --enable-clamav

> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
> to upgrade the ClamAV engine without affecting snort_inline?

libclamav. You can upgrade as long as you are going from 0.8x to 0.8y or 0.7x to 0.7y; you need to rebuild if you go from 0.7x to 0.8x.

> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
> re-read after a change? (Send a SIGHUP, restart, etc.)

SIGHUP or a restart. This is manual; in 2.3.0 you can specify an interval at which to reread the AV database. You still have to SIGHUP snort to update the signatures.

Regards,

Will

On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black <bla...@um...> wrote:
> Hi all, I have some basic questions about ClamAV support.
>
> 1) Is ClamAV enabled in a default build of snort_inline?
> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
> to upgrade the ClamAV engine without affecting snort_inline?
> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
> re-read after a change? (Send a SIGHUP, restart, etc.)
>
> Thanks!
>
> Chris
From: Christopher B. <bla...@um...> - 2005-02-27 23:30:02
Attachments: signature.asc

Excellent information, thank you.

Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes immediately on boot with this error:

rcmdsh: unknown user: ���$�PjV�s����� F��X
Bus error (core dumped)
localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline), uid 0: exited on signal 10 (core dumped)

gdb says:

(gdb) core-file snort_inline.core
Core was generated by `snort_inline'.
Program terminated with signal 10, Bus error.
#0  0x281cb2b0 in ?? ()
(gdb)

Any ideas?

Thanks!

Chris

Will Metcalf wrote:
>> 1) Is ClamAV enabled in a default build of snort_inline?
>
> The code is there, but by default it is disabled. To enable
> ./configure --enable-clamav
>
>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>> to upgrade the ClamAV engine without affecting snort_inline?
>
> libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
> or 0.7x to 0.7y; you need to rebuild if you go from 0.7x to 0.8x
>
>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>> re-read after a change? (Send a SIGHUP, restart, etc.)
>
> SIGHUP or a restart. This is manual; in 2.3.0 you can specify an
> interval at which to reread the AV database. You still have to SIGHUP
> snort to update the signatures.
>
> Regards,
>
> Will
>
> On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
> <bla...@um...> wrote:
>
>> Hi all, I have some basic questions about ClamAV support.
>>
>> 1) Is ClamAV enabled in a default build of snort_inline?
>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>> to upgrade the ClamAV engine without affecting snort_inline?
>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>
>> Thanks!
>>
>> Chris
From: Will M. <wil...@gm...> - 2005-02-28 05:02:30

Hmmm, does it work ok if you don't --enable-clamav?

Regards,

Will

On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black <bla...@um...> wrote:
> Excellent information, thank you.
>
> Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes
> immediately on boot with this error:
>
> rcmdsh: unknown user: ���$�PjV�s����� F��X
> Bus error (core dumped)
> localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline),
> uid 0: exited on signal 10 (core dumped)
>
> gdb says:
> (gdb) core-file snort_inline.core
> Core was generated by `snort_inline'.
> Program terminated with signal 10, Bus error.
> #0  0x281cb2b0 in ?? ()
> (gdb)
>
> Any ideas?
>
> Thanks!
>
> Chris
>
> Will Metcalf wrote:
>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>
>> The code is there, but by default it is disabled. To enable
>> ./configure --enable-clamav
>>
>>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>>> to upgrade the ClamAV engine without affecting snort_inline?
>>
>> libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
>> or 0.7x to 0.7y; you need to rebuild if you go from 0.7x to 0.8x
>>
>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>
>> SIGHUP or a restart. This is manual; in 2.3.0 you can specify an
>> interval at which to reread the AV database. You still have to SIGHUP
>> snort to update the signatures.
>>
>> Regards,
>>
>> Will
>>
>> On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
>> <bla...@um...> wrote:
>>
>>> Hi all, I have some basic questions about ClamAV support.
>>>
>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>>> to upgrade the ClamAV engine without affecting snort_inline?
>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>>
>>> Thanks!
>>>
>>> Chris
From: Christopher B. <bla...@um...> - 2005-02-28 05:34:18
Attachments: signature.asc

Yes sir, that's the configuration it's currently running in on quite a few of our client machines. This is the exact same image, but with the extra flag to configure.

Will Metcalf wrote:
> Hmmm, does it work ok if you don't --enable-clamav?
>
> Regards,
>
> Will
>
> On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black
> <bla...@um...> wrote:
>
>> Excellent information, thank you.
>>
>> Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes
>> immediately on boot with this error:
>>
>> rcmdsh: unknown user: ���$�PjV�s����� F��X
>> Bus error (core dumped)
>> localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline),
>> uid 0: exited on signal 10 (core dumped)
>>
>> gdb says:
>> (gdb) core-file snort_inline.core
>> Core was generated by `snort_inline'.
>> Program terminated with signal 10, Bus error.
>> #0  0x281cb2b0 in ?? ()
>> (gdb)
>>
>> Any ideas?
>>
>> Thanks!
>>
>> Chris
>>
>> Will Metcalf wrote:
>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>
>>> The code is there, but by default it is disabled. To enable
>>> ./configure --enable-clamav
>>>
>>>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>
>>> libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
>>> or 0.7x to 0.7y; you need to rebuild if you go from 0.7x to 0.8x
>>>
>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>>
>>> SIGHUP or a restart. This is manual; in 2.3.0 you can specify an
>>> interval at which to reread the AV database. You still have to SIGHUP
>>> snort to update the signatures.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
>>> <bla...@um...> wrote:
>>>
>>>> Hi all, I have some basic questions about ClamAV support.
>>>>
>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>>>
>>>> Thanks!
>>>>
>>>> Chris
From: Will M. <wil...@gm...> - 2005-02-28 13:19:17

They changed a function from 0.7x to 0.8x in libclamav; you should be ok if you use snort-inline-2.3.0-RC1. Do me a favor and download and try to compile support for 2.3.0-RC1, and let me know if you get the same error. I'll look at backporting the cl_buildtrie changes to 2.2.0.

Regards,

Will

On Mon, 28 Feb 2005 00:34:02 -0500, Christopher Black <bla...@um...> wrote:
> Yes sir, that's the configuration it's currently running in on quite a
> few of our client machines. This is the exact same image, but with the
> extra flag to configure.
>
> Will Metcalf wrote:
>> Hmmm, does it work ok if you don't --enable-clamav?
>>
>> Regards,
>>
>> Will
>>
>> On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black
>> <bla...@um...> wrote:
>>
>>> Excellent information, thank you.
>>>
>>> Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes
>>> immediately on boot with this error:
>>>
>>> rcmdsh: unknown user: ���$�PjV�s����� F��X
>>> Bus error (core dumped)
>>> localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline),
>>> uid 0: exited on signal 10 (core dumped)
>>>
>>> gdb says:
>>> (gdb) core-file snort_inline.core
>>> Core was generated by `snort_inline'.
>>> Program terminated with signal 10, Bus error.
>>> #0  0x281cb2b0 in ?? ()
>>> (gdb)
>>>
>>> Any ideas?
>>>
>>> Thanks!
>>>
>>> Chris
>>>
>>> Will Metcalf wrote:
>>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>>
>>>> The code is there, but by default it is disabled. To enable
>>>> ./configure --enable-clamav
>>>>
>>>>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>>
>>>> libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
>>>> or 0.7x to 0.7y; you need to rebuild if you go from 0.7x to 0.8x
>>>>
>>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>>>
>>>> SIGHUP or a restart. This is manual; in 2.3.0 you can specify an
>>>> interval at which to reread the AV database. You still have to SIGHUP
>>>> snort to update the signatures.
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
>>>> <bla...@um...> wrote:
>>>>
>>>>> Hi all, I have some basic questions about ClamAV support.
>>>>>
>>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Chris
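The two answers Will gives in this thread (a libclamav upgrade within one series, 0.8x to 0.8y, only needs snort_inline to be SIGHUPed so it re-reads its databases, while a move across series, 0.7x to 0.8x, changed a function such as cl_buildtrie and so needs a rebuild against the new headers) can be turned into an operator's pre-upgrade check. The script below is an added example written for this page; it is not part of the thread, of snort_inline or of ClamAV. It assumes ClamAV's 0.xy release numbering (0.75, 0.80, 0.83) and also accepts the 0.8.3 spelling used earlier in the thread; the pidfile argument and the DO_SIGNAL switch are this example's own conventions, not snort_inline options.

```shell
#!/bin/sh
# Added example (not snort_inline or ClamAV code): decide whether a libclamav
# upgrade can be picked up by a running snort_inline with SIGHUP, or whether
# the binary must be rebuilt because the libclamav series changed.
#
# Rule taken from the thread: 0.8x -> 0.8y is fine, 0.7x -> 0.8x needs a rebuild.

# series_of VERSION -> prints the libclamav series, e.g. "0.8" for 0.83 or 0.8.3.
# Assumption: ClamAV 0.x releases used two digits after the dot (0.75, 0.80,
# 0.83); the series is the first of those digits. "0.8.3" is accepted as well.
series_of() {
    sv=$1
    sv_major=${sv%%.*}          # "0"
    sv_rest=${sv#*.}            # "83" or "8.3"
    sv_minor=${sv_rest%%.*}     # "83" or "8"
    case $sv_minor in
        ??*) sv_minor=$(printf '%s' "$sv_minor" | cut -c1) ;;  # "83" -> "8"
    esac
    printf '%s.%s\n' "$sv_major" "$sv_minor"
}

# needs_rebuild BUILT_AGAINST INSTALLED -> exit 0 (true) when the series differ,
# i.e. when snort_inline must be re-run through ./configure --enable-clamav.
needs_rebuild() {
    [ "$(series_of "$1")" != "$(series_of "$2")" ]
}

# plan_upgrade BUILT_AGAINST INSTALLED PIDFILE -> prints the action and returns
# 0 when a reload is enough, 1 when a rebuild is required.
# The SIGHUP is only sent when DO_SIGNAL=1 and PIDFILE is readable, so the
# function is safe to dry-run (DO_SIGNAL and the pidfile are this example's
# conventions, not snort_inline options).
plan_upgrade() {
    pu_built=$1 pu_installed=$2 pu_pidfile=$3
    if needs_rebuild "$pu_built" "$pu_installed"; then
        printf 'rebuild: libclamav %s -> %s is a new series; re-run ./configure --enable-clamav && make, then restart snort_inline\n' \
            "$pu_built" "$pu_installed"
        return 1
    fi
    printf 'reload: libclamav %s -> %s stays in series %s; SIGHUP snort_inline to re-read the databases\n' \
        "$pu_built" "$pu_installed" "$(series_of "$pu_installed")"
    if [ "${DO_SIGNAL:-0}" = 1 ] && [ -r "$pu_pidfile" ]; then
        kill -HUP "$(cat "$pu_pidfile")"
    fi
    return 0
}

# Usage (dry run):   . ./clamav_upgrade.sh; plan_upgrade 0.75 0.83 /var/run/snort_inline.pid
# Usage (live):      DO_SIGNAL=1 plan_upgrade 0.80 0.83 /var/run/snort_inline.pid
```

Record the libclamav version snort_inline was built against at build time (for instance in a file next to the binary) so the first argument is not guessed; the 2.2.0a crash in this thread is what a mismatch looks like after the fact, a bus error with no usable backtrace, which is a poor way to discover that a rebuild was needed.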
From: Christopher B. <bla...@um...> - 2005-03-10 18:25:14
Attachments: signature.asc

I tried this with a clean build of 2.3.0-RC1, as well as using the LDFLAGS=-pthread suggestion; both result in

localhost# /usr/local/bin/snort_inline
rcmdsh: unknown user: ����jJ���y��PjW��������e�[^_���U����LWVS�
Bus error (core dumped)
localhost# Mar 10 13:13:35 localhost /kernel: pid 18143 (snort_inline), uid 0: exited on signal 10 (core dumped)

Any ideas? This is ClamAV 0.83 and snort_inline 2.3.0-RC1. It appears to be identical behavior. Is there anything I should try deleting or reinstalling that may be playing a part in this? Or even just a way to get more debugging information for you guys?

Thanks!

Chris

Will Metcalf wrote:
> They changed a function from 0.7x to 0.8x in libclamav, you should be
> ok if you use snort-inline-2.3.0-RC1. Do me a favor and download and
> try to compile support for 2.3.0-RC1, and let me know if you get the
> same error. I'll look at backporting the cl_buildtrie changes to
> 2.2.0.
>
> Regards,
>
> Will
>
> On Mon, 28 Feb 2005 00:34:02 -0500, Christopher Black
> <bla...@um...> wrote:
>
>> Yes sir, that's the configuration it's currently running in on quite a
>> few of our client machines. This is the exact same image, but with the
>> extra flag to configure.
>>
>> Will Metcalf wrote:
>>
>>> Hmmm, does it work ok if you don't --enable-clamav?
>>>
>>> Regards,
>>>
>>> Will
>>> On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black
>>> <bla...@um...> wrote:
>>>
>>>> Excellent information, thank you.
>>>>
>>>> Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes
>>>> immediately on boot with this error:
>>>>
>>>> rcmdsh: unknown user: ���$�PjV�s����� F��X
>>>> Bus error (core dumped)
>>>> localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline),
>>>> uid 0: exited on signal 10 (core dumped)
>>>>
>>>> gdb says:
>>>> (gdb) core-file snort_inline.core
>>>> Core was generated by `snort_inline'.
>>>> Program terminated with signal 10, Bus error.
>>>> #0  0x281cb2b0 in ?? ()
>>>> (gdb)
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks!
>>>>
>>>> Chris
>>>>
>>>> Will Metcalf wrote:
>>>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>>>
>>>>> The code is there, but by default it is disabled. To enable
>>>>> ./configure --enable-clamav
>>>>>
>>>>>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>>>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>>>
>>>>> libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
>>>>> or 0.7x to 0.7y; you need to rebuild if you go from 0.7x to 0.8x
>>>>>
>>>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>>>>
>>>>> SIGHUP or a restart. This is manual; in 2.3.0 you can specify an
>>>>> interval at which to reread the AV database. You still have to SIGHUP
>>>>> snort to update the signatures.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
>>>>> <bla...@um...> wrote:
>>>>>
>>>>>> Hi all, I have some basic questions about ClamAV support.
>>>>>>
>>>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>>>> 2) How are snort_inline and ClamAV interconnected? i.e. is it possible
>>>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>>> re-read after a change? (Send a SIGHUP, restart, etc.)
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Chris

-- 
Christopher Black
Interim Unix/Linux Administrator
University of Michigan | Physics OCS
bla...@um... | (734) 764-3348