From: <ka...@ez...> - 2004-12-29 19:31:43
Ok, another clam question.

With snort 2.3RC2, I thought it had the snort_inline code rolled in. Therefore I would assume clamav support. However, no matter what I can get it to build with clamav. On the same system, snort_inline 2.2.0a builds with clamav and works flawlessly.

I want to run snort_inline on a bridged port and then snort on another interface, but I want both working with clamav alerts. Is this possible, or should I just use the snort_inline without the -Q option on the interface I want the ALERTS only on??

thanks
Kat
From: Will M. <wil...@gm...> - 2004-12-29 20:02:29
> With snort 2.3RC2, I thought it had the snort_inline code
> rolled in. Therefore I would assume clamav support.
> However, no matter what I can get it to build with clamav.
> On the same system, snort_inline 2.2.0a builds with clamav
> and works flawlessly.

They decided they didn't want the clamav stuff in normal snort. I'll release a patch this weekend for clamav only against 2.3.0. As soon as Victor and I can find enough time to finish up snort_inline-2.3.0 we will release it with clamav+stickydrop+stream4inline. Unfortunately Victor and I both have full-time jobs, and while we would like to work on snort_inline all the time, there just aren't enough hours in a day.

> I want to run snort_inline on a bridged port and then snort
> on another interface, but I want both working with clamav
> alerts. Is this possible, or should I just use the
> snort_inline without the -Q option on the interface I want
> the ALERTS only on??

Yeah, that should work fine.

Regards,
Will

_______________________________________________
Snort-inline-users mailing list
Sno...@li...
https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: <ka...@ez...> - 2004-12-29 20:11:57
On Wed, 29 Dec 2004 14:02:21 -0600 Will Metcalf <wil...@gm...> wrote:

>> With snort 2.3RC2, I thought it had the snort_inline code
>> rolled in. Therefore I would assume clamav support.
>> However, no matter what I can get it to build with clamav.
>> On the same system, snort_inline 2.2.0a builds with clamav
>> and works flawlessly.
>
> They decided they didn't want the clamav stuff in normal snort. I'll
> release a patch this weekend for clamav only against 2.3.0. As soon
> as Victor and I can find enough time to finish up snort_inline-2.3.0 we
> will release it with clamav+stickydrop+stream4inline. Unfortunately
> Victor and I both have full-time jobs, and while we would like to work
> on snort_inline all the time, there just aren't enough hours in a day.
>
> Yeah, that should work fine.

It works fine this way, and I added the suggested log change to spp_clamav to get it to use the mysql stream/log, since it does not require a lot of speed. Even over stunnel, the alerts are coming nicely -- and we just put in another 4 of these things.... Great tool!!!!

BTW - if you need additional testers - let me know.

Kat
From: Nick R. <ni...@ro...> - 2004-12-30 02:05:51
On Wed, 29 Dec 2004, Will Metcalf wrote:

>> With snort 2.3RC2, I thought it had the snort_inline code rolled in.
>> Therefore I would assume clamav support. However, no matter what I can
>> get it to build with clamav. On the same system, snort_inline 2.2.0a
>> builds with clamav and works flawlessly.
>
> They decided they didn't want the clamav stuff in normal snort. I'll
> release a patch this weekend for clamav only against 2.3.0. As soon as
> Victor and I can find enough time to finish up snort_inline-2.3.0 we will
> release it with clamav+stickydrop+stream4inline. Unfortunately Victor
> and I both have full-time jobs, and while we would like to work on
> snort_inline all the time, there just aren't enough hours in a day.

I should have some pretty good documentation for FreeBSD+snort_inline ready at some point here in the near future. What format should I be creating these documents in?

Last I checked the code still works, but probably won't work on the FreeBSD 5.X branch. I'll try to get a patch ready for that too.

I would also like to submit the snort_inline code to the FreeBSD Ports Collection. There already exists a snort port, but I would like to get snort_inline split out of the main snort FreeBSD port. Of course, I need your permission for such a thing.

Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand.
  -Emo Philips