This is a discussion on RE: [Snort-users] ClamAV preprocessor within the Snort forums, part of the System Security and Security Related category.
never mind... I found it ;)

________________________________
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of William Metcalf
Sent: Wednesday, August 18, 2004 12:09 AM
To: snort-users@lists.sourceforge.net
Cc: Victor Julien; Rob@honeynet.org
Subject: [Snort-users] ClamAV preprocessor

List,

I know that some folks don't think that doing virus detection with an IDS is a good idea, but Victor Julien and I have developed a preprocessor that can detect virus activity in network traffic, using a clamav C function and the clamav virus database.

On to the preproc: you can enable the ClamAV preprocessor by running ./configure --enable-clamav. You can specify the include directory by doing ./configure --enable-clamav --with-clamav-includes=DIR if clamav.h can't be found by the configure, or if the dbdir can't be found you may specify it with configure by ./configure --enable-clamav --with-clamav-defdir=DIR. You must have clamav and clamav.h available; we do not provide it in the patch.

On to the preprocessor configuration options. Turn on clamav by going into snort.conf:

preprocessor clamav

This turns on the defaults for clamav, which are to listen on ports 21 25 80 81 110 119 139 445 143 and use the default database location of /var/lib/clamav unless another dbdir was specified at ./configure. Alerts are written to alert logs.

Options are:

preprocessor clamav: ports {portlist separated by " "}, {flow can be toclientonly or toserveronly or defaults to both}, {action option is disabled unless running snort_inline in which case we can drop or reject the packet}, {dbdir}

so

preprocessor clamav: ports all !25 !443 !22

will turn on clamav and will listen for virus activity on all ports except 25 443 22 and write to the alert file if a virus is detected.

preprocessor clamav: ports 139 445 21, toclientonly, dbdir /var/lib2/clamav

will turn on clamav, will listen for virus activity on ports 129 445 21, will only watch traffic that flows to the client, and sets the virus-sig database path to /var/lib2/clamav.

Will try to put together some better documentation...... but either way here is the patch. Depending on OS some may need to run the following command before running configure, otherwise it will not configure properly:

libtoolize -f && aclocal && autoheader && automake && autoconf

or

autoreconf -f

Regards,
William Metcalf

download the patch from: https://sourceforge.net/tracker/?ati...497&func=browse
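As an added example (not code from the original post or from the patch itself), here is a small Python parser for the preprocessor clamav: option line as William describes it; the defaults, the "all" / "!N" port syntax, and the rule that drop/reject only work under snort_inline are taken from his description, and the comma-separated option layout is an assumption.

```python
import re

# Defaults as described in the post (constructed parser, not the patch's own code).
DEFAULT_PORTS = {21, 25, 80, 81, 110, 119, 139, 445, 143}
DEFAULT_DBDIR = "/var/lib/clamav"
FLOWS = ("toclientonly", "toserveronly")
ACTIONS = ("drop", "reject")


def _parse_ports(tokens):
    """Expand a space-separated port list: 'all' means 1-65535, '!N' excludes N."""
    include, exclude = set(), set()
    for tok in tokens:
        neg = tok.startswith("!")
        value = tok[1:] if neg else tok
        if value == "all":
            (exclude if neg else include).update(range(1, 65536))
        elif value.isdigit() and 1 <= int(value) <= 65535:
            (exclude if neg else include).add(int(value))
        else:
            raise ValueError("bad port token: %r" % tok)
    if not include:
        raise ValueError("port list needs at least one port or 'all'")
    return include - exclude


def parse_clamav_preprocessor(line, inline=False):
    """Parse 'preprocessor clamav[: opt, opt, ...]' into a config dict.

    Assumption: options after the colon are comma-separated, each being
    'ports <list>', 'toclientonly'/'toserveronly', 'drop'/'reject' or 'dbdir <path>'.
    """
    m = re.match(r"^preprocessor\s+clamav\s*(?::\s*(.*))?$", line.strip())
    if not m:
        raise ValueError("not a clamav preprocessor line: %r" % line)
    cfg = {"ports": set(DEFAULT_PORTS), "flow": "both",
           "action": "disabled", "dbdir": DEFAULT_DBDIR}
    for opt in filter(None, (o.strip() for o in (m.group(1) or "").split(","))):
        key, _, rest = opt.partition(" ")
        if key == "ports":
            cfg["ports"] = _parse_ports(rest.split())
        elif key in FLOWS and not rest:
            cfg["flow"] = key
        elif key in ACTIONS and not rest:
            if not inline:  # drop/reject are only meaningful under snort_inline
                raise ValueError("action %r requires snort_inline" % key)
            cfg["action"] = key
        elif key == "dbdir" and rest.strip():
            cfg["dbdir"] = rest.strip()
        else:
            raise ValueError("unknown or malformed option: %r" % opt)
    return cfg
```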