r2 - 26 Mar 2008 - 17:38:51 - MattJonkman

SnortClamAV

This Snort preprocessor scans packet payloads for viruses using the ClamAV signature database. See README.clamav for details and limitations.

http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/?&cvsroot=snort-clamav

Available options (comma delimited):

ports: a space-delimited list of ports to be scanned. Each entry is one of:
  all : all ports
  n   : scan port n
  !n  : do not scan port n (to be used together with 'all')

toclientonly: scan only the traffic to the client (TCP only)

toserveronly: scan only the traffic to the server (TCP only)

action-drop: drop the infected packet (snort_inline only)

action-reset: reset the connection (snort_inline only)

dbdir: path to the ClamAV definitions directory.

dbreload-time: interval in seconds after which the AV signatures are re-read from dbdir.

file-descriptor-mode: writes the packet buffer to a temporary file and scans that file instead of scanning in memory. Experimental. We suggest you use tmpfs for the temporary directory.

descriptor-temp-dir: used only in conjunction with file-descriptor-mode. Sets the directory where the packet buffer is written for virus scanning. Defaults to /tmp. Once again, MOUNT a tmpfs file system there so as not to kill performance.

Example: preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, file-descriptor-mode

This scans all ports except 22 and 443, only in the server-to-client direction, reloads the signatures from /usr/share/clamav every 12 hours, and scans via temporary files in the default /tmp (which should be a tmpfs mount).
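The option grammar above, as an added worked example that is not part of the original page or the snort-clamav project: a small Python linter for a `preprocessor clamav:` line from snort.conf. It parses the comma-delimited options (with `!n` for port negation), computes the effective port set, and flags the mistakes a practitioner would want caught before reloading Snort: nothing selected, both direction filters at once, inline-only actions in a non-inline deployment, `descriptor-temp-dir` without `file-descriptor-mode`, and a temp directory that is not a tmpfs mount. The tmpfs check, the `inline` flag, the range checks and the sample lines at the bottom are this example's own assumptions, not validation the preprocessor itself performs.

```python
"""Lint a Snort ClamAV preprocessor line (added example, not project code)."""
import os
from dataclasses import dataclass, field

PREFIX = "preprocessor clamav:"
# Options without an argument, and options taking exactly one, as listed on the page.
FLAG_OPTS = {"toclientonly", "toserveronly", "action-drop",
             "action-reset", "file-descriptor-mode"}
VALUE_OPTS = {"dbdir", "dbreload-time", "descriptor-temp-dir"}


@dataclass
class ClamAVConfig:
    ports_all: bool = False
    ports_include: set = field(default_factory=set)
    ports_exclude: set = field(default_factory=set)
    flags: set = field(default_factory=set)
    values: dict = field(default_factory=dict)

    def scans_port(self, port: int) -> bool:
        """Effective port set: '!n' always wins, then 'all' or an explicit n."""
        if port in self.ports_exclude:
            return False
        return self.ports_all or port in self.ports_include


def _port(tok: str) -> int:
    port = int(tok)  # raises ValueError on garbage such as 'ssh'
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {tok}")
    return port


def parse_clamav_line(line: str) -> ClamAVConfig:
    """Parse 'preprocessor clamav: opt [args], opt [args], ...' into a config."""
    body = line.strip()
    if not body.startswith(PREFIX):
        raise ValueError("not a 'preprocessor clamav:' line")
    cfg = ClamAVConfig()
    for raw in body[len(PREFIX):].split(","):
        tokens = raw.split()
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name == "ports":
            for tok in args:
                if tok == "all":
                    cfg.ports_all = True
                elif tok.startswith("!"):
                    cfg.ports_exclude.add(_port(tok[1:]))
                else:
                    cfg.ports_include.add(_port(tok))
        elif name in FLAG_OPTS:
            if args:
                raise ValueError(f"{name} takes no argument")
            cfg.flags.add(name)
        elif name in VALUE_OPTS:
            if len(args) != 1:
                raise ValueError(f"{name} needs exactly one argument")
            cfg.values[name] = args[0]
        else:
            raise ValueError(f"unknown option {name!r}")
    return cfg


def lint(cfg: ClamAVConfig, inline: bool = False, tmpfs_mounts=()) -> list:
    """Return human-readable problems; an empty list means the line looks sane.
    `inline`: whether snort_inline loads this config (assumed flag).
    `tmpfs_mounts`: tmpfs mount points supplied by the caller (e.g. from /proc/mounts)."""
    problems = []
    if not cfg.ports_all and not cfg.ports_include:
        problems.append("no ports selected: nothing will be scanned")
    if cfg.ports_exclude and not cfg.ports_all:
        problems.append("'!n' only has an effect together with 'all'")
    if cfg.ports_all and cfg.ports_include:
        problems.append("explicit ports are redundant with 'all'; did you mean '!n'?")
    if {"toclientonly", "toserveronly"} <= cfg.flags:
        problems.append("toclientonly and toserveronly together scan nothing")
    if {"action-drop", "action-reset"} <= cfg.flags:
        problems.append("choose one of action-drop / action-reset")
    if not inline and cfg.flags & {"action-drop", "action-reset"}:
        problems.append("action-drop/action-reset are snort_inline only")
    if "descriptor-temp-dir" in cfg.values and "file-descriptor-mode" not in cfg.flags:
        problems.append("descriptor-temp-dir is ignored without file-descriptor-mode")
    if "file-descriptor-mode" in cfg.flags:
        tmp = os.path.normpath(cfg.values.get("descriptor-temp-dir", "/tmp"))
        if tmp not in {os.path.normpath(m) for m in tmpfs_mounts}:
            problems.append(f"{tmp} is not a tmpfs mount; temp-file scanning there will hurt performance")
    reload = cfg.values.get("dbreload-time")
    if reload is not None and not (reload.isdigit() and int(reload) > 0):
        problems.append("dbreload-time must be a positive number of seconds")
    return problems


# Constructed samples: the example line from this page and a deliberately broken one.
GOOD_LINE = ("preprocessor clamav: ports all !22 !443, toclientonly, "
             "dbdir /usr/share/clamav, dbreload-time 43200, file-descriptor-mode")
BAD_LINE = ("preprocessor clamav: ports 80 !22, toclientonly, toserveronly, "
            "action-drop, descriptor-temp-dir /dev/shm, dbreload-time 0")

if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        for p in lint(parse_clamav_line(line), inline=False, tmpfs_mounts=("/tmp",)):
            print(f"{line[:45]}...: {p}")
```

Run against the page's own example with `/tmp` listed as a tmpfs mount the linter reports nothing; drop the tmpfs list and it warns about `/tmp`, which is exactly the performance trap the options text warns about twice.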

This project is maintained by William Metcalf and Victor Julien.

-- MattJonkman - 20 Mar 2007
