This preprocessor will scan the data in the packets for viruses. See README.clamav for details and limitations.
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/?&cvsroot=snort-clamav
Available options (comma delimited):
ports: a space delimited list of ports that will be scanned.
    all: all ports
    n: scan the single port n
    !n: do not scan port n (to be used together with 'all')
toclientonly: scan only the traffic to the client (TCP only)
toserveronly: scan only the traffic to the server (TCP only)
action-drop: drop the infected packet (snort_inline only)
action-reset: reset the connection (snort_inline only)
dbdir: path to the ClamAV definitions directory.
dbreload-time: interval in seconds after which the AV signatures are re-read from dbdir.
file-descriptor-mode (experimental): writes the packet buffer to a temp file for scanning. We suggest you use tmpfs for this.
descriptor-temp-dir: used only in conjunction with file-descriptor-mode; sets the directory where the packet buffer is written for virus scanning. Defaults to /tmp. Once again, mount a tmpfs file system there so as not to kill performance.
Example: preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200, file-descriptor-mode
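To make the option syntax above concrete, here is a small stand-alone parser for a "preprocessor clamav:" line. It is an added example written for this page, not the preprocessor's own option parser; the option names are taken from the list above, and it assumes that "!n" means "exclude port n from 'all'" and that descriptor-temp-dir is only valid alongside file-descriptor-mode, as the list states. The sample line it parses is the example from this page.

```python
# Added example (not snort-clamav code): parse a "preprocessor clamav:" option
# string into a dict and answer "would port N be scanned?" for the resulting config.
import re

# Options that take no argument.
FLAG_OPTIONS = {"toclientonly", "toserveronly", "action-drop", "action-reset",
                "file-descriptor-mode"}
# Options that take exactly one argument.
VALUE_OPTIONS = {"dbdir", "dbreload-time", "descriptor-temp-dir"}


def parse_ports(tokens):
    """Turn the space-separated port tokens into (scan_all, include, exclude).

    'all' selects every port, 'n' adds a single port and '!n' excludes a port.
    Assumption from the option list above: '!n' only makes sense with 'all'.
    """
    scan_all = False
    include, exclude = set(), set()
    for tok in tokens:
        if tok == "all":
            scan_all = True
        elif re.fullmatch(r"!\d+", tok):
            exclude.add(int(tok[1:]))
        elif tok.isdigit():
            include.add(int(tok))
        else:
            raise ValueError("bad port token: %r" % tok)
    for port in include | exclude:
        if not 0 < port < 65536:
            raise ValueError("port out of range: %d" % port)
    if exclude and not scan_all:
        raise ValueError("'!n' exclusions require 'all'")
    if not (scan_all or include):
        raise ValueError("ports option names no ports")
    return scan_all, include, exclude


def parse_clamav_options(line):
    """Parse a 'preprocessor clamav: ...' line (prefix optional) into a dict."""
    body = line.strip()
    prefix = "preprocessor clamav:"
    if body.startswith(prefix):
        body = body[len(prefix):]
    opts = {}
    for chunk in body.split(","):
        tokens = chunk.split()
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name in opts:
            raise ValueError("duplicate option: %s" % name)
        if name == "ports":
            opts["ports"] = parse_ports(args)
        elif name in FLAG_OPTIONS:
            if args:
                raise ValueError("%s takes no arguments" % name)
            opts[name] = True
        elif name in VALUE_OPTIONS:
            if len(args) != 1:
                raise ValueError("%s takes exactly one argument" % name)
            # dbreload-time is a number of seconds; int() rejects garbage.
            opts[name] = int(args[0]) if name == "dbreload-time" else args[0]
        else:
            raise ValueError("unknown option: %s" % name)
    if "descriptor-temp-dir" in opts and "file-descriptor-mode" not in opts:
        raise ValueError("descriptor-temp-dir requires file-descriptor-mode")
    return opts


def port_is_scanned(opts, port):
    """True if traffic on 'port' would be handed to ClamAV under these options."""
    scan_all, include, exclude = opts["ports"]
    if port in exclude:
        return False
    return scan_all or port in include


if __name__ == "__main__":
    # The example line from this page.
    example = ("preprocessor clamav: ports all !22 !443, toclientonly, "
               "dbdir /usr/share/clamav, dbreload-time 43200, file-descriptor-mode")
    parsed = parse_clamav_options(example)
    print(parsed)
    for p in (22, 80, 443):
        print(p, "scanned" if port_is_scanned(parsed, p) else "skipped")
```

Running it shows that with "ports all !22 !443" port 80 is scanned while 22 and 443 are skipped; note that the parser treats an exclusion without 'all' as an error, which is the most common mistake with this syntax.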
This project is maintained by William Metcalf and Victor Julien.
--
MattJonkman - 20 Mar 2007