<div dir="ltr"><div><div><div>Thank you for your response.<br></div>I have done the use case you mentioned: saving all the files passed through Suricata and scanning them with ClamAV for threats.<br></div>Now I am interested in extracting the MD5 hash database from the ClamAV virus database (main.cvd),<br>configuring a rule in Suricata to calculate the MD5 hash of the files transferred and search the MD5 hash DB for threats,<br><br></div>the same way as mentioned in the link below:<br><a href="https://samiux.blogspot.in/2015/10/howto-clamav-for-suricata.html" target="_blank">https://samiux.blogspot.in/2015/10/howto-clamav-for-suricata.html</a><div><br></div><div>But it is not working for me.<br></div><div>I have calculated the MD5 hash of the threat file and searched the MD5 hash DB. The hash is not present in the DB.<br></div><div>If I use ClamAV for scanning the file, the threat is identified.<br></div><div><br></div><div>Thanks<br></div><div>Srinivas<br></div><div><br><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 12, 2017 at 11:08 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="gmail-m_-6635613805039065747moz-cite-prefix">ClamAV will check inside archive files
(like .tar), a simple checksum will not.<br>
<br>
I don't know how much traffic you see, but you could always just
extract everything and then scan it with ClamAV, either via cron
or incron. Here's how you enable that:<br>
<br>
<blockquote type="cite"><pre>  - file-store:
      enabled: yes            # set to yes to enable
      log-dir: files          # directory to store the files
      force-magic: no         # force logging magic on all stored files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      #force-hash: [md5]
      force-filestore: yes    # force storing of all files
</pre></blockquote>
<br>
What I would do is make the 'files' a tmpfs partition and then
scan every file older than one minute via a cron job. This is so
you don't scan partially downloaded files. Then have ClamAV move
infected files and their associated metadata to a disk archive for
storage. <br>
<br>
-Coop<span class="gmail-"><br>
<br>
On 7/12/2017 5:58 AM, Srinivasreddy R wrote:<br>
</span></div><span class="gmail-">
<blockquote type="cite">
<div>Hi all,<br>
<br>
I have downloaded the ClamAV database and converted it to an MD5 hash
database.<br>
</div>
Added a rule in Suricata to scan the MD5 hash DB for threats.<br>
<div><br>
I have downloaded a tar file having a threat. ClamAV is able to
detect the threat in the tar file but Suricata is not
identifying it.<br>
</div>
<div>Please suggest.<br>
<div><br>
Ref Link:<br>
<a href="https://samiux.blogspot.in/2015/10/howto-clamav-for-suricata.html" target="_blank">https://samiux.blogspot.in/2015/10/howto-clamav-for-suricata.html</a><br>
<div class="gmail_extra"><a href="http://old.honeynet.org/scans/scan19/scan19.tar.gz" target="_blank">http://old.honeynet.org/scans/scan19/scan19.tar.gz</a><br>
<br>
Thanks<br>
</div>
<div class="gmail_extra">srinivas</div>
</div>
</div>
</blockquote>
</span><span class="gmail-"><pre class="gmail-m_-6635613805039065747moz-signature" cols="72">--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
<a class="gmail-m_-6635613805039065747moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042</pre>
</span></div>
</blockquote></div><br></div></div></div></div></div></div>
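An added example, written for this thread and not taken from either message or from the samiux howto, showing why the whole-archive MD5 that a Suricata filemd5 rule sees never matches a sample ClamAV flags inside a .tar.gz: it parses a ClamAV-style .hdb entry (md5:filesize:signature-name), emits it in Suricata's one-hash-per-line filemd5 format, and compares the MD5 of a constructed archive against the MD5s of its members. The payload, the signature name and the member file names are constructed, not real signatures.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for the detected file; the .hdb entry below is built from
# it in ClamAV's md5:filesize:signature-name format. Not a real signature.
SAMPLE_PAYLOAD = b"constructed sample file, stands in for the detected member\n"

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_hdb(text: str) -> dict:
    """Parse ClamAV .hdb lines (md5:size:name[:...]) into {md5: signature name}."""
    db = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and not fields[0].startswith("#"):
            db[fields[0].lower()] = fields[2]
    return db

def to_filemd5(db: dict) -> str:
    """Render the hash set in Suricata's filemd5 list format: one hex MD5 per line."""
    return "".join(h + "\n" for h in sorted(db))

def scan_tar(tar_bytes: bytes, db: dict) -> list:
    """Hash each regular member of the archive (as ClamAV does); return (member, signature) hits."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                name = db.get(md5_hex(tar.extractfile(member).read()))
                if name:
                    hits.append((member.name, name))
    return hits

def build_sample_tar() -> bytes:
    """Constructed .tar.gz with one benign member and one member matching the .hdb entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, data in (("readme.txt", b"benign\n"), ("tools/sample.bin", SAMPLE_PAYLOAD)):
            info = tarfile.TarInfo(fname)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def whole_vs_members() -> tuple:
    """(is the whole-archive MD5 in the DB?, member hits) for the constructed sample."""
    db = parse_hdb(f"{md5_hex(SAMPLE_PAYLOAD)}:{len(SAMPLE_PAYLOAD)}:Constructed.Test.Sample")
    archive = build_sample_tar()
    return md5_hex(archive) in db, scan_tar(archive, db)
```

`whole_vs_members()` returns `(False, [("tools/sample.bin", "Constructed.Test.Sample")])`: the transferred archive's own hash is absent from the list, so a filemd5 match on the stored file cannot fire, while hashing the extracted members finds the entry.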