[Oisf-users] Suricata and clamav ? and/or Squidclamav ?

Rich Rumble richrumble at gmail.com
Tue Mar 11 12:31:23 UTC 2014


On Tue, Mar 11, 2014 at 7:17 AM, Olivier - <gnaap at hotmail.fr> wrote:

> Hi all,
> Suricata is a great IDS and I use it as an IPS.
> I have some questions (perhaps stupid questions :) ) :
>
> First question :
> - is there any real interest to run both suricata and squidclamav/clamav ?
>
I'm sure everyone would be interested in something like this, using ICAP or
a socket through which an AV vendor can scan files. I believe there is a script that
is less real-time than that, which uses VirusTotal to look for the
hashes of already scanned files in VT's database. Suricata carves them out
to disk, the script comes along and checks the MD5s against VT, thus
possibly using 30+ AVs at once!
It's been in Suri since 1.3:
https://github.com/inliniac/suricata/blob/master/contrib/file_processor/README
I've not tested it, however, but it would be nice to have something a bit
more real-time; I think the VT scripts would be very helpful in the
meantime until this Feature Request becomes more of a priority.
You should make a formal Feature Request; make sure someone hasn't already
done so.
https://redmine.openinfosecfoundation.org/projects/suricata/issues?set_filter=1&tracker_id=2

-rich
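As an added illustration of the workflow Rich describes (this is not the contrib script and not part of the original thread): a small Python script that walks a Suricata file-store directory, hashes each fully extracted file and hands the MD5 to a pluggable lookup. The `.meta` layout (`KEY: value` lines carrying `STATE`, `MD5` and `FILENAME`) is assumed from Suricata's file-store output, and a local dictionary stands in for the VirusTotal query so it runs offline.

```python
import hashlib, os, tempfile

# Constructed sample: the EICAR string is the standard benign AV test file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Stand-in for the VirusTotal hash lookup: a local dict of known MD5s (constructed).
KNOWN_HASHES = {hashlib.md5(EICAR).hexdigest(): "EICAR-Test-File"}

def parse_meta(path):
    """Parse a file-store .meta file; 'KEY: value' lines are assumed."""
    meta = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep:
                meta[key.strip()] = value.strip()
    return meta

def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def process_filestore(directory, lookup):
    """Hash each fully extracted file and return [(filename, md5, lookup(md5))]."""
    results = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".meta"):
            continue
        meta = parse_meta(os.path.join(directory, name))
        data_path = os.path.join(directory, name[:-len(".meta")])
        if meta.get("STATE") != "CLOSED" or not os.path.isfile(data_path):
            continue  # truncated extraction: its hash would never match a real sample
        digest = md5_of(data_path)
        if meta.get("MD5", digest).lower() != digest:
            continue  # on-disk bytes disagree with what Suricata recorded
        results.append((meta.get("FILENAME", "?"), digest, lookup(digest)))
    return results
def demo():
    """Build a constructed two-file store (one complete, one truncated) and scan it."""
    work = tempfile.mkdtemp()
    sample = {
        "file.1": EICAR,
        "file.1.meta": b"FILENAME: /eicar.com\nSTATE: CLOSED\nMD5: " + hashlib.md5(EICAR).hexdigest().encode() + b"\n",
        "file.2": b"partial download",
        "file.2.meta": b"FILENAME: /big.bin\nSTATE: TRUNCATED\n",
    }
    for fname, data in sample.items():
        with open(os.path.join(work, fname), "wb") as fh:
            fh.write(data)
    return process_filestore(work, lambda h: KNOWN_HASHES.get(h, "not seen"))
```

Swapping the lambda for a real VirusTotal client is the only change needed for the live version; rate-limiting and caching of already-queried hashes belong inside that lookup.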