[Oisf-users] suricata and ClamAV
Cooper F. Nelson
cnelson at ucsd.edu
Wed Jul 12 17:38:31 UTC 2017
ClamAV will check inside archive files (like .tar), a simple checksum
will not.
I don't know how much traffic you see, but you could always just extract
everything and then scan it with ClamAV, either via cron or incron.
Here's how you enable that:
> - file-store:
>     enabled: yes          # set to yes to enable
>     log-dir: files        # directory to store the files
>     force-magic: no       # force logging magic on all stored files
>     # force logging of checksums, available hash functions are md5,
>     # sha1 and sha256
>     #force-hash: [md5]
>     force-filestore: yes  # force storing of all files
What I would do is make the 'files' a tmpfs partition and then scan
every file older than one minute via a cron job. This is so you don't
scan partially downloaded files. Then have ClamAV move infected files
and their associated metadata to a disk archive for storage.
-Coop
On 7/12/2017 5:58 AM, Srinivasreddy R wrote:
> Hi all,
>
> I have downloaded the ClamAV database and converted it to an md5 hash database.
> Added a rule in Suricata to scan the md5 hash DB for threats.
>
> I have downloaded a tar file having a threat. ClamAV is able to detect
> the threat in the tar file but Suricata is not identifying it.
> Please suggest.
>
> Ref Link:
> https://samiux.blogspot.in/2015/10/howto-clamav-for-suricata.html
> http://old.honeynet.org/scans/scan19/scan19.tar.gz
>
> Thanks
> srinivas
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
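The sweep Coop describes above (scan only files older than a minute, quarantine hits together with their metadata, keep the tmpfs store small) as an added shell example; this is not code from the thread or from the Suricata or ClamAV projects. It assumes the Suricata file-store v1 layout, where each extracted file is `file.<id>` with its metadata in `file.<id>.meta`, and that a scanner prints `<path>: <signature> FOUND` for infected files, which is what `clamscan --infected --no-summary` does. The `SCANNER`, `STORE_DIR`, `ARCHIVE_DIR`, `MIN_AGE_MINUTES` and `RUN_SWEEP` variables are names chosen for this example.

```shell
#!/bin/sh
# Added example: sweep a Suricata file-store with ClamAV from cron.
# Assumed layout (file-store v1): file.<id> plus file.<id>.meta sidecar.
# Intended cron entry (example):  * * * * *  RUN_SWEEP=yes /usr/local/bin/sweep.sh

STORE_DIR="${STORE_DIR:-/var/log/suricata/files}"        # tmpfs file-store
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/lib/suricata/quarantine}" # on-disk archive
MIN_AGE_MINUTES="${MIN_AGE_MINUTES:-1}"                   # skip in-flight files
# Scanner command; must print "<path>: <sig> FOUND" per infected file.
# Overridable so the logic can be exercised without a live ClamAV install.
SCANNER="${SCANNER:-clamscan --infected --no-summary}"

# is_infected FILE: exit 0 if the scanner flags FILE, 1 otherwise.
is_infected() {
    $SCANNER "$1" 2>/dev/null | grep -q ' FOUND$'
}

# quarantine FILE DEST: move FILE and its .meta sidecar (if any) to DEST.
quarantine() {
    f="$1"; dest="$2"
    mkdir -p "$dest"
    mv "$f" "$dest/"
    [ -f "$f.meta" ] && mv "$f.meta" "$dest/"
    return 0
}

# sweep STORE ARCHIVE: scan stored files older than MIN_AGE_MINUTES,
# quarantine infected ones, delete clean ones (and their metadata) so the
# tmpfs does not fill up. Prints the number of quarantined files.
# file-store v1 names contain no whitespace, so word-splitting find's
# output is safe here.
sweep() {
    store="$1"; archive="$2"; hits=0
    for f in $(find "$store" -maxdepth 1 -type f -name 'file.*' \
                   ! -name '*.meta' -mmin "+$MIN_AGE_MINUTES"); do
        if is_infected "$f"; then
            quarantine "$f" "$archive"
            hits=$((hits + 1))
        else
            rm -f "$f" "$f.meta"
        fi
    done
    echo "$hits"
}

# Only run the sweep when invoked for real (RUN_SWEEP=yes), so the file can
# also be sourced to reuse the functions.
if [ "${RUN_SWEEP:-no}" = "yes" ]; then
    echo "infected files quarantined: $(sweep "$STORE_DIR" "$ARCHIVE_DIR")"
fi
```

Keeping the age check in `find` (rather than in the scanner) is what avoids scanning a file Suricata is still writing; the one-minute threshold matches the cron interval, so every file is looked at exactly once after it has settled. Moving the `.meta` sidecar with the payload preserves the flow tuple and URL Suricata recorded, which is what makes the quarantined file useful later.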