[Oisf-users] suricata and ClamAV

Srinivasreddy R srinivasreddy4390 at gmail.com
Wed Jul 12 18:11:57 UTC 2017

Thank you for your response .
I have done the use case you mentioned .saving all the files passed through
suricata and scanning them with clamav for threats .
Now i am interested in extracting the md5 hash database from ClamAV Virus
Database (main.cvd),
configuring rule in suricata to calculate md5 hash of the files transferred
and search in md5 hash DB for threats .

same way as mentioned in the below link :

But it is not working for me .
I have calculated the md5 hash of the threat file and searched in md5 hash
DB .Hash is not present in  DB.
If i use clamAV for scanning the file threat is identified .


On Wed, Jul 12, 2017 at 11:08 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> ClamAV will check inside archive files (like .tar), a simple checksum will
> not.
> I don't know how much traffic you see, but you could always just extract
> everything and then scan it with ClamAV, either via cron or incron.
> Here's how you enable that:
>   - file-store:
>       enabled: yes       # set to yes to enable
>       log-dir: files    # directory to store the files
>       force-magic: no   # force logging magic on all stored files
>       # force logging of checksums, available hash functions are md5,
>       # sha1 and sha256
>       #force-hash: [md5]
>       force-filestore: yes # force storing of all files
> What I would do is make the 'files' a tmpfs partition and then scan every
> file older than one minute via a cron job.  This is so you don't scan
> partially downloaded files.  Then have clamAV move infected files and their
> associated metadata to a disk archive for storage.
> -Coop
> On 7/12/2017 5:58 AM, Srinivasreddy R wrote:
> Hi all,
> I have downloaded clamAV database and converted to md5 hash database .
> Added rule in suricata to scan md5 hash DB for threats.
> i have downloaded a tar file having threat .ClamAV is able to detect the
> threat in the tar file but suricata is not identifying .
> Please suggest .
> Ref Link:
> https://samiux.blogspot.in/2015/10/howto-clamav-for-suricata.html
> http://old.honeynet.org/scans/scan19/scan19.tar.gz
> Thanks
> srinivas
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Teamcnelson at ucsd.edu x41042
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170712/f3340f9b/attachment-0002.html>

More information about the Oisf-users mailing list