Pf / network traffic scanning

  • Hello guys

    Are you aware of any related study to get an antivirus working on network traffic?

    I looked for that and snort-inline (1) matches my desire, but it currently runs only with ipfw/iptables. I also think clamav (2) is THE tool to think about.
    It could be, for example, related to a pf rule (checkbox "Scan this") or something like that, in my hopes.
    Is someone studying this?

    I'll think of starting a bounty (200/500 $) if I get positive ideas on this subject.



  • Are you running embedded or full install?

    If full install, just have a look at packages and install Snort! ;D

  • Snort isn't an antivirus (it probably detects many worms, but that's not its purpose). If you want IDS with some IPS functionality, install the Snort package.

    If you want an inline full antivirus, start a bounty. Keep in mind that would require very fast hardware to do without adding a huge delay, and would still probably be a significant performance hit, if it would even be possible to accomplish.

  • There is a patch/diff file for Snort for integrating with ClamAV:

    But you would probably require some extreme CPU power for this, and also higher latency for your throughput traffic.

  • We don't run Snort inline currently, so it would only be able to detect a virus that was passed, if that would even work. The problem with detecting viruses in network traffic using standard AV definitions is the entire file isn't going to be in a single packet. So the system would have to understand what application is being used to transfer the file, keep the entire contents of the file on the firewall, and then scan once the transfer is finished. Obviously you can't block it at that point. I don't see any feasible way to have effective antivirus on any network device using standard AV definitions. It may sound like a good idea, but if you know what's actually involved in having effective AV protection, it really isn't feasible. At a minimum there would be huge gaps in coverage.
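    An added illustration of the reassembly point made in the post above (constructed example, not code from this thread, pfSense, Snort or ClamAV): a signature scanner run one packet at a time misses a pattern that straddles a packet boundary, while the same scanner run over the reassembled transfer finds it. The signature bytes, the "file", the packet size and the reordering are all constructed here.

    ```python
    # Added example, not code from the thread or from pfSense/Snort/ClamAV.
    # Shows why per-packet scanning with file-based AV definitions fails and
    # why the whole transfer has to be buffered and reassembled before a scan.
    # SIGNATURE stands in for an AV definition; the file and packets are constructed.

    from typing import Dict, List, Tuple

    SIGNATURE = b"CONSTRUCTED-TEST-PATTERN-0001"  # constructed, 29 bytes

    Packet = Tuple[int, bytes]  # (stream offset, payload)


    def make_file(prefix_len: int) -> bytes:
        """Constructed file: filler, the pattern, then more filler."""
        return b"A" * prefix_len + SIGNATURE + b"B" * 64


    def packetize(data: bytes, mtu: int) -> List[Packet]:
        """Split a byte stream into fixed-size packets tagged with their offset."""
        return [(off, data[off:off + mtu]) for off in range(0, len(data), mtu)]


    def scan(blob: bytes) -> bool:
        """Minimal signature match; real engines also unpack and decode content."""
        return SIGNATURE in blob


    def per_packet_detections(packets: List[Packet]) -> int:
        """Count packets whose payload alone contains the full signature."""
        return sum(1 for _, payload in packets if scan(payload))


    def reassemble(packets: List[Packet]) -> bytes:
        """Order by stream offset (packets may arrive out of order) and join."""
        return b"".join(payload for _, payload in sorted(packets))


    def compare(prefix_len: int, mtu: int) -> Dict[str, object]:
        """Per-packet result versus result on the reassembled transfer."""
        data = make_file(prefix_len)
        pkts = packetize(data, mtu)
        arrived = list(reversed(pkts))  # constructed out-of-order arrival
        return {
            "packets": len(pkts),
            "per_packet_hits": per_packet_detections(pkts),
            "stream_hit": scan(reassemble(arrived)),
        }


    if __name__ == "__main__":
        # prefix 1450 with mtu 1460: the pattern starts 10 bytes before the boundary
        print(compare(1450, 1460))  # {'packets': 2, 'per_packet_hits': 0, 'stream_hit': True}
    ```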

  • There are products (UTM is the name) that try to do AV in a firewall. They have a proxy; the proxy takes the whole file being downloaded; the file is scanned; if OK the file is sent on.

    Mostly users have most of the features in the UTM switched off :-)

  • Yeah, UTM (Unified Threat Management) is the marketing term. Though you could just as easily call pfSense a UTM device, it has firewall, VPN, IDS/IPS, and some content filtering, and we're working to fill more of the check boxes that make a UTM device. Not because we think it's great (I still like to split out things a lot more than any UTM would with everything turned on), but because that's what people want.

