Snort_inline (Snort + ClamAV) for filtering viruses (now $125)



  • Hi @ll

    Which one of you would like to do the job?  ;)
    The goal is that there is a package for filtering viruses with Snort. I read that ClamAV could do the job, and there is already something
    out there with Snort, which can be found here: http://snort-inline.sourceforge.net/
    any feedback is welcome
    regards
    Andreas



  • Can you please give a pledge for this?



  • Yeah, you really need to provide a dollar value and a very detailed specification for exactly what you're looking for in order to get serious attention to your bounty.



  • I was doing some research on integrating ClamAV into the firewall as well and it doesn't appear that snort-inline supports pf.  Only netfilter and ipfw.



  • It can be done, but first I want to know the pledge.



  • Hi @ll

    The idea behind this is that there is a way to filter out viruses. I know that there are some firewalls out there which can do that, for example the products from Juniper.
    I'm a private person and cannot make a big bounty… how about $25?
    The goal is that there is a package for everyone in pfSense which can do the job.
    If you have more questions, just ask.
    regards
    Andreas



  • As for me, for now with this pledge I cannot dedicate much work to it, since it requires kernel changes.
    If others jump in i might reconsider that.

    Ermal



  • pfSense.org will add 50$ to this bounty.



  • I will pledge $25.00

    Please e-mail me daniel.watsonbros at gmail dot com to collect …



  • After doing some more research on other products this weekend, it appears some other products like Endian and Untangle leverage proxy servers to do antivirus scanning rather than attempting to scan all traffic with the IDS.

    Example, they integrate Clam with Squid for web scanning, or integrate clam with amavisd-new/postfix for SMTP scanning, etc…

    I did a lot of research on integrating it with Snort and I don't see any project out there that can do it.  There was a patch from a place called BleedingSnort, but that project died and I can't find the patch anywhere.



  • Hi @ll

    snort_inline was my first idea, but if it's not possible we have to find another way… there must be a way to integrate ClamAV; if others can do it, we can also do it ;)
    I will double the bounty from my first post from $25 to $50, if all people agree... so that will make a bounty of $125.



  • How far along was the old squid+clamav package that was available in the pre 1.0 days?  Perhaps someone could resurrect it.



  • Squid doesn't have a direct tie-in for using ClamAV, and requires the use of either an ICAP server or a redirector.  Using a redirector for this purpose is extremely inefficient because the redirector program would have to download each object, scan it, give a pass or no pass back to Squid, and then Squid would have to download the same object(s), cache them and send them along to the user.  The use of an ICAP server is a much better solution, but there are currently no stable, open-source ICAP servers for Squid on FreeBSD specifically for doing AV scanning.

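As an added illustration of the ICAP tie-in described in the post above (this fragment is not from the post, from Squid's documentation, or from pfSense), this is what the Squid side looks like when an ICAP server is available. It assumes Squid 3.1 or later built with the ICAP client, and a c-icap daemon running the squidclamav service on 127.0.0.1:1344; the service name `av_resp`, the address and the port are assumptions.

```conf
# squid.conf fragment (added example; assumed c-icap + squidclamav on 127.0.0.1:1344)
icap_enable on
# pass the client address so the ICAP side can log which host fetched the object
icap_send_client_ip on

# respmod_precache: the server's response is handed to the ICAP service once,
# before Squid caches or delivers it, so each object is downloaded and scanned
# exactly once (the double-download problem of a redirector does not arise).
icap_service av_resp respmod_precache icap://127.0.0.1:1344/squidclamav

# Squid's "bypass" option for an icap_service defaults to off, so if the ICAP
# server is down Squid returns an error instead of serving unscanned content.
adaptation_access av_resp allow all
```

A companion `reqmod_precache` service can be declared the same way if uploads (POST bodies) should be scanned as well; the vectoring point is the only thing that changes.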


  • Currently we use separate Linux boxes sitting inline just behind the firewall for running snort_inline with ClamAV (and other) preprocessors. For those who are interested, http://snortattack.org, http://www.openmaniak.com/inline_tutorial.php and http://www.inliniac.net will give you starting points on how to do it by yourself.

    Be warned though, running things inline is an almost certain way to bring your network down at some point. Snort might just crash, or newly downloaded rulesets contain errors that prevent Snort from restarting correctly after an update. We solved those by running monit to check the service status every minute and some dirty hand-written scripts that restore the previous ruleset if the new one is broken and redo the update run later.

    After getting it into one piece and running, we have had zero virus infections in an educational LAN with 100+ XP workstations (hundreds of drops so far on the inline boxes).  Encrypted traffic of course can't be scanned, but http://www.emergingthreats.net/ put up a very quickly updated IP blocklist for known botnets and so on. Kudos to them!

    IMHO Snort is a PITA as it's not even multi-processor capable. Of course we could run many Snort instances on different cores and assign just some ports & preprocessors per queue, but that's a bit complex and isn't easily adjustable to quickly changing traffic volumes per service. If anyone has written a decent script to do this on the fly I'd be more than interested!

    However, getting inline mode to pfsense would be a very nice addition. http://www.openbeer.it/?open=pq PQ project aims to do this for openbsd and thus it's probably portable but requires lots of work and kernel patches.
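
The "new ruleset prevents Snort from restarting" failure mode described in the post above is the kind of thing a small rollback script handles; the following is an added example (not the poster's scripts and not a pfSense package). It assumes a Snort 2.x install with the rules directory, staging directory and config path shown, and uses Snort's config-test mode (`snort -T`) as the validator; the paths and the `RELOAD` hook are assumptions to adjust. Monit, or whatever watches the process, still takes care of plain crashes; this script only makes sure a bad ruleset never becomes the live one.

```sh
#!/bin/sh
# Added example (not from the post): Snort ruleset update with a config test
# and automatic rollback to the previous ruleset if the new one fails to load.
#
#   RULES_DIR  live rules directory referenced by snort.conf          (assumed path)
#   STAGE_DIR  directory where the freshly downloaded rules were unpacked (assumed)
#   PREV_DIR   copy of the last known-good rules, kept for rollback      (assumed)
#   VALIDATE   command that exits 0 only if the live config loads; "snort -T"
#              parses the config plus rules and exits without sniffing
#   RELOAD     command run after a successful update, e.g. "service snort restart";
#              defaults to a no-op so the script can be tried safely

RULES_DIR="${RULES_DIR:-/usr/local/etc/snort/rules}"
STAGE_DIR="${STAGE_DIR:-/usr/local/etc/snort/rules.new}"
PREV_DIR="${PREV_DIR:-/usr/local/etc/snort/rules.prev}"
VALIDATE="${VALIDATE:-snort -T -c /usr/local/etc/snort/snort.conf}"
RELOAD="${RELOAD:-true}"

# replace_dir SRC DST: make DST an exact copy of SRC (DST is removed first)
replace_dir() {
    rm -rf "$2"
    cp -Rp "$1" "$2"
}

# update_rules: install the staged rules, test them, roll back on failure.
# Returns 0 if the new rules are live, 1 if the previous rules were restored
# (the caller should leave the staged set alone and retry the download later),
# 2 if there is nothing staged.
update_rules() {
    [ -d "$STAGE_DIR" ] || { echo "no staged ruleset in $STAGE_DIR" >&2; return 2; }
    replace_dir "$RULES_DIR" "$PREV_DIR"      # 1. keep the known-good set
    replace_dir "$STAGE_DIR" "$RULES_DIR"     # 2. install the new set
    if $VALIDATE >/dev/null 2>&1; then        # 3. does Snort accept it?
        $RELOAD
        echo "ruleset updated"
        return 0
    fi
    replace_dir "$PREV_DIR" "$RULES_DIR"      # 4. no: restore and report
    echo "new ruleset failed validation, previous ruleset restored" >&2
    return 1
}

# Run as a script with "run" as the argument; when sourced, only the
# functions are defined so they can be reused from other scripts.
case "${1:-}" in
    run) update_rules ;;
esac
```

Because the validator runs against the live config with the new rules already in place, the check covers exactly what Snort would see on restart, including rules that reference preprocessors or variables the config does not define.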

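The "one Snort instance per core, some ports per queue" setup the poster describes for Linux boxes can be generated from a short port-to-CPU list; the following is an added example (not the poster's script and not part of snort_inline or pfSense). It assumes Linux iptables with the NFQUEUE target and Snort 2.9 or later built with the nfq DAQ (`--daq nfq --daq-var queue=N`); the snort.conf path and the log directory layout are assumptions. The plan is printed by default and only executed when the first argument is `apply`.

```sh
#!/bin/sh
# Added example (not from the post): spread inline Snort over several cores
# by steering each service to its own NFQUEUE number and pinning one Snort
# instance to each queue/CPU with taskset.
#
# Spec format: "PORTS:CPU ..." where PORTS is a port or comma-separated list
# accepted by iptables' multiport match, or "any" for the catch-all queue.
# Entry N gets queue number N.  Example: "80,443:0 25:1 any:2"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed path
LOG_BASE="${LOG_BASE:-/var/log/snort}"             # assumed layout

# gen_queue_plan SPEC: print, per entry, the iptables rule that sends the
# traffic to queue N and the pinned Snort command that services queue N.
gen_queue_plan() {
    q=0
    for spec in $1; do
        ports=${spec%%:*}
        cpu=${spec#*:}
        if [ "$ports" = any ]; then
            match=""                                 # catch-all, must come last
        else
            match="-p tcp -m multiport --ports $ports"
        fi
        echo "mkdir -p $LOG_BASE/q$q"
        echo "iptables -A FORWARD $match -j NFQUEUE --queue-num $q"
        # -Q: inline mode; -D: daemonize; -l: per-instance log directory so
        # the instances do not fight over the same unified2 files
        echo "taskset -c $cpu snort -Q --daq nfq --daq-var queue=$q -c $SNORT_CONF -l $LOG_BASE/q$q -D"
        q=$((q + 1))
    done
}

case "${1:-}" in
    apply) gen_queue_plan "$2" | sh -e ;;   # execute the plan
    plan)  gen_queue_plan "$2" ;;           # dry run: just show it
esac
```

Rebalancing on the fly is then a matter of flushing the FORWARD rules and re-running the plan with a different port-to-CPU assignment; a per-instance `snort.conf` (fewer preprocessors for the SMTP queue, say) can be substituted for `SNORT_CONF` by extending the spec with a third field.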


  • How many people are still interested and consider this to be a useful feature to implement?



  • I will add $35

    I would love to see this addition!
    as long as it obeys our whitelist - i am happy :-)



  • Hi, we are looking for a firewall that regulates all the traffic for the internet. Now we are using SonicWall products, but their scalability is very expensive. We add a $100 bounty for the implementation of a working antivirus solution in pfSense, as long as it also works in coming versions.
    Thanks for the good work.

    Vortex



  • I'll throw in $35.

    Andy



  • From what I'm reading in all the replies the bounty should now be $295, but the thread title still says $125 … any particular reason (e.g. a pledge needs to be paid after declaring it)?

    Is cmb still the escrow? I would like to add $50 but even after reading rules and guidelines I'm still unsure on how to proceed.

    Thanks



  • The OP needs to amend the title of the post… and I'll throw $50 into the fray as well.



  • I donate $100 for this feature.

    thanks!



  • Yeah, this bounty is a candidate for retirement if the interest isn't there.  It's been active for almost a year with no serious interest.



  • Snort always gave me problems so I stopped using it.

    So I am wondering if just getting ClamAV working would be in our best interest, and later, when Snort's engine is mature enough that it can run on multiple cores, we can revisit it?


Locked