Snort_inline (Snort + ClamAV) for filtering viruses (now $125)
-
Currently we use separate Linux boxes sitting inline just behind the firewall for running snort_inline with the clamav (and other) preprocessors. For those who are interested, http://snortattack.org, http://www.openmaniak.com/inline_tutorial.php and http://www.inliniac.net will give you starting points for how to do it yourself.
Be warned though, running things inline is an almost certain way to bring your network down at some point. Snort might just crash, or newly downloaded rulesets contain errors that prevent snort from restarting correctly after the update. We solved those by running monit to check the service status every minute and some dirty hand-written scripts that restore the previous ruleset if the new one is broken and redo the update run later.
After getting it in one piece and running we have had zero virus infections in an educational LAN with 100+ XP workstations (hundreds of drops so far on the inline boxes). Encrypted traffic can't of course be scanned, but http://www.emergingthreats.net/ put up a very quickly updated IP blocklist for known botnets and so on. Kudos to them!
IMHO snort is a PITA as it's not even multi-processor capable. Of course we could run many snort instances on different cores and assign just some ports & preprocessors per queue, but that's a bit complex and isn't easily adjustable to quickly changing traffic volumes per service. If anyone has written a decent script to do this on the fly I'd be more than interested!
However, getting inline mode into pfSense would be a very nice addition. The PQ project at http://www.openbeer.it/?open=pq aims to do this for OpenBSD and thus it's probably portable, but it requires lots of work and kernel patches.
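The "restore the previous ruleset if the new one is broken" part of the post is worth seeing as code. The script below is an added example, not the poster's own scripts: it backs up the live rules directory, swaps in the freshly downloaded one, validates it, and rolls back if validation fails. The paths (`/etc/snort/rules`, `/etc/snort/rules.prev`, `/etc/snort/snort.conf`), the variable names and the cheap lint heuristic are assumptions; the only snort feature relied on is `snort -T -c <conf>`, which parses the config and rules and exits non-zero on error.

```shell
#!/bin/sh
# Added example, not code from the thread: a ruleset update wrapper that keeps the
# last known-good rules and rolls back when the new set fails validation.
# Paths, variable names and the lint heuristics are assumptions.

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"        # live ruleset (assumed path)
BACKUP_DIR="${BACKUP_DIR:-/etc/snort/rules.prev}" # last known-good copy (assumed path)
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}" # config that snort -T will parse
SNORT_BIN="${SNORT_BIN:-snort}"                   # point at a bogus path to skip snort -T

# Cheap syntax check that needs no snort binary: every rule must start with a
# known action keyword and end with ')', after joining backslash continuations.
# It only catches gross breakage (truncated downloads, typos); snort -T is the real gate.
lint_rules() {
    dir="$1"
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue
        awk '
            /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }  # join continued lines
            { line = buf $0; buf = "" }
            line ~ /^[ \t]*(#|$)/ { next }                           # skip comments and blanks
            {
                sub(/^[ \t]+/, "", line)
                split(line, w, /[ \t]+/)
                if (w[1] !~ /^(alert|log|pass|drop|reject|sdrop|activate|dynamic)$/ ||
                    line !~ /\)[ \t]*$/) {
                    print FILENAME ":" NR ": bad rule: " line | "cat 1>&2"
                    bad++
                }
            }
            END { exit bad > 0 }
        ' "$f" || return 1
    done
    return 0
}

# Full check, when the binary is present: snort -T parses config plus rules
# and exits non-zero on any error.
validate_ruleset() {
    lint_rules "$RULES_DIR" || return 1
    if command -v "$SNORT_BIN" >/dev/null 2>&1; then
        "$SNORT_BIN" -T -c "$SNORT_CONF" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# install_ruleset NEW_DIR: back up the live rules, swap in NEW_DIR, validate,
# and restore the backup if validation fails. Returns 0 when the new ruleset is
# live, 1 when it was rejected and the previous one restored.
install_ruleset() {
    new="$1"
    rm -rf "$BACKUP_DIR"
    cp -R "$RULES_DIR" "$BACKUP_DIR"
    rm -rf "$RULES_DIR"
    cp -R "$new" "$RULES_DIR"
    if validate_ruleset; then
        echo "ruleset from $new installed" >&2
        return 0
    fi
    rm -rf "$RULES_DIR"
    cp -R "$BACKUP_DIR" "$RULES_DIR"
    echo "ruleset from $new rejected, previous ruleset restored" >&2
    return 1
}

# Stand-alone use: install_ruleset <directory-with-new-rules>
if [ $# -eq 1 ]; then
    install_ruleset "$1"
fi
```

Run it from the ruleset-update cron job and only signal snort to reload (or let monit restart it) when it returns 0; a non-zero exit means the old rules are still in place and the update can simply be retried later, which is the behaviour the post describes. monit's job stays separate: it watches the daemon's pid and restarts it if snort itself dies, while this wrapper makes sure a restart never happens against a broken ruleset.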
-
How many people are still interested and consider this a useful feature to be implemented?
-
I will add $35
I would love to see this addition!
As long as it obeys our whitelist - I am happy :-)
-
Hi, we are looking for a firewall that regulates all the traffic for the internet. Now we are using Sonicwall products, but their scalability is very expensive. We add a $100 bounty for the implementation of a working antivirus solution in pfSense, as long as it also works in coming versions.
Thanks for the good work.
Vortex
-
I'll throw in $35.
Andy
-
From what I'm reading in all the replies the bounty should now be $295, but the thread title still points to $125 … any particular reason (e.g. a pledge needs to be paid after declaring it)?
Is cmb still the escrow? I would like to add $50 but even after reading rules and guidelines I'm still unsure on how to proceed.
Thanks
-
The OP needs to amend the title of the post… and I'll throw $50 into the foray as well.
-
I donate $100 for this feature.
thanks!
-
Yeah, this bounty is a candidate for retirement if the interest isn't there. It's been active for almost a year with no serious interest.
-
Snort always gave me problems so I stopped using it.
So I am wondering if just getting clamav working would be in our best interest, and later, when snort's engine is mature enough that it can run with multiple cores, we can revisit it?