Jason Haar wrote:
Eric Scopinho wrote:

But if I do that, some side effects could happen like:

- I'll need free space to store the file.
- The infected packets may get in while I store the next packets to scan.
- I have to download the whole file before sending it to the end-user.


How else could you catch a virus whose signature happens to cross packet boundaries?

I assume you are talking about snort-inline plus the ClamAV preprocessor? As such you should be asking them. To be honest this isn't a problem the ClamAV people can help you with - it's not their fault your viruses don't arrive in nice 1500 byte chunks ;-)

However, I think you'll be out of luck. The only "network virus scanners" I know of are big beasts - because they effectively have to inline translate packets back to specific protocols (such as SMB/CIFS), pull the data content out, then run real AV over the fully formed files (or at least some largish data window). How they do that inline and manage to drop the session (i.e. killing the virus download) is a bit beyond me - I guess they rely on a RSET on the last packet being enough to cause the entire transfer to fail?


Yes, I'm talking about something like snort-inline+Clamav, but the problem with that is exactly the problem with zip files. I understand what you said and I was just wondering if maybe there was some way to create signatures for this kind of situation. That's why I wrote to this list.

Maybe your last comments should be a good direction to follow. Thanks.

E.S
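The point Jason makes above (a per-packet scanner cannot match a signature that straddles a segment boundary, so network scanners reassemble the stream or at least keep a "largish data window") is easy to see in code. The following is an added example, not code from this thread, from ClamAV or from snort-inline; the signature, payload and segment size are all constructed, and the reassembler is a minimal in-order buffer keyed by sequence number rather than a real TCP stack.

```python
"""Why per-packet scanning misses straddling signatures, and two defender-side
fixes: full stream reassembly, and a bounded sliding window that carries the last
len(signature) - 1 bytes from one segment into the next. All data is constructed."""

# Constructed stand-in for an AV pattern; 31 bytes long.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-7f3a"


def split_into_segments(payload: bytes, mss: int):
    """Cut a byte stream into fixed-size segments (a crude model of TCP MSS)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def scan_per_packet(segments, signature: bytes) -> bool:
    """Naive approach: look at each segment on its own. A pattern that starts in
    one segment and ends in the next is never seen whole."""
    return any(signature in seg for seg in segments)


class StreamReassembler:
    """Minimal reassembly keyed by byte offset (sequence number). Out-of-order
    segments wait in `pending` until the gap before them is filled, which is the
    part inline scanners must get right before they can scan anything."""

    def __init__(self, initial_seq: int):
        self.next_seq = initial_seq
        self.pending = {}
        self.data = bytearray()

    def add(self, seq: int, segment: bytes) -> None:
        self.pending[seq] = segment
        while self.next_seq in self.pending:
            seg = self.pending.pop(self.next_seq)
            self.data += seg
            self.next_seq += len(seg)

    def scan(self, signature: bytes) -> bool:
        """Scan the fully reassembled stream (what 'run real AV over the file' needs)."""
        return signature in bytes(self.data)


def scan_sliding_window(segments, signature: bytes) -> bool:
    """Bounded-memory alternative for plain (uncompressed) payloads: prepend the
    tail of the previous segment so any straddling match is visible. Keeping
    len(signature) - 1 bytes is exactly enough; less would reopen the gap."""
    overlap = len(signature) - 1
    carry = b""
    for seg in segments:
        buf = carry + seg
        if signature in buf:
            return True
        carry = buf[-overlap:] if overlap else b""
    return False


def demo() -> dict:
    """Constructed transfer: 90 filler bytes, the signature, 60 more bytes, cut
    into 100-byte segments so the signature spans the first boundary."""
    payload = b"A" * 90 + SIGNATURE + b"B" * 60
    segments = split_into_segments(payload, 100)

    # Deliver segments in reverse order to show the reassembler copes with it.
    offsets = [sum(len(s) for s in segments[:i]) for i in range(len(segments))]
    reassembler = StreamReassembler(0)
    for seq, seg in reversed(list(zip(offsets, segments))):
        reassembler.add(seq, seg)

    return {
        "per_packet": scan_per_packet(segments, SIGNATURE),        # False
        "reassembled": reassembler.scan(SIGNATURE),                 # True
        "sliding_window": scan_sliding_window(segments, SIGNATURE), # True
        "bytes_buffered": len(reassembler.data),                    # 181
    }


if __name__ == "__main__":
    print(demo())
```

The sliding window answers only the plain-text case Jason raises. It does nothing for the zip problem Eric mentions, because a compressed archive has to be buffered in full and decompressed before any file-level signature can apply, which is why the "big beasts" end up storing the whole object and why the free-space and delay side effects in Eric's list are unavoidable for that case.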
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html