Bug #458

closed

ClamAV fires on Suricata binary if unittests are enabled

Added by Victor Julien over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: High

Description

It appears that some of the unittests use Metasploit payloads, which are detected by ClamAV:

src/app-layer-dcerpc.o: Exploit.Fnstenv_mov-1 FOUND
src/detect-engine-dcepayload.o: Exploit.Fnstenv_mov-1 FOUND

Disabling unittests resolves the issue.

Please rewrite or remove the affected unittests.



Actions #1

Updated by Victor Julien over 12 years ago

  • Priority changed from Normal to High

Actions #2

Updated by Anoop Saldanha over 12 years ago

Patch attached. Disabled the unittest for now. Needs to be rewritten though.

Actions #3

Updated by Victor Julien over 12 years ago

After applying, one remains:

$ clamscan *o -i
detect-engine-dcepayload.o: Exploit.Fnstenv_mov-1 FOUND

Actions #4

Updated by Victor Julien over 12 years ago

  • Status changed from Assigned to Closed

Disabled the remaining tests causing this issue.
