It's just a matter of how much traffic you deal with. I suppose you can write a netfilter handler which puts connection (yes, conntrack) data to userspace, which thereby can be handled by any AV scanner (clamd, for example). But beware, you have to be watching tons of simultaneous data streams on the fly, which requires lots of computing power. If you've got like 50 users, a normal decent machine would be able to handle the task, but if it's a matter of 200 Mbit/s flowing around the interfaces, just forget it. The shit about connection scanning is you have to reassemble the connection before being able to scan anything. It's true decent AV scanning is about code stamping and Bayesian/heuristics, but AV scanners are not built to work on TCP streams yet. A single dirty hack is to set all stream data into a socket and open it as a filehandle, but that would be TOO SLOW.
A simple answer to the question of yours is: NO, there's just no solution which you can apt-get install networkavscanner and let it work.
P.S. Promiscuous mode is not the right thing here; the data should actually FLOW through the so-called AV scanner. Promiscuous mode will do the trick if your network is built out of hubs entirely.
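The point above about having to reassemble the connection before scanning, as an added example that is not part of the original thread: the code below cuts a constructed HTTP response carrying the EICAR test string into TCP segments, delivers them out of order with a duplicate, and shows that a packet-at-a-time scanner never sees the signature while the reassembled stream does. The "scanner" is a plain substring match standing in for a real engine such as clamd, and the capture path (a netfilter/NFQUEUE handler feeding segments to userspace) is assumed rather than implemented; the segment sizes and sequence numbers are made up for the demo.

```python
"""Reassemble one direction of a TCP stream before scanning it.

Added example, not code from the original post. The signature database
and scan() are stand-ins for a real AV engine (assumption: a deployment
would hand the reassembled buffer to clamd/libclamav instead), and the
segments are constructed by hand rather than taken from netfilter.
"""

# EICAR anti-virus test string: harmless, and every AV engine detects it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Stand-in signature database (assumption; a real engine has far more).
SIGNATURES = {"Eicar-Test-Signature": EICAR}


def scan(buf: bytes) -> list[str]:
    """Return the names of all signatures found in buf (substring match)."""
    return [name for name, sig in SIGNATURES.items() if sig in buf]


def segments_from(isn: int, data: bytes, chunk_sizes: list[int]) -> list[tuple[int, bytes]]:
    """Cut data into TCP segments as (seq, payload), numbering from isn + 1.

    The sizes must add up to len(data); this only exists to build test input.
    """
    segs, seq = [], isn + 1
    for n in chunk_sizes:
        segs.append((seq, data[:n]))
        data, seq = data[n:], seq + n
    if data:
        raise ValueError("chunk sizes do not cover the whole payload")
    return segs


def reassemble(isn: int, segments: list[tuple[int, bytes]]) -> tuple[bytes, bool]:
    """Rebuild the stream from (seq, payload) segments in any order.

    isn is the SYN's sequence number, so stream byte 0 is seq isn + 1.
    Duplicates and overlaps are tolerated (first byte seen for an offset
    wins). Reassembly stops at the first gap so that the scanner is never
    handed a buffer with silent holes; the second return value says
    whether such a gap exists.
    """
    stream: dict[int, int] = {}            # stream offset -> byte value
    for seq, payload in segments:
        base = seq - (isn + 1)
        for i, b in enumerate(payload):
            stream.setdefault(base + i, b)
    out = bytearray()
    pos = 0
    while pos in stream:                   # walk contiguous bytes only
        out.append(stream[pos])
        pos += 1
    total = max(stream) + 1 if stream else 0
    return bytes(out), len(out) < total


def demo() -> tuple[list[list[str]], list[str], bool, bool]:
    """Per-packet scan results, reassembled scan result, gap flag, exactness."""
    isn = 1000
    # Constructed HTTP response: 39 bytes of headers, then the 68-byte EICAR body.
    payload = b"HTTP/1.1 200 OK\r\nContent-Length: 68\r\n\r\n" + EICAR
    # Boundaries at 20, 50 and 75 split EICAR (offsets 39..106) over three segments.
    segs = segments_from(isn, payload, [20, 30, 25, len(payload) - 75])
    wire = [segs[2], segs[0], segs[3], segs[1], segs[2]]   # out of order + duplicate
    per_packet = [scan(p) for _, p in wire]                # packet-at-a-time scanner
    data, gap = reassemble(isn, wire)
    return per_packet, scan(data), gap, data == payload


if __name__ == "__main__":
    print(demo())
```

Running it prints empty per-packet results, a single hit on the reassembled stream, no gap, and an exact match against the original payload. The byte-per-offset dictionary is deliberately simple; the cost of doing this for every concurrent stream at line rate is exactly the computing-power problem the post describes.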