Snort mailing list archives

Re: Signatures


From: Michael Boman <michael.boman () securecirt com>
Date: 05 Jun 2003 23:43:29 +0800

On Thu, 2003-06-05 at 15:59, Vuppala, Vijaybhasker (EM, GECIS) wrote:
> Hi..
> 
> I'm new to the snort community, forgive me if I ask any silly questions.
> 
> I just wanted to check, at what frequency SNORT signatures are updated and
> how soon a signature would be available for the new virus attacks.

Virus rules are very seldom updated, because generally you should
use the right tool for the job (in this case a virus scanner). Even if
you could detect the viruses, what would you do about them? Reset/block
the communication? The email server tries to send it again, or the email
client can't access the other mails.

Also, virus rules would need to contain a fair bit of content matching,
and that is something a signature-based IDS tries to avoid as much as
possible, as it is a very expensive (resource-wise) operation to do
content matching.

Also, with all the new viruses coming out every day no-one has the time
(apparently) to take the job as virus.rules maintainer.

But when it comes to exploits it's pretty quick, but the time depends on
how easy it is to fingerprint the attack (preferably the attack and
not the tool).

However, I have no examples right now to prove my point, but the header
of virus.rules gives you an idea:

# $Id: virus.rules,v 1.18 2003/05/30 19:36:14 cazz Exp $
<snip>
# NOTE: These rules are NOT being actively maintained.
<snip>
# These rules are going away.  We don't care about virus rules anymore.


Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
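The point about fingerprinting the attack rather than the tool, illustrated with an added example that is not part of the mailing list post and not Snort's own code: a tiny matcher for the `content:`/`nocase` subset of Snort rule options, run over constructed HTTP requests. The two rules (sids 1000001 and 1000002), the "ExampleScanner" user agent and the sample requests are all made up for this illustration; the matcher ignores every Snort option other than `msg`, `sid`, `content` and `nocase`.

```python
"""
Added example: a minimal matcher for the `content:` option of Snort-style
rules, used to compare a rule that fingerprints a tool with a rule that
fingerprints the attack itself. Rule and payload samples are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    msg: str
    contents: list  # list of (needle bytes, nocase flag), in rule order


def parse_rule(text: str) -> Rule:
    """Extract msg, sid and each content:"..." (with an optional nocase) from the options."""
    opts = text[text.index("(") + 1 : text.rindex(")")]
    msg = re.search(r'msg:"([^"]*)"', opts).group(1)
    sid = int(re.search(r"sid:(\d+)", opts).group(1))
    contents = []
    for m in re.finditer(r'content:"([^"]*)"((?:;\s*nocase)?)', opts):
        contents.append((m.group(1).encode(), bool(m.group(2))))
    return Rule(sid, msg, contents)


def matches(rule: Rule, payload: bytes) -> bool:
    """A rule fires only if every content: string is found in the payload.

    Each content: keyword costs one substring search per packet, which is the
    'expensive' part the post refers to; virus rules would need many of them.
    """
    for needle, nocase in rule.contents:
        hay = payload.lower() if nocase else payload
        nd = needle.lower() if nocase else needle
        if nd not in hay:
            return False
    return True


# Constructed rules (hypothetical sids): one keys on the scanning tool's
# User-Agent, the other on the traversal attempt regardless of client.
TOOL_RULE = parse_rule(
    'alert tcp any any -> any 80 (msg:"WEB-MISC example-scanner user agent"; '
    'content:"User-Agent: ExampleScanner"; nocase; sid:1000001;)'
)
ATTACK_RULE = parse_rule(
    'alert tcp any any -> any 80 (msg:"WEB-MISC directory traversal attempt"; '
    'content:"../"; content:"/etc/passwd"; sid:1000002;)'
)

# Constructed HTTP requests: the same traversal attempt from the scanner and
# from a browser, plus a harmless request from the scanner.
SAMPLES = {
    "scanner_traversal": b"GET /../../../etc/passwd HTTP/1.0\r\nUser-Agent: ExampleScanner/1.0\r\n\r\n",
    "browser_traversal": b"GET /../../../etc/passwd HTTP/1.0\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "scanner_benign": b"GET /index.html HTTP/1.0\r\nUser-Agent: ExampleScanner/1.0\r\n\r\n",
}


def evaluate(rules, samples):
    """Return {sample name: [sid of every rule that fires on it]}."""
    return {name: [r.sid for r in rules if matches(r, p)] for name, p in samples.items()}


if __name__ == "__main__":
    for name, sids in evaluate([TOOL_RULE, ATTACK_RULE], SAMPLES).items():
        print(f"{name:18s} -> {sids}")
```

Running it shows the trade-off the post describes: the tool rule misses the identical attack when it comes from a browser and fires on the scanner's harmless request, while the attack rule fires on both traversal attempts and stays quiet on the benign one, at the price of a second content search per packet.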
