Snort mailing list archives
Re: Signatures
From: Michael Boman <michael.boman () securecirt com>
Date: 05 Jun 2003 23:43:29 +0800
On Thu, 2003-06-05 at 15:59, Vuppala, Vijaybhasker (EM, GECIS) wrote:
Hi.. I'm new to the Snort community, forgive me if I ask any silly questions. I just wanted to check at what frequency SNORT signatures are updated and how soon a signature would be available for new virus attacks.
Virus rules are very seldom updated, because generally you should use the right tool for the job (in this case a virus scanner). Even if you could detect the viruses, what would you do about them? Reset/block the communication? The email server tries to send it again, or the email client can't access the other mails.

Also, virus rules would need to contain a fair bit of content matching, and that is something signature-based IDS tries to avoid as much as possible, as it is a very expensive (resource-wise) operation to do content matching. Also, with all the new viruses coming out every day, no one has the time (apparently) to take the job as virus.rules maintainer.

But when it comes to exploits it's pretty quick, but the time depends on how easy it is to fingerprint the attack (preferably the attack and not the tool).

However, I have no examples right now to prove my point, but the header of virus.rules gives you an idea:

# $Id: virus.rules,v 1.18 2003/05/30 19:36:14 cazz Exp $
<snip>
# NOTE: These rules are NOT being actively maintained.
<snip>
# These rules are going away. We don't care about virus rules anymore.

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com