Snort mailing list archives

Re: Viirus rules


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 02 Feb 2004 11:35:08 -0500

At 04:01 AM 2/2/2004, Michael.Mulholland () dfpni gov uk wrote:
I'm using the IDS Policy Manager to download new rules and push them out to
a number of sensors, but the virus set has a note claiming these rules are
not actively updated.

I'm relatively new to Snort, so I'm not sure how I should keep my signatures
up to date with the large number of virus and other such attacks out there.

Do I need to write my own signatures? If so, where do I find the details on
what content to scan for?

Many thanks to anyone who takes the time to read this, and more so to those
who reply.


The virus rules are updated. However, there's no official maintainer who actively spends his/her time working on the ruleset, so updates are irregular and not comprehensive.


To be honest with you, all of the virus rules for Snort look for a virus coming in over SMTP email. There's very little reason to use Snort to do virus scanning of emails.

There are free tools out there that do this job significantly better. Snort isn't designed to do the work of a virus scanner; it's an IDS. Let ClamAV (open source), Sophos, Norton, or whatever scanner you want take care of your viruses on an "up-to-date" basis. Take ClamAV, tack on amavis, MailScanner or some other mail-integration tool, and you've got free virus scanning at the MTA level.

Since there are free tools that do virus scanning very well, Snort's limited developer resources are better spent on network attack signatures, and not email worm signatures. Not that virus sigs are useless in Snort, but there are by far more important things to cover.

However, should you choose to write virus signatures, I'm sure that some people would appreciate it if you posted them on snort-sigs.

Just my 2c on the matter.


