Snort mailing list archives
Re: About virus.rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 17 May 2004 10:55:48 -0400
At 03:43 AM 5/17/2004, etienne.causse () pierre-fabre com wrote:
> "# NOTE: These rules are NOT being actively maintained.
> # These rules are going away. We don't care about virus rules anymore."
> Although, I see that there are more rules than the only one listed in this file on snort.org. So my question is quite simple: why is there no support for virus rules any more?
Simple answer: Because AFAIK nobody has volunteered to be the official maintainer of the rules.
There's also the matter that these rules look for viruses in SMTP or POP sessions. With the advent of free virus scanners and SMTP server virus scanning (i.e. clamav), one can do this job MUCH better using other tools.
Since server-side scanners have the opportunity to examine the data in any way they choose, and can spend several seconds doing it, they can achieve much higher accuracy than snort can. They have the time to look for thousands of signatures, and these signatures can be multi-part spanning the entire file.
Snort can only spend a very limited time examining the data (less than a millisecond), and the occurrence of examining more than 3k at a time is almost nonexistent, even with stream4. Since snort's timeframe is short, the number of signatures that can be loaded without missing packets is going to be a few hundred at most, certainly much less than an AV tool can search for. Snort also lacks the time to do data decoding (i.e. decoding base64, binhex, unzipping, etc.) and is limited to examining the data as it will appear in-flight on the wire.
Now, the snort virus rules aren't outright useless; using them with flexresp is a great way to reduce load on your SMTP server. However, their window of usefulness is significantly diminished by other tools, hence the lowered urgency of maintenance.
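As an added illustration of the two limits described in the reply above (this is not code from the thread or from the Snort project, and the signature string, boundary, addresses and the 3072-byte window are constructed assumptions): a base64-encoded attachment never shows its decoded bytes on the wire, so a raw content match misses it, and a signature that happens to straddle a fixed inspection window is missed when chunks are inspected without reassembly. Parsing the MIME structure and undoing the transfer encoding, which a server-side scanner has the time to do, finds both.

```python
import base64
import email

# Constructed stand-in for an AV signature; not a real malware pattern.
# It contains '-' so it can never appear literally inside base64 text.
SIGNATURE = b"CONSTRUCTED-SAMPLE-MARKER-xyz9"
BOUNDARY = b"constructed-boundary"


def build_message(attachment: bytes, encode: bool) -> bytes:
    """Assemble a constructed two-part MIME mail as it would cross the wire.
    encode=True wraps the attachment in base64 the way mailers do; encode=False
    ships the raw bytes with Content-Transfer-Encoding: 8bit."""
    if encode:
        b64 = base64.b64encode(attachment)
        body = b"\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
        cte = b"base64"
    else:
        body = attachment
        cte = b"8bit"
    lines = [
        b"From: sender@example.invalid",
        b"To: recipient@example.invalid",
        b"Subject: constructed sample",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="' + BOUNDARY + b'"',
        b"",
        b"--" + BOUNDARY,
        b"Content-Type: text/plain",
        b"",
        b"plain body",
        b"--" + BOUNDARY,
        b"Content-Type: application/octet-stream",
        b"Content-Transfer-Encoding: " + cte,
        b'Content-Disposition: attachment; filename="sample.bin"',
        b"",
        body,
        b"--" + BOUNDARY + b"--",
        b"",
    ]
    return b"\r\n".join(lines)


def wire_match(raw: bytes, sig: bytes) -> bool:
    """Content match over the stream exactly as it appears on the wire:
    no MIME parsing, no transfer decoding. This is the view an in-flight
    content rule gets."""
    return sig in raw


def chunked_wire_match(raw: bytes, sig: bytes, window: int = 3072) -> bool:
    """Same on-the-wire match, but each fixed-size chunk is inspected on its
    own with no reassembly across chunk edges, modelling a bounded inspection
    window (3k is the figure quoted in the reply)."""
    return any(sig in raw[i:i + window] for i in range(0, len(raw), window))


def decode_then_scan(raw: bytes, sig: bytes) -> bool:
    """What a server-side scanner can afford: parse the MIME structure, undo
    the transfer encoding of every leaf part, and search the full payload."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload and sig in payload:
            return True
    return False


def straddling_attachment(sig: bytes, window: int = 3072) -> bytes:
    """Build an unencoded attachment padded so that `sig` lands across a
    chunk edge of `window` bytes in the assembled message."""
    idx0 = build_message(sig, encode=False).index(sig)   # offset with no padding
    pad = (window - len(sig) // 2 - idx0) % window       # shift sig onto the edge
    return b"A" * pad + sig


def demo() -> dict:
    """Run the three detection strategies over both constructed messages."""
    encoded = build_message(b"harmless prefix " + SIGNATURE, encode=True)
    raw8bit = build_message(straddling_attachment(SIGNATURE), encode=False)
    return {
        "b64_wire": wire_match(encoded, SIGNATURE),               # False
        "b64_decoded": decode_then_scan(encoded, SIGNATURE),      # True
        "8bit_wire": wire_match(raw8bit, SIGNATURE),              # True
        "8bit_chunked": chunked_wire_match(raw8bit, SIGNATURE),   # False
        "8bit_decoded": decode_then_scan(raw8bit, SIGNATURE),     # True
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:13s} {'HIT' if hit else 'miss'}")
```

The full-stream `wire_match` is the best case for in-flight inspection and still misses the base64 message; `chunked_wire_match` shows that even an unencoded attachment can slip past a bounded window, which is why the reply treats server-side scanning of the decoded file as the tool that should carry this job.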