Snort mailing list archives
Re: Who doesn't care about virus rules, and why?
From: kenw () kmsi net
Date: Thu, 06 Nov 2003 08:35:23 -0700
On Thu, 6 Nov 2003 09:01:15 -0600, "Schmehl, Paul L" <pauls () utdallas edu> wrote:
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of kenw () kmsi net
Sent: Wednesday, November 05, 2003 9:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Who doesn't care about virus rules, and why?

The header of virus.rules says:

# NOTE: These rules are NOT being actively maintained.
<snip>
# These rules are going away. We don't care about virus rules anymore.

Who are "we", and what makes them think these rules aren't important?

It's not that they aren't important. It's that no one seems to want to
The quote was "We don't care about virus rules anymore." Seems fairly clear.
maintain them. Doing so requires a great deal of work, and there *are* other, better methods of doing virus detection on a network.
Care to name one that actually gives the IP address of the source of the attack? None that I'm familiar with do.
However, it might make sense to maintain a smaller collection of the network aware worms, such as Bugbear (which is what is most likely driving your customer's printers crazy), Funlove, Qaz, Lovgate, Sobig, et al. The problem is finding someone to do that. I'd volunteer, but it's really hard for me to get samples (because of the protections we have in place), and I really don't have the time to set up a private network, infect a goat and capture its traffic so the signatures can be done right.
Neither do I. But I've already effectively volunteered to collect and redistribute contributions from others as time permits, and in the format of my own choosing. That's a whole lot better than doing nothing because we can't do it all. For a lot of computer geeks, we sure seem to have a problem with the concept of optimization sometimes...
Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/
/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA K&M Systems Integration Phone (403)274-7848 Fax (403)275-4535 kenw () kmsi net www.kmsi.net