Re: Who doesn't care about virus rules, and why?

[kenw () kmsi net]

On Thu, 6 Nov 2003 09:01:15 -0600, "Schmehl, Paul L" <pauls () utdallas edu>
wrote:

> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net 
> > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
> > kenw () kmsi net
> > Sent: Wednesday, November 05, 2003 9:45 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Who doesn't care about virus rules, and why?
> >
> > The header of virus.rules says:
> >
> > > # NOTE: These rules are NOT being actively maintained.
> > <snip>
> > > # These rules are going away.  We don't care about virus 
> > rules anymore.
> >
> > Who are "we", and what makes them think these rules aren't important?
> It's not that they aren't important.  It's that no one seems to want to

The quote was "We don't care about virus rules anymore."   Seems fairly
clear.

> maintain them.  Doing so requires a great deal of work, and there *are*
> other, better methods of doing virus detection on a network.

Care to name one that actually gives the IP address of the source of the
attack?  None that I'm familiar with do.

> However, it might make sense to maintain a smaller collection of the
> network aware worms, such as Bugbear (which is what is most likely
> driving your customer's printers crazy), Funlove, Qaz, Lovgate, Sobig,
> et. al.  The problem is finding someone to do that.  I'd volunteer, but
> it's really hard for me to get samples (because of the protections we
> have in place), and I really don't have the time to set up a private
> network, infect a goat and capture its traffic so the signatures can be
> done right.

Neither do I.  But I've already effectively volunteered to collect and
redistribute contributions from others as time permits, and in the format
of my own choosing.  That's a whole lot better that doing nothing because
we can't do it all.

For a lot of computer geeks, we sure seem to have a problem with the
concept of optimization sometimes...

> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/ 

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw () kmsi net
www.kmsi.net


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users