Snort mailing list archives
Who doesn't care about virus rules, and why?
From: kenw () kmsi net
Date: Wed, 05 Nov 2003 20:45:02 -0700
The header of virus.rules says:
# NOTE: These rules are NOT being actively maintained.
<snip>
# These rules are going away. We don't care about virus rules anymore.
Who are "we", and what makes them think these rules aren't important?

Granted, virus detection probably doesn't fit well into the usual IDS paradigm. But snort-based virus detection fits very well into some requirements I have, occasionally -- like, now.

I support many small business sites. Sometimes I get called in because a site has been poorly protected and needs cleaning up. It's one thing to look after a clean site with well-maintained AV protection; it's quite another to inherit a mess, and have to straighten it out.

Most of the popular viruses these days are heavy on the network traffic. One thing that can really help is a network-based detector that can quickly identify sources of infection. Another is a way to tell whether I really have things cleaned up when I think I do.

For example, I have a site that seems to be reporting the occasional infected temporary print spool file. My AV software reports them, but gives no clue where they might have come from. Snort should be able to make short work of finding the source.

So, at the moment, I'm collecting all the virus.rules I can find. And I fully plan to post the result here. I have neither the time nor the inclination to do anything more formal, but I can contribute that much.

If anybody has collections they want to share, I'm interested. And if anybody wants to dispute my point of view, well, I'm all ears: enlighten me.

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848 Fax (403)275-4535
kenw () kmsi net
www.kmsi.net
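The two uses the post describes, finding the source of an infection from network alerts and checking whether a clean-up actually took, come down to working through Snort's alert output per source host. The script below is an added example, not code from the original post or from the Snort project: it parses Snort's one-line "fast" alert format, keeps the alerts that look virus- or worm-related, tallies them per source address, and lists which sources are still alerting after a given time. The alert lines, the message texts, the local-range signature IDs (1000001 and up) and the choice of what counts as a "virus" alert (message text containing "virus", or the trojan-activity classification) are all constructed assumptions for this example and would be adjusted to whatever virus rules are actually loaded.

```python
"""Find infection sources from Snort "fast" alert output.

Added example; not from the original post or the Snort project. The alert
lines, sids and message texts below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Snort fast alert format, one alert per line:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: text]
#   [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# The Classification field is absent for rules without a classtype, and
# ICMP alerts carry no ports, so both are optional here.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))? -> (?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real Snort output); sids are in the
# local-rule range and the messages are placeholders.
SAMPLE_ALERTS = """\
11/05-20:45:02.101234 [**] [1:1000001:1] LOCAL Virus - worm share scan [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.23:1377 -> 192.168.1.50:445
11/05-20:45:02.204567 [**] [1:1000001:1] LOCAL Virus - worm share scan [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.23:1378 -> 192.168.1.51:445
11/05-20:45:03.000001 [**] [1:1000002:1] LOCAL Virus - mass mailer SMTP burst [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.23:1390 -> 10.0.0.5:25
11/05-20:45:04.500000 [**] [1:1000003:1] LOCAL Virus - worm ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.1
11/05-20:45:05.123456 [**] [1:1000010:1] LOCAL web server probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:51234 -> 192.168.1.50:80
11/05-20:50:00.000000 [**] [1:1000004:2] LOCAL backdoor IRC beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.77:4321 -> 203.0.113.8:6667
this line is not an alert and is skipped
"""


def parse_fast_alert(line):
    """Return a dict of fields for one fast alert line, or None if it does not parse."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    alert["cls"] = alert["cls"] or ""
    return alert


def is_virus_alert(alert):
    """Selector (an assumption for this example): the message mentions a
    virus, or the rule's classtype is trojan-activity, which Snort prints
    as "A Network Trojan was detected". Adjust to the rules actually loaded."""
    return ("virus" in alert["msg"].lower()
            or alert["cls"] == "A Network Trojan was detected")


def infection_sources(lines, selector=is_virus_alert):
    """Tally selected alerts per source address.

    Returns (counts, sids): counts maps src -> number of alerts, sids maps
    src -> set of signature IDs that fired, so both how noisy a host is and
    what it was caught doing are visible."""
    counts = Counter()
    sids = defaultdict(set)
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or not selector(alert):
            continue
        counts[alert["src"]] += 1
        sids[alert["src"]].add(alert["sid"])
    return counts, dict(sids)


def sources_since(lines, since_ts, selector=is_virus_alert):
    """Source addresses with selected alerts at or after since_ts.

    since_ts uses the fast-log form MM/DD-HH:MM:SS.usec; every field is
    zero-padded, so plain string comparison orders timestamps correctly
    within one year. Pass the time the clean-up finished: any address
    that still appears is not clean."""
    still_alerting = set()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and selector(alert) and alert["ts"] >= since_ts:
            still_alerting.add(alert["src"])
    return still_alerting


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    counts, sids = infection_sources(lines)
    for src, n in counts.most_common():
        print(f"{src:15} {n:3} alerts  sids {sorted(sids[src])}")
    print("still alerting after clean-up:",
          sorted(sources_since(lines, "11/05-20:46:00.000000")))
```

Run against a real alert file (`snort -A fast` output) the same way, replacing `SAMPLE_ALERTS.splitlines()` with the file's lines. The selector is deliberately a separate function because old virus rule sets varied in how they labelled messages and classtypes; matching on the loaded rules' own sids is the more robust choice once the collection is known.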