Snort mailing list archives

Who doesn't care about virus rules, and why?


From: kenw () kmsi net
Date: Wed, 05 Nov 2003 20:45:02 -0700

The header of virus.rules says:

# NOTE: These rules are NOT being actively maintained.
<snip>
# These rules are going away.  We don't care about virus rules anymore.

Who are "we", and what makes them think these rules aren't important?

Granted, virus detection probably doesn't fit well into the usual IDS
paradigm.  But snort-based virus detection fits very well into some
requirements I have, occasionally -- like, now.

I support many small business sites.  Sometimes I get called in because a
site has been poorly protected and needs cleaning up.  It's one thing to
look after a clean site with well-maintained AV protection; it's quite
another to inherit a mess, and have to straighten it out.

Most of the popular viruses these days are heavy on the network traffic.
One thing that can really help is a network-based detector that can quickly
identify sources of infection.  Another is a way to tell whether I really
have things cleaned up when I think I do.

For example, I have a site that seems to be reporting the occasional
infected temporary print spool file.  My AV software reports them, but
gives no clue where they might have come from.  Snort should be able to
make short work of finding the source.

So, at the moment, I'm collecting all the virus.rules I can find.  And I
fully plan to post the result here.  I have neither the time nor the
inclination to do anything more formal, but I can contribute that much.

If anybody has collections they want to share, I'm interested.  

And if anybody wants to dispute my point of view, well, I'm all ears:
enlighten me.

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw () kmsi net
www.kmsi.net
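As an added illustration of the use case described in the post above (pulling the source host out of virus-rule alerts, and checking whether any host is still alerting after a cleanup), here is a small Python script that parses Snort "fast" alert-log lines. It is not part of the original post or of Snort. The SIDs, rule messages, timestamps and addresses in the sample are constructed placeholders, not entries from the real virus.rules file.

```python
import re

# Constructed sample Snort fast-format alert lines (not from the original post).
# SIDs 900001/900002, the rule messages and all addresses are made up.
SAMPLE_ALERTS = """\
11/05-20:41:02.101010  [**] [1:900001:1] VIRUS worm SMTP propagation (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:1034 -> 10.0.0.5:25
11/05-20:41:03.202020  [**] [1:900001:1] VIRUS worm SMTP propagation (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:1035 -> 10.0.0.5:25
11/05-20:41:05.303030  [**] [1:900002:1] VIRUS worm SMB share write (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:1036 -> 192.168.1.20:445
11/05-20:42:07.404040  [**] [1:1000:1] WEB-MISC example web alert (constructed) [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 192.168.1.30:2000 -> 10.0.0.8:80
11/05-20:43:09.505050  [**] [1:900002:1] VIRUS worm SMB share write (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.22:3000 -> 192.168.1.20:445
"""

# One fast-format line: timestamp, [gid:sid:rev], message, classification/priority,
# {proto}, then "src[:port] -> dst[:port]".  Ports are optional (ICMP has none).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def _is_virus_alert(alert, msg_prefix):
    # virus.rules messages conventionally start with "VIRUS"; match on that prefix.
    return alert["msg"].startswith(msg_prefix)


def virus_sources(alerts, msg_prefix="VIRUS"):
    """Alert count per source IP for virus-rule hits, busiest source first.

    Returns a list of (src_ip, count) tuples sorted by count descending, then IP.
    """
    counts = {}
    for a in alerts:
        if _is_virus_alert(a, msg_prefix):
            counts[a["src"]] = counts.get(a["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def targets_for_source(alerts, src, msg_prefix="VIRUS"):
    """Distinct 'dst:port' pairs that a given source hit with virus-rule alerts."""
    targets = set()
    for a in alerts:
        if a["src"] == src and _is_virus_alert(a, msg_prefix):
            port = a["dport"] or "-"
            targets.add(f"{a['dst']}:{port}")
    return sorted(targets)


def sources_since(alerts, since_ts, msg_prefix="VIRUS"):
    """Source IPs with virus-rule alerts at or after a fast-format timestamp.

    Useful as a post-cleanup check: pass the time the cleanup finished and see
    which hosts are still generating alerts.  Fast-format timestamps
    ("MM/DD-HH:MM:SS.usec") are zero-padded, so plain string comparison orders
    them correctly within one calendar year.
    """
    return sorted({a["src"] for a in alerts
                   if _is_virus_alert(a, msg_prefix) and a["ts"] >= since_ts})


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    for src, n in virus_sources(parsed):
        print(f"{src}: {n} virus-rule alert(s), targets {targets_for_source(parsed, src)}")
    print("still alerting after 20:43:", sources_since(parsed, "11/05-20:43:00"))
```

Feed the script your real alert file instead of SAMPLE_ALERTS (for example `parse_fast_alerts(open("/var/log/snort/alert").read())`) and the first list gives the likely infection sources to go look at; run `sources_since` with the time you finished cleaning to see whether anything on the network is still tripping the virus rules.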

