Snort mailing list archives

Re: Virus rule fp


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 18 Jan 2005 18:06:41 -0500

At 02:01 PM 1/18/2005, Geffrey Velásquez [Minag] wrote:
Hi friends, I have many fps with the rule SID:721 VIRUS OUTBOUND bad file attachment, that's because the .ppt files are detected as Virus. Please, how could this rule be modified?



alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; \
flow:to_server,established; content:"Content-Disposition|3A|"; nocase; \
pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; \
classtype:suspicious-filename-detect; sid:721; rev:8;)

The rule isn't intended to detect viruses... it's intended to detect attachments which *COULD* contain viruses.

Quite frankly, the rule is largely useless, and for the most part virus rules in snort aren't very useful. Their purpose is at best to add a single rule for the current "virus storm" and use flexresp. And all this does is lighten the load on your mailservers. Any other use isn't very useful since snort isn't going to be able to detect mail viruses reliably. There are too many possible encodings to try to do real-time packet scanning looking for viruses.

If you want an open-source mail scanning solution, use clamav and something like amavis or mailscanner on your inbound and outbound mailservers. You'll be infinitely more accurate than anything snort-based can hope to be.
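
To see exactly why a .ppt attachment trips sid:721, here is the rule's own PCRE run in Python over a few constructed Content-Disposition headers; this is an added example, not code from the thread or from Snort, and the "tuned" copy of the pattern, the emulation of the content/pcre-R pairing and the sample headers are my own assumptions.

```python
import re

# Regex body of Snort sid:721 rev:8 as quoted in the thread. Snort's /iR
# modifiers: i = case-insensitive, R = search relative to the end of the
# preceding content match ("Content-Disposition:").
SID721_PCRE = (
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|"
    r"jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|"
    r"v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)"
    r"[\x27\x22\n\r\s]"
)

# Assumed local tuning (not from the thread): same pattern with the
# "pp[st]" alternatives dropped, so .ppt/.pps no longer fire.
TUNED_PCRE = SID721_PCRE.replace("p(p[st]|if|[lm]|ot)", "p(if|[lm]|ot)")

CONTENT_MATCH = "content-disposition:"


def sid721_fires(header: str, pattern: str = SID721_PCRE) -> bool:
    """Emulate the rule's content + pcre/R pair on one MIME header line.

    Snort first needs the literal "Content-Disposition:" (nocase), then
    runs the PCRE only on what follows that match (the R modifier).
    """
    idx = header.lower().find(CONTENT_MATCH)
    if idx < 0:
        return False
    rest = header[idx + len(CONTENT_MATCH):]
    return re.search(pattern, rest, re.IGNORECASE) is not None


# Constructed sample headers, CRLF-terminated as on the wire.
SAMPLES = {
    "deck":  'Content-Disposition: attachment; filename="quarterly.PPT"\r\n',
    "exe":   "Content-Disposition: attachment; filename=setup.exe\r\n",
    "pptx":  'Content-Disposition: attachment; filename="slides.pptx"\r\n',
    "txt":   'Content-Disposition: attachment; filename="readme.txt"\r\n',
    "ctype": 'Content-Type: text/plain; name="notes.ppt"\r\n',
}


def classify(samples=SAMPLES) -> dict:
    """Return {name: (fires under sid:721, fires under the tuned copy)}."""
    return {k: (sid721_fires(v), sid721_fires(v, TUNED_PCRE))
            for k, v in samples.items()}
```

Note that .pptx never matches either pattern: the trailing `[\x27\x22\n\r\s]` class requires the extension to end at a quote or whitespace, so only the exact extension list fires, which is also why the rule says nothing about whether the file actually carries a virus.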
