[Snort-sigs] virus.rules

Brian bmc at ...95...
Sun Sep 23 01:00:02 EDT 2001


According to Stian Elde:
> These days, I would love to have an updated virus.rules-file for snort :)

Why?  Almost ALL of the virus rules are based on filenames sent via
email.  It's about as cool as port-based signatures.  Frankly, you 
shouldn't really give a crud.  If your security architecture is built 
correctly, then you should not need to enable these signatures anyway.

Mail servers have filtering rules.  Use them.  Virus scanning software
has virus signatures that detect more than just a filename.  Use them too.  

If someone wanted to write signatures for actual content of various
virus payloads I would be glad to include them.  I'm sure lots of
other people would be happy to see them as well.

Until then, I hear Sophos is pretty nice.

-brian
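
The contrast drawn in the message above, between rules keyed on attachment filenames and signatures on actual payload content, shown as an added example that is not part of the original post or of any Snort ruleset. The filename `update.vbs`, the marker bytes and all helper names are constructed assumptions; the sample messages are built inline.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Constructed values for illustration only; not taken from virus.rules.
BLOCKED_NAMES = {"update.vbs"}                 # hypothetical filename-based rule
PAYLOAD_SIG = b"CONSTRUCTED-PAYLOAD-MARKER"    # hypothetical content signature

def build_mail(filename: str, payload: bytes) -> bytes:
    """Build a constructed MIME message with one base64-encoded attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def attachments(raw: bytes):
    """Yield (filename, decoded bytes) for every attachment in a raw message."""
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name:
            yield name, part.get_payload(decode=True) or b""

def filename_rule(raw: bytes) -> bool:
    """Fire when an attachment name is on the blocklist (what the old rules do)."""
    return any(name.lower() in BLOCKED_NAMES for name, _ in attachments(raw))

def content_rule(raw: bytes) -> bool:
    """Fire when the decoded attachment body contains the payload signature."""
    return any(PAYLOAD_SIG in data for _, data in attachments(raw))

def raw_bytes_match(raw: bytes) -> bool:
    """Search the message bytes without MIME decoding the attachment."""
    return PAYLOAD_SIG in raw

# Constructed sample 1: blocklisted name, harmless body (false positive case).
SAMPLE_NAME_ONLY = build_mail("update.vbs", b"harmless meeting notes")
# Constructed sample 2: different name, body carries the marker (missed case).
SAMPLE_CONTENT_ONLY = build_mail("notes.txt", b"..." + PAYLOAD_SIG + b"...")

if __name__ == "__main__":
    for label, raw in (("name only", SAMPLE_NAME_ONLY),
                       ("content only", SAMPLE_CONTENT_ONLY)):
        print(label, "filename_rule:", filename_rule(raw),
              "content_rule:", content_rule(raw),
              "raw_bytes_match:", raw_bytes_match(raw))
```

The filename rule fires on the harmless message and stays silent on the one carrying the marker, while the content check on the decoded attachment gets both right. The undecoded search misses the marker because the attachment is base64-encoded in transit, which is why the decoding mail filter or virus scanner is the better place for this check.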



