bmc at ...95...
Sun Sep 23 01:00:02 EDT 2001
According to Stian Elde:
> These days, I would love to have an updated virus.rules-file for snort :)
Why? Almost ALL of the virus rules are based on filenames sent via
email. It's about as cool as port based signatures. Frankly, you
shouldn't really give a crud. If your security architecture is built
correctly, then you should not need to enable these signatures anyway.
Mail servers have filtering rules. Use them. Virus scanning software
has virus signatures that detect more than just a filename. Use them too.

If someone wanted to write signatures for actual content of various
virus payloads I would be glad to include them. I'm sure lots of
other people would be happy to see them as well.

Until then, I hear Sophos is pretty nice.