[Snort-sigs] virus.rules

Joe McAlerney joey at ...80...
Mon Sep 24 14:18:01 EDT 2001

Brian wrote:
> According to Stian Elde:
> > These days, I would love to have a updated virus.rules-file for snort :)
> Why?  Almost ALL of the virus rules are based on filenames sent via
> email.  Its about as cool as port based signatures.  Frankly, you
> shouldn't really give a crud.  If your security architecture is built
> correctly, then you should not need to enable these signatures anyway.

I find them very useful, and not prone to many false positives.  This is
almost always the case with the rules containing "filename=" content
strings, as well as the file name, or virus content.  While browsing
through the daily alerts, it's nice to be able to watch for incoming
viri that makes it through and let the infected party know what they are
sending and how to remove it.  Often is the case that those receiving a
virus will just delete it (as they should), and not contact the person
who sent it.

I have heard about the successes of using flexible response for stopping
Code Red.  It may be worthwhile to try the same with the rest of the
virus rules.  Of course, this is not a substitute for antivirus software
for the obvious reasons, but it would certainly add another level of

2 cents,

-Joe M.

|   Joe McAlerney     joey at ...79...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

More information about the Snort-sigs mailing list