[Snort-sigs] virus.rules

Chris Green cmg at ...26...
Mon Sep 24 19:05:02 EDT 2001


Joe McAlerney <joey at ...80...> writes:

> I have heard about the successes of using flexible response for stopping
> Code Red.  It may be worthwhile to try the same with the rest of the
> virus rules.  Of course, this is not a substitute for antivirus software
> for the obvious reasons, but it would certainly add another level of
> protection.

All but 3 of the virus rules seem to be triggered on POP3 sessions,
where you're just going to annoy some remote user trying to pop their
mail if you flexresp it.

Same goes for the ones that are a mail server; they'll just try, try
again thinking this machine is on a downtrodden portion of the
internet.
--
Chris Green <cmg at ...26...>
This is my signature. There are many like it but this one is mine.
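
The following is an added example, not part of the original post: a small audit that lists Snort rules combining a mail port (POP3 110, SMTP 25) with a flexresp `resp:` option, the combination the reply says only interrupts mail sessions. The sample rules are constructed, not taken from virus.rules, and `classify` and `audit` are hypothetical helper names; only exact port numbers in the rule header are matched (no variables or ranges).

```python
import re

# Mail ports where an injected reset only interrupts a client or triggers a retry.
MAIL_PORTS = {"110": "POP3", "25": "SMTP"}

# Snort rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

def classify(rule):
    """Return (msg, mail_service_or_None, has_resp) for one rule line, or None."""
    m = HEADER.match(rule)
    if not m:
        return None
    opts = m.group("opts")
    msg = re.search(r'msg\s*:\s*"([^"]*)"', opts)
    service = MAIL_PORTS.get(m.group("sport")) or MAIL_PORTS.get(m.group("dport"))
    has_resp = re.search(r"(?:^|;)\s*resp\s*:", opts) is not None
    return (msg.group(1) if msg else "", service, has_resp)

def audit(rules_text):
    """List (msg, service) for rules that combine a mail port with resp:."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and commented-out rules
        info = classify(line)
        if info and info[1] and info[2]:
            findings.append((info[0], info[1]))
    return findings

# Constructed sample rules (not taken from virus.rules).
SAMPLE = '''
# constructed examples
alert tcp any 110 -> any any (msg:"Constructed POP3 attachment rule"; content:"sample.vbs"; resp:rst_all;)
alert tcp any any -> any 25 (msg:"Constructed SMTP attachment rule"; content:"sample.exe"; resp:rst_snd;)
alert tcp any any -> any 80 (msg:"Constructed HTTP worm rule"; content:"sample.ida"; resp:rst_all;)
alert tcp any 110 -> any any (msg:"Constructed POP3 alert-only rule"; content:"sample.scr";)
'''

if __name__ == "__main__":
    for msg, service in audit(SAMPLE):
        print(f"{service}: resp on '{msg}' resets the mail session; expect retries")
```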