[Snort-sigs] virus.rules

Jim Forster jforster at ...11...
Mon Sep 24 19:24:02 EDT 2001


Agreed, but I have saved many a headache by being able to add a sig
"on-the-fly" (not flexresp) to detect the garbage coming in, and warn the
end users of what 'not to open'.  It seems no matter how many times "do
not open attachments" is repeated, someone just has to try "just this
one".  :)  Well, that and some of the vendors are a bit slow to
update..  I run the rules on my client boxes...  Banks don't find it
amusing to learn their systems are mailing out internal docs.
(The A/V software they had was more than lacking in updates)
P.S. - Flex does some really cool stuff to the AVX proxy.  heh

Jim Forster
Network Administrator
RapidNet, A Golden West Company


On Mon, 24 Sep 2001, Chris Green wrote:

> Joe McAlerney <joey at ...80...> writes:
> 
> > I have heard about the successes of using flexible response for stopping
> > Code Red.  It may be worthwhile to try the same with the rest of the
> > virus rules.  Of course, this is not a substitute for antivirus software
> > for the obvious reasons, but it would certainly add another level of
> > protection.
> 
> All but 3 of the virus rules seem to be triggered on pop-3 sessions
> which you're just going to annoy some remote user trying to pop their
> mail if you flexresp it.
> 
> Same goes for the ones that are a mail server, they'll just try, try
> again thinking this machine is on a downtrodden portion of the
> internet.
> --
> Chris Green <cmg at ...26...>
> This is my signature. There are many like it but this one is mine.
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 




