[Snort-sigs] Worm signature question

Jason Haar Jason.Haar at ...651...
Sat Apr 3 01:46:04 EST 2004

> worms that spread through email do not. This would make sense since it
> is the anti-virus (on the mail server) responsibility to detect the
> email worms and a worm who is trying to propagate into your network from
> the Internet is no different than a hacker trying to break in (becoming
> Snort's responsibility to alert you). Am I correct in this assumption?

I don't think Snort (or any other IDS) is given enough credit in the fight
against viruses. We use Snort extensively here to discover virus-infected
hosts internally. Not only can it discover hosts attempting to exploit
network vulnerabilities (such as the DCOM exploit), but looking for the
NetSky DNS server addresses triggers just as well.

It must be remembered that antivirus vendors may be pretty good at making
SMTP AV gateways that stop viruses - but they are almost all cr*p at
LOGGING WHERE THE DAMN THING CAME FROM!!!!! (I speak from personal
experience if you haven't noticed ;-)

All we need is a src IP address.... the sort of thing an IDS is only too
happy to give you...

Obviously the best solution is having both. We use (ahem) Qmail-Scanner
for AV (as it DOES log the offending IP address) and Snort to look for
viruses that do other forms of network scans.
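The approach Jason describes above (alert on any internal host talking to a worm's hard-coded DNS servers, then use the alert's source IP to find the infected machine) as an added example, not code from the original post or from the Snort project. It builds one Snort rule per address and then pulls the offending internal source IPs out of Snort "fast"-format alert lines. The server addresses are constructed placeholders from the RFC 5737 documentation ranges, not the real NetSky addresses (the post does not list them); the alert lines are constructed, and the SID range and rule wording are assumptions.

```python
"""Added example (not from the original post): generate Snort rules for a
list of worm-controlled DNS server addresses, then extract the internal
source IPs from the resulting Snort fast-format alerts.

Assumptions: the addresses below are constructed placeholders (RFC 5737
TEST-NET ranges), the sample alert lines are constructed in Snort's
"fast" alert output format, and SIDs are taken from the local range.
"""
import re
from collections import defaultdict

# Constructed placeholder addresses standing in for a worm's hard-coded
# DNS servers; replace with the real list from your own AV/IR sources.
WORM_DNS_SERVERS = ["198.51.100.5", "203.0.113.53"]
BASE_SID = 1000000  # local-rule SID range (assumption)


def build_rules(servers, base_sid=BASE_SID):
    """Return one Snort rule per server: any $HOME_NET host sending DNS
    (UDP/53) to that address is treated as an infection indicator."""
    rules = []
    for i, addr in enumerate(servers):
        rules.append(
            'alert udp $HOME_NET any -> %s 53 '
            '(msg:"LOCAL worm hard-coded DNS server %s"; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (addr, addr, base_sid + i)
        )
    return rules


# Snort fast alert shape (assumed):
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n]
#   {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does
    not look like an alert (e.g. blank lines, other log output)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    return d


def infected_hosts(alert_lines, base_sid=BASE_SID, count=len(WORM_DNS_SERVERS)):
    """Map each internal source IP to the sorted list of worm DNS servers it
    contacted, considering only alerts raised by our rule SIDs."""
    hits = defaultdict(set)
    for line in alert_lines:
        a = parse_alert(line)
        if a is None or not (base_sid <= a["sid"] < base_sid + count):
            continue
        hits[a["src"]].add(a["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample alerts: two hits from 10.0.0.15, one unrelated alert,
# one hit from 10.0.0.31.
SAMPLE_ALERTS = [
    "04/03-01:46:04.123456  [**] [1:1000000:1] LOCAL worm hard-coded DNS server 198.51.100.5 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.15:1034 -> 198.51.100.5:53",
    "04/03-01:46:05.000001  [**] [1:1000001:1] LOCAL worm hard-coded DNS server 203.0.113.53 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.15:1035 -> 203.0.113.53:53",
    "04/03-01:47:10.500000  [**] [1:2000001:3] Unrelated local rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.22:4444 -> 192.0.2.9:80",
    "04/03-01:48:00.000000  [**] [1:1000000:1] LOCAL worm hard-coded DNS server 198.51.100.5 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.31:1200 -> 198.51.100.5:53",
]


if __name__ == "__main__":
    for rule in build_rules(WORM_DNS_SERVERS):
        print(rule)
    for src, dsts in sorted(infected_hosts(SAMPLE_ALERTS).items()):
        print("%s contacted worm DNS servers: %s" % (src, ", ".join(dsts)))
```

The rules watch outbound DNS to the listed addresses only, so a host that resolves names through its normal corporate resolver never fires; the extracted source IP is exactly the piece of information the post says SMTP AV gateways fail to log.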

