[Snort-sigs] Worm Signatures
Jason.Haar at ...651...
Tue Apr 6 16:39:11 EDT 2004
On Wed, 2004-04-07 at 08:30, Matt Kettler wrote:
> With free tools like clamav available it's cheap and easy to get virus
> scanning right and do it at the MTA layer. Once the message is spooled onto
> a mailserver an AV scanner can take its time and unpack zipfiles, compare
> against thousands of signatures, look across wide spans of the data, etc.
> This kind of analysis is not realistically possible within snort. Snort is
> a real-time analysis system, snort can't stop and spend hundreds of
> milliseconds decompressing data to do analysis, as it will miss other
> packets going by while it does so. An MTA is a queued system, and small
> delays don't cause loss of protection, just slower delivery, and a few
> hundred milliseconds won't be significant compared to the overall time a
> typical end-to-end mail transfer takes.
Great description there Matt, but there's one key feature that Snort has
over most SMTP AV systems: it reports the client IP address...
Very few commercial AVs report the IP address the virus came from, so
you are left with quite a manual job to hunt it down (Qmail-Scanner is
an exception! ;-). Snort obviously hands that out, so when it sees a
virus on the network, you immediately know where it came from.
End of the day, it's always the same: defense in depth.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
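The practical value Jason describes is that a Snort alert carries the client IP of the host that sent the worm, so the infected machine can be located without trawling MTA logs. The following is an added example, not code from the original thread: it parses Snort's one-line "alert_fast" output and tallies the sending hosts behind SMTP (port 25) alerts. The alert lines, rule SIDs and addresses are constructed for the demonstration; the rule messages are hypothetical local rules, not Snort's official rule set.

```python
import re
from collections import Counter

# Constructed sample of Snort alert_fast lines (not from the original thread).
# Format: "<timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport"
SAMPLE_ALERTS = """\
04/06-16:39:11.123456  [**] [1:9000001:1] LOCAL SMTP worm attachment .pif [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.34:3421 -> 192.168.1.25:25
04/06-16:39:12.000001  [**] [1:9000001:1] LOCAL SMTP worm attachment .pif [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.34:3422 -> 192.168.1.25:25
04/06-16:40:01.555555  [**] [1:9000002:1] LOCAL SMTP worm attachment .scr [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.7.8:1045 -> 192.168.1.25:25
04/06-16:40:05.000000  [**] [1:9000003:1] LOCAL WEB unrelated alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.34:4000 -> 192.168.1.80:80
"""

# One regex for the alert_fast line layout shown above.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)


def parse_alerts(text):
    """Parse alert_fast text into a list of dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def smtp_sources(alerts, dport=25):
    """Count alerts per source IP for traffic destined to the SMTP port.

    The source address is the client that handed the worm to the mail server,
    which is exactly the piece of information the post says most AV gateways omit.
    """
    return Counter(a["src"] for a in alerts if a["dport"] == dport)


def first_seen(alerts, dport=25):
    """Map each SMTP-alerting source IP to the timestamp and rule message of its first alert."""
    seen = {}
    for a in alerts:
        if a["dport"] == dport and a["src"] not in seen:
            seen[a["src"]] = (a["ts"], a["msg"])
    return seen


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for ip, count in smtp_sources(parsed).most_common():
        ts, msg = first_seen(parsed)[ip]
        print(f"{ip:15} {count:3} alert(s)  first seen {ts}  ({msg})")
```

Run against a real alert file (for example the contents of Snort's `alert` file when `alert_fast` output is enabled), the per-host tally points the responder straight at the machines to clean, and the unrelated port-80 alert in the sample shows why filtering on the destination port matters before counting.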