[Snort-sigs] Worm Signatures

Jason Haar Jason.Haar at ...651...
Tue Apr 6 16:39:11 EDT 2004

On Wed, 2004-04-07 at 08:30, Matt Kettler wrote:
>   With free tools like clamav available it's cheap and easy to get virus 
> scanning right and do it at the MTA layer. Once the message is spooled onto 
> a mailserver an AV scanner can take it's time and unpack zipfiles, compare 
> against thousands of signatures, look across wide spans of the data, etc. 
> This kind of analysis is not realistically possible within snort. Snort is 
> a real-time analysis system, snort can't stop and spend hundreds of 
> milliseconds decompressing data to do analysis, as it will miss other 
> packets going by while it does so. A MTA is a queued system, and small 
> delays don't cause loss of protection, just slower delivery, and a few 
> hundred milliseconds won't be significant compared to the overall time a 
> typical end-to-end mail transfer takes.

Great description there Matt, but there's one key feature that Snort has
over most SMTP AV systems: it reports the client IP address...

Very few commercial AVs report the IP address the virus came from, so
you are left with quite a manual job to hunt it down (Qmail-Scanner is
an exception! ;-). Snort obviously hands that out, so when it sees a
virus on the network, you immediately know where it came from.

End of the day, it's always the same: defense in depth


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list