[Snort-sigs] Worm Signatures

Matt Kettler mkettler at ...189...
Wed Apr 7 10:03:03 EDT 2004

At 07:38 PM 4/6/2004, Jason Haar wrote:

>Great description there Matt, but there's one key feature that Snort has
>over most SMTP AV systems: it reports the client IP address...

Most SMTP AV systems have this information, as you can always look at the 
Received: header your mailserver inserted in the infected message. Sure, 
it's nice to have it in a report, but looking at message headers is hardly 

>Very few commercial AVs report the IP address the virus came from, so
>you are left with quite a manual job to hunt it down (Qmail-Scanner is
>an exception! ;-).

Many "big company" commercial SMTP integrations quite frankly suck, but the 
same can be said of many "big company" commercial IDS products too.

MailScanner is another notable exception, but there are lots of other good 
AV integrations that actually work and provide useful reporting, even some 
commercial ones work well.

>Snort obviously hands that out, so when it sees a
>virus on the network, you immediately know where it came from.


>End of the day, it's always the same: defense in depth

True as well.
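As an added illustration of the header check Matt describes (example code, not from this thread or from any of the products named): pull the connecting client's IP out of the Received: line that your own MTA stamped, and ignore any Received: lines the sender put inside the message, since a worm can forge those. The hostnames, addresses and the message itself are constructed.

```python
import re
from email import message_from_string

# Constructed sample: a worm-infected message as it sits in a local mailbox.
# The two top Received: lines were stamped by our own MTAs; the bottom one
# was already inside the message when it arrived (the sender controls it).
SAMPLE = """Received: from mx.example.org (mx.example.org [192.0.2.10])
    by internal.example.org (Postfix) with ESMTP id 4F3A2
    for <user@example.org>; Tue, 6 Apr 2004 19:40:12 +1200
Received: from dsl-pc (unknown [203.0.113.45])
    by mx.example.org (Postfix) with SMTP id 3B1C9
    for <user@example.org>; Tue, 6 Apr 2004 19:40:10 +1200
Received: from fake.internal ([10.0.0.7]) by dsl-pc with SMTP;
    Tue, 6 Apr 2004 19:39:00 +1200
From: someone@example.net
Subject: Hi

(body omitted)
"""

# Hypothetical set of MTAs we operate; only their Received: lines are trusted.
OUR_MTAS = {"internal.example.org", "mx.example.org"}

# Matches "from <helo-name> ... [<ip>] ... by <host>" in one Received: value.
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")


def received_hops(raw_message):
    """Parse every Received: header, newest first, into from/ip/by dicts."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops


def client_ip(raw_message, our_mtas):
    """IP that handed the message to our border MTA, or None if not found.
    Walk newest-first: hops stamped by our own MTAs are trusted, the first
    one whose sender is not ours is the client, anything else stops the walk."""
    for hop in received_hops(raw_message):
        if hop["by"] not in our_mtas:
            break
        if hop["from"] not in our_mtas:
            return hop["ip"]
    return None
```

Run against a real mailbox, the set of trusted MTA names must match exactly what your own servers write after "by", or the walk stops at the first hop and returns nothing.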

