[Snort-sigs] Worm Signatures
mkettler at ...189...
Wed Apr 7 10:03:03 EDT 2004
At 07:38 PM 4/6/2004, Jason Haar wrote:
>Great description there Matt, but there's one key feature that Snort has
>over most SMTP AV systems: it reports the client IP address...
Most SMTP AV systems have this information, as you can always look at the
Received: header your mailserver inserted in the infected message. Sure,
it's nice to have it in a report, but looking at message headers is hardly
>Very few commercial AVs report the IP address the virus came from, so
>you are left with quite a manual job to hunt it down (Qmail-Scanner is
>an exception! ;-).
Many "big company" commercial SMTP integrations quite frankly suck, but the
same can be said of many "big company" commercial IDS products too.
MailScanner is another notable exception, but there are lots of other good
AV integrations that actually work and provide useful reporting; even some
commercial ones work well.
>Snort obviously hands that out, so when it sees a
>virus on the network, you immediately know where it came from.
>End of the day, it's always the same: defense in depth
True as well.
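The point above about recovering the client IP from the Received: header your own mail server inserted, as an added example that is not part of the original post or of any product mentioned in it. It walks the Received: chain newest-first and stops at the first hop recorded by a relay we did not operate: that is the host that handed the infected message to us. The trusted networks (192.0.2.0/24 and loopback) and the sample message are constructed for this example, not taken from the thread.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumption for this example: the networks of our own relays. Only the
# Received: headers written by these hosts are believed; anything below
# the first external hop may have been forged by the sender.
TRUSTED_NETS = [ip_network("192.0.2.0/24"), ip_network("127.0.0.0/8")]

# The bracketed IPv4 literal an MTA records for the connecting peer, e.g.
# "from foo (unknown [198.51.100.77])" or "from foo ([198.51.100.77])".
_IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample (not a real capture). Topmost header = newest hop.
# Hop 1 was written by our internal relay, hop 2 by our edge relay when the
# infected client connected, hop 3 is whatever the client claimed.
SAMPLE_MESSAGE = """\
Received: from int-relay.example.com (int-relay.example.com [192.0.2.20])
    by mailstore.example.com (Postfix) with ESMTP id 3F2A1
    for <user@example.com>; Tue,  6 Apr 2004 19:30:01 +1200
Received: from bsjiwbd (unknown [198.51.100.77])
    by int-relay.example.com (Postfix) with SMTP id 9A8B7
    for <user@example.com>; Tue,  6 Apr 2004 19:29:55 +1200
Received: from mail.example.org (mail.example.org [203.0.113.5])
    by bsjiwbd with SMTP; Tue,  6 Apr 2004 19:29:50 +1200
From: someone@example.org
To: user@example.com
Subject: test

body
"""

# Constructed sample of purely internal mail: no external hop at all.
INTERNAL_MESSAGE = """\
Received: from desk42.example.com (desk42.example.com [192.0.2.5])
    by mailstore.example.com (Postfix) with ESMTP id 7C0D1;
    Tue,  6 Apr 2004 19:31:00 +1200
From: colleague@example.com
To: user@example.com
Subject: internal

body
"""


def peer_ip(received_value: str):
    """Return the peer IP an MTA recorded in one Received: header, or None
    (local submissions and hops without an IP literal give None)."""
    value = " ".join(received_value.split())           # unfold the header
    from_clause = re.split(r"\s+by\s+", value, maxsplit=1)[0]
    m = _IP_LITERAL.search(from_clause)
    if not m:
        return None
    try:
        return ip_address(m.group(1))
    except ValueError:                                  # e.g. 999.1.1.1
        return None


def originating_client(raw_message: str, trusted_nets=None):
    """Walk Received: headers newest-first and return (as a string) the first
    peer IP outside our own relays, i.e. the host that sent us the message.
    Returns None if the mail never left our relays or no hop is usable."""
    nets = TRUSTED_NETS if trusted_nets is None else trusted_nets
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        ip = peer_ip(received)
        if ip is None:
            continue            # local hand-off or unparseable hop; keep walking
        if not any(ip in net for net in nets):
            return str(ip)      # first hop we did not write ourselves: stop here
    return None


if __name__ == "__main__":
    print(originating_client(SAMPLE_MESSAGE))    # the infected client
    print(originating_client(INTERNAL_MESSAGE))  # None: internal only
```

The walk deliberately stops at the first external hop and never reads further down: the header claiming 203.0.113.5 was supplied by the client itself and proves nothing, which is the caveat to keep in mind when a report shows you a "source" IP taken from anywhere other than your own server's header.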