[Snort-sigs] Virus/Worms signatures ruleset

Jason Haar Jason.Haar at ...651...
Thu Jun 17 21:52:03 EDT 2004


On Thu, Jun 17, 2004 at 09:23:45PM -0500, Matthew Jonkman wrote:
> You could try to write a sig for every new worm, but that'd keep you 
> pretty busy (as you can tell since the virus sigs are not really kept 
> up). Besides, it sounds like your ISP doesn't want a full-blown IDS 

I don't think you have to write many at all! Trojans have to exploit
weaknesses in the (typically) Windows systems they are breaking into - and
standard Snort has rules for them...

We find it very good at picking up the latest burst of LSASS and RPC-based
trojans...


[Although the ISP industry could do us all a favour and just block outgoing
NetBIOS traffic... I mean - who is MAD ENOUGH to need to run NetBIOS over
the Internet?!?!?]

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1