[Snort-sigs] Re: Virus/Worms signatures ruleset

Mark markmormartin at ...1934...
Fri Jun 18 02:03:12 EDT 2004


I wonder would it be possible to change the text in virus.rules, from
just saying that the rules are not maintained. I think it's a bit
misleading. As we all know, even if they were maintained it would be
impossible to keep adding new signatures for each new virus as they are
released, especially given the rate at which email viruses are being created.

Currently in virus.rules there is one rule which detects suspect file
attachments. Personally I think this is a pretty good rule; for example,
if some host is sending out .pif files there is a 99% chance it is infected
with a virus.

As a side point, some people will say that virus detection belongs to
anti-virus scanners and not IDSs. I don't think this is correct, because
if someone brings an infected laptop into your network which is infected with
a worm it is important to detect it. Most anti-virus scanners will not
report the IP address of the host that sent the email (I could be wrong
on this).

Snort has a fine collection of signatures for worms in the netbios.rules
section. Most of the sigs are named after the vulnerability and not the
exploit, hence you won't see any rule explicitly called Blaster.

Mark
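The suspect-attachment check the post describes, written out as an added example that is not from the post or from Snort's virus.rules: it scans MIME header lines seen in outbound SMTP sessions for attachment names with risky extensions and reports the sending host's IP, which is the piece the post says anti-virus scanners usually leave out. The extension list and the sample events are constructed for the example.

```python
import re
from collections import defaultdict

# Extensions treated as suspect attachments. This list is an assumption for the
# example, not the contents of Snort's virus.rules.
SUSPECT_EXTENSIONS = {".pif", ".scr", ".bat", ".com", ".vbs", ".exe"}

# Matches the filename parameter of a Content-Disposition or Content-Type header,
# e.g. filename="invoice.pif" or name=readme.scr (quotes optional).
FILENAME_RE = re.compile(r'(?:file)?name="?([^";\r\n]+)"?', re.IGNORECASE)


def attachment_extension(header_line: str):
    """Return the lower-cased extension of the attachment named in a MIME
    header line, or None if the line carries no filename parameter."""
    m = FILENAME_RE.search(header_line)
    if not m:
        return None
    name = m.group(1).strip()
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else None


def find_suspect_senders(events):
    """events: iterable of (src_ip, header_line) pairs captured from outbound
    SMTP sessions. Returns {src_ip: sorted suspect filenames}, so the alert
    names the internal host that sent the mail rather than just the message."""
    hits = defaultdict(list)
    for src_ip, line in events:
        if attachment_extension(line) in SUSPECT_EXTENSIONS:
            hits[src_ip].append(FILENAME_RE.search(line).group(1).strip())
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample traffic: (source host, MIME header line seen on port 25).
SAMPLE_EVENTS = [
    ("10.0.0.12", 'Content-Disposition: attachment; filename="report.pdf"'),
    ("10.0.0.45", 'Content-Disposition: attachment; filename="your_document.pif"'),
    ("10.0.0.45", 'Content-Type: application/octet-stream; name="readme.SCR"'),
    ("10.0.0.77", 'Content-Disposition: attachment; filename=photo.jpg'),
]

if __name__ == "__main__":
    for ip, names in find_suspect_senders(SAMPLE_EVENTS).items():
        print(f"{ip} sent suspect attachment(s): {', '.join(names)}")
```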
