[Snort-users] Who doesn't care about virus rules, and why?

kenw at ...10492... kenw at ...10492...
Wed Nov 5 19:48:03 EST 2003


The header of virus.rules says:

># NOTE: These rules are NOT being actively maintained.
<snip>
># These rules are going away.  We don't care about virus rules anymore.

Who are "we", and what makes them think these rules aren't important?

Granted, virus detection probably doesn't fit well into the usual IDS
paradigm.   But snort-based virus detection fits very well into some
requirements I have, occasionally -- like, now.

I support many small business sites.  Sometimes I get called in because a
site has been poorly protected and needs cleaning up.  It's one thing to
look after a clean site with well-maintained AV protection; it's quite
another to inherit a mess, and have to straighten it out.

Most of the popular viruses these days are heavy on the network traffic.
One thing that can really help is a network-based detector that can quickly
identify sources of infection.  Another is a way to tell whether I really
have things cleaned up when I think I do.

For example, I have a site that seems to be reporting the occasional
infected temporary print spool file.  My AV software reports them, but
gives no clue where they might have come from.  Snort should be able to
make short work of finding the source.

So, at the moment, I'm collecting all the virus.rules I can find.  And I
fully plan to post the result here.  I have neither the time nor the
inclination to do anything more formal, but I can contribute that much.

If anybody has collections they want to share, I'm interested.  

And if anybody wants to dispute my point of view, well, I'm all ears:
enlighten me.

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw at ...10492...
www.kmsi.net




More information about the Snort-users mailing list