[Snort-users] Who doesn't care about virus rules, and why?

Schmehl, Paul L pauls at ...6838...
Thu Nov 6 07:02:08 EST 2003


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> kenw at ...10492...
> Sent: Wednesday, November 05, 2003 9:45 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Who doesn't care about virus rules, and why?
> 
> The header of virus.rules says:
> 
> ># NOTE: These rules are NOT being actively maintained.
> <snip>
> ># These rules are going away.  We don't care about virus rules anymore.
> 
> Who are "we", and what makes them think these rules aren't important?
> 
It's not that they aren't important.  It's that no one seems to want to
maintain them.  Doing so requires a great deal of work, and there *are*
other, better methods of doing virus detection on a network.

However, it might make sense to maintain a smaller collection of the
network-aware worms, such as Bugbear (which is what is most likely
driving your customer's printers crazy), Funlove, Qaz, Lovgate, Sobig,
et al.  The problem is finding someone to do that.  I'd volunteer, but
it's really hard for me to get samples (because of the protections we
have in place), and I really don't have the time to set up a private
network, infect a goat and capture its traffic so the signatures can be
done right.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 



