[Snort-users] Who doesn't care about virus rules, and why?

kenw at ...10492... kenw at ...10492...
Thu Nov 6 07:36:14 EST 2003


On Thu, 6 Nov 2003 09:01:15 -0600, "Schmehl, Paul L" <pauls at ...6838...>
wrote:

>> -----Original Message-----
>> From: snort-users-admin at lists.sourceforge.net 
>> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
>> kenw at ...10492...
>> Sent: Wednesday, November 05, 2003 9:45 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Who doesn't care about virus rules, and why?
>> 
>> The header of virus.rules says:
>> 
>> ># NOTE: These rules are NOT being actively maintained.
>> <snip>
>> ># These rules are going away.  We don't care about virus rules anymore.
>> 
>> Who are "we", and what makes them think these rules aren't important?
>> 
>It's not that they aren't important.  It's that no one seems to want to

The quote was "We don't care about virus rules anymore."   Seems fairly
clear.

>maintain them.  Doing so requires a great deal of work, and there *are*
>other, better methods of doing virus detection on a network.

Care to name one that actually gives the IP address of the source of the
attack?  None that I'm familiar with do.

>However, it might make sense to maintain a smaller collection of the
>network aware worms, such as Bugbear (which is what is most likely
>driving your customer's printers crazy), Funlove, Qaz, Lovgate, Sobig,
>et al.  The problem is finding someone to do that.  I'd volunteer, but
>it's really hard for me to get samples (because of the protections we
>have in place), and I really don't have the time to set up a private
>network, infect a goat and capture its traffic so the signatures can be
>done right.

Neither do I.  But I've already effectively volunteered to collect and
redistribute contributions from others as time permits, and in the format
of my own choosing.  That's a whole lot better than doing nothing because
we can't do it all.

For a lot of computer geeks, we sure seem to have a problem with the
concept of optimization sometimes...

>Paul Schmehl (pauls at ...6838...)
>Adjunct Information Security Officer
>The University of Texas at Dallas
>AVIEN Founding Member
>http://www.utdallas.edu/~pauls/ 

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw at ...10492...
www.kmsi.net
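The argument above turns on one property of Snort's virus rules: an alert names the source IP of the infected host, which is what an operator needs to go and clean it. The script below, an added example that is not part of this thread or of the Snort project, shows how that information is pulled out of Snort's alert_fast output and aggregated per source host. It assumes the Snort 2.x alert_fast line layout; the alert lines, SIDs and rule messages are constructed for the example, and the "VIRUS" message prefix used to select alerts is an assumption to be adjusted to whatever prefix your local rule set uses.

```python
"""Tally the source hosts behind Snort virus-rule alerts.

Parses Snort's alert_fast output (one alert per line) and groups alerts by
source IP so infected hosts on the local network can be identified.
The alert lines below are constructed for this example; the SIDs and
messages are placeholders, not the real virus.rules signatures.
"""
import re
from collections import defaultdict

# Snort 2.x alert_fast line layout (assumed here):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c]
#   [Priority: p] {PROTO} src[:sport] -> dst[:dport]
# Classification and Priority are optional; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts: two propagation attempts from one host, one
# mail-worm alert from another, one unrelated alert and one garbage line.
SAMPLE_ALERTS = [
    "11/06-07:36:14.123456  [**] [1:9000001:1] VIRUS OUTBOUND worm "
    "propagation attempt [**] [Classification: Misc activity] "
    "[Priority: 3] {TCP} 10.1.2.3:1034 -> 192.0.2.25:139",
    "11/06-07:36:15.001122  [**] [1:9000001:1] VIRUS OUTBOUND worm "
    "propagation attempt [**] [Classification: Misc activity] "
    "[Priority: 3] {TCP} 10.1.2.3:1035 -> 192.0.2.26:139",
    "11/06-07:36:16.445566  [**] [1:9000002:2] VIRUS mail worm attachment "
    "[**] [Classification: Misc activity] [Priority: 3] "
    "{TCP} 10.1.2.7:2048 -> 192.0.2.10:25",
    "11/06-07:36:17.778899  [**] [1:9000003:1] OTHER test alert [**] "
    "[Classification: Misc activity] [Priority: 2] "
    "{TCP} 10.1.2.9:3333 -> 192.0.2.80:80",
    "11/06-07:36:18.000001  [**] [1:9000004:1] VIRUS ping sweep [**] "
    "{ICMP} 10.1.2.3 -> 192.0.2.1",
    "garbage line that does not parse",
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def virus_sources(lines, msg_prefix="VIRUS"):
    """Group alerts whose message starts with msg_prefix by source IP.

    Returns {src_ip: {"count": n, "sids": {sid, ...}, "targets": {dst, ...}}}.
    Unparseable lines and alerts with other message prefixes are skipped.
    """
    hosts = defaultdict(lambda: {"count": 0, "sids": set(), "targets": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not alert["msg"].startswith(msg_prefix):
            continue
        entry = hosts[alert["src"]]
        entry["count"] += 1
        entry["sids"].add(int(alert["sid"]))
        entry["targets"].add(alert["dst"])
    return dict(hosts)


def report(lines, msg_prefix="VIRUS"):
    """Render the per-host tally, noisiest source first, as one string."""
    hosts = virus_sources(lines, msg_prefix)
    rows = []
    for src, info in sorted(hosts.items(), key=lambda kv: -kv[1]["count"]):
        rows.append("%-15s alerts=%d sids=%s targets=%d" % (
            src, info["count"], sorted(info["sids"]), len(info["targets"])))
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

Feed it a real alert file with `virus_sources(open("/var/log/snort/alert"))` once the message prefix matches your rules; the per-host target count separates a single mail-worm hit from a host that is scanning the subnet.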