[Snort-users] Sort inline virus prevention

Matt Kettler mkettler at ...4108...
Mon Sep 22 08:30:02 EDT 2003

At 07:24 PM 9/20/2003, mike evans wrote:
>soon after a virus outbreak do signatures get updated
>usually?  Would you recommend snort for what I'm
>trying to do or should I look elsewhere?

The snort "virus" signatures don't have any official maintainer, thus they 
are not updated with any due speed after a virus is released.

Technically speaking, viruses are not really the point of snort. It's an 
intrusion sensor, not a virus scanner.

There are lots of effective virus scanners out there, including free software 
like clamav. Now, admittedly I don't know how to make a virus scanner handle 
http and ftp downloads network-wide, but a simple client-side scanner works 
VERY well for this kind of thing.

For email, it's quite easy to install something like MailScanner, 
amavisd-new, or other similar tools on your mailserver to scan all inbound 
email messages. If you set up your firewall to disallow clients attempting 
to connect to outside SMTP servers, and force them to send via your 
mailserver, you can also ensure scanning of outbound email.
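
Added example (not part of the original message): one way to express the firewall step described above on a Linux gateway using iptables. The LAN range 192.0.2.0/24, the mail server address 192.0.2.25, and the function name are constructed assumptions; the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original post.
# Emits iptables rules that let only the internal mail server open
# outbound SMTP (TCP/25) connections; every other LAN client is logged
# and rejected, so its mail has to go through the scanning mail server.

smtp_egress_rules() {
    lan="$1"          # LAN range in CIDR form (assumed value below)
    mailserver="$2"   # internal mail server address (assumed value below)

    # Refuse anything that is not a plain dotted address / CIDR, so the
    # generated commands cannot carry shell metacharacters.
    case "$lan" in
        ''|*[!0-9./]*) echo "invalid LAN range: $lan" >&2; return 1 ;;
    esac
    case "$mailserver" in
        ''|*[!0-9.]*) echo "invalid mail server: $mailserver" >&2; return 1 ;;
    esac

    # Rule order matters: the mail server's ACCEPT has to come before the
    # LAN-wide LOG/REJECT pair, because the mail server is inside the LAN.
    cat <<EOF
iptables -A FORWARD -p tcp -s $mailserver --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $lan --dport 25 -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
iptables -A FORWARD -p tcp -s $lan --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Print the rules for review (constructed sample addresses).
smtp_egress_rules 192.0.2.0/24 192.0.2.25
```

The LOG rule records which clients tried to reach an outside SMTP server directly, which is worth reviewing alongside the mail server's scanner logs.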

