[Snort-users] Virus rules

Matt Kettler mkettler at ...4108...
Mon Feb 2 08:33:01 EST 2004

At 04:01 AM 2/2/2004, Michael.Mulholland at ...9481... wrote:
>I'm using the IDS Policy Manager to download new rules and push them out to
>a number of sensors, but the virus set has a note claiming these rules are
>not actively updated.
>I'm relatively new to Snort, so I'm not sure how I should keep my signatures
>up-to-date with the large number of virus and other such attacks out there.
>Do I need to write my own signatures? If so, where do I find the details on
>what content to scan for?
>Many thanks to anyone who takes the time to read this, and more so to those
>who reply.

The virus rules are updated. However, there's no official maintainer that 
actively spends his/her time working on the ruleset, so updates are 
irregular and not comprehensive.

To be honest with you, all of the virus rules for snort look for a virus 
coming in over SMTP email. There's very little reason to use snort to do 
virus scanning of emails.

There are free tools out there that do this job significantly better. Snort 
isn't designed to do the work of a virus scanner; it's an IDS. Let clamav 
(open source), sophos, norton, or whatever scanner you want take care of 
your viruses on an "up-to-date" basis. Take clamav, tack on amavis, 
mailscanner or some other mail-integration tool, and you've got free virus 
scanning at the MTA level.

Since there are free tools that do virus scanning very well, snort's 
limited developer resources are better spent on network attack signatures, 
not email worm signatures. Not that virus sigs are useless in snort, 
but there are by far more important things to cover.

However, should you choose to write virus signatures, I'm sure that some 
people would appreciate it if you posted them on snort-sigs.

Just my 2c on the matter.

