[Snort-users] About virus.rules

etienne.causse at ...11813...
Mon May 17 00:42:02 EDT 2004


Hi all,

I'm currently working on a Snort deployment project in my company, and I am
wondering about rules that allow one to see virus signatures.
In my rule set (downloaded from snort.org) I see:
"# NOTE: These rules are NOT being actively maintained.
# These rules are going away.  We don't care about virus rules anymore."

However, I see that there are more rules than the only one listed in this
file on snort.org.

So my question is quite simple: why is there no support for virus rules
any more?
I have added some of the rules I found, which allowed me to find some
signatures of the Sasser worm in my network. And I think it could be very cool
to use Snort for monitoring worm propagation, as it could allow me to see
the infected hosts quickly.

Thanks for your answers.

Etienne.






