[Snort-users] About virus.rules

Matt Kettler mkettler at ...4108...
Mon May 17 07:57:01 EDT 2004

At 03:43 AM 5/17/2004, etienne.causse at ...11813... wrote:
>"# NOTE: These rules are NOT being actively maintained.
># These rules are going away.  We don't care about virus rules anymore."
>Although, I see that there are more rules than the only one listed in this
>file on snort.org.
>So my question is quite simple : why is there no support for virus rules
>any more ?

Simple answer: Because AFAIK nobody has volunteered to be the official 
maintainer of the rules.

There's also the matter that these rules look for viruses in SMTP or POP 
sessions. With the advent of free virus scanners and SMTP server virus 
scanning (ie: clamav), one can do this job MUCH better using other tools.

Since server-side scanners have the opportunity to examine the data in any 
way they choose, and can spend several seconds doing it, they can achieve 
much higher accuracy than snort can. They have the time to look for 
thousands of signatures, and these signatures can be multi-part spanning 
the entire file.

Snort can only spend a very limited time examining the data (less than a 
millisecond), and the occurrence of examining more than 3k at a time is 
almost nonexistent, even with stream4. Since snort's timeframe is short, 
the number of signatures that can be loaded without missing packets is 
going to be a few hundred at most, certainly much less than a AV tool can 
search for. Snort also lacks the time to do data decoding (ie: decoding 
base64, binhex, unzipping, etc) and is limited to examining the data as it 
will appear in-flight on the wire.

Now the snort virus rules aren't outright useless, using them with flexresp 
is a great way to reduce load on your SMTP server. However their window of 
usefulness is significantly diminished by other tools, hence the lowered 
urgency of maintenance. 

More information about the Snort-users mailing list