[Snort-users] About virus.rules
mkettler at ...4108...
Mon May 17 07:57:01 EDT 2004
At 03:43 AM 5/17/2004, etienne.causse at ...11813... wrote:
>"# NOTE: These rules are NOT being actively maintained.
># These rules are going away. We don't care about virus rules anymore."
>Although, I see that there are more rules than the only one listed in this
>file on snort.org.
>So my question is quite simple: why is there no support for virus rules
>any more?
Simple answer: Because AFAIK nobody has volunteered to be the official
maintainer of the rules.
There's also the matter that these rules look for viruses in SMTP or POP
sessions. With the advent of free virus scanners and SMTP server virus
scanning (ie: clamav), one can do this job MUCH better using other tools.
Since server-side scanners have the opportunity to examine the data in any
way they choose, and can spend several seconds doing it, they can achieve
much higher accuracy than snort can. They have the time to look for
thousands of signatures, and these signatures can be multi-part spanning
the entire file.
Snort can only spend a very limited time examining the data (less than a
millisecond), and the occurrence of examining more than 3k at a time is
almost nonexistent, even with stream4. Since snort's timeframe is short,
the number of signatures that can be loaded without missing packets is
going to be a few hundred at most, certainly much less than an AV tool can
search for. Snort also lacks the time to do data decoding (ie: decoding
base64, binhex, unzipping, etc) and is limited to examining the data as it
will appear in-flight on the wire.
Now the snort virus rules aren't outright useless; using them with flexresp
is a great way to reduce load on your SMTP server. However, their window of
usefulness is significantly diminished by other tools, hence the lowered
urgency of maintenance.
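An added illustration of the point above about only seeing data "as it will appear in-flight on the wire" (this is not code from the thread or from Snort): a constructed, benign stand-in signature is placed inside a base64 MIME attachment and matched two ways, once per raw segment without decoding, and once after reassembling and decoding the whole body. The signature string, the message layout, the 76-column wrapping and the 3k segment size are all assumptions made for the example.

```python
# Added example, not from the original thread: why an in-flight, per-segment
# content match is fragile compared with decoding the whole message first.
import base64

SIGNATURE = b"TESTSIG-NOT-A-REAL-VIRUS-9f3a"  # constructed, benign stand-in
SEGMENT_SIZE = 3072                          # the "3k at a time" an IDS sees

def base64_variants(sig: bytes) -> set[bytes]:
    """The base64 text fully determined by `sig` at each of the three possible
    alignments to a 3-byte group; a wire-level rule would need all three."""
    variants = set()
    for offset in range(3):
        enc = base64.b64encode(b"x" * offset + sig)
        start = 4 if offset else 0                              # group shared with filler
        end = len(enc) - (4 if (offset + len(sig)) % 3 else 0)  # padded final group
        variants.add(enc[start:end])
    return variants

def build_message(attachment: bytes) -> bytes:
    """Constructed MIME-style body: one header, blank line, base64 at 76 chars/line."""
    enc = base64.b64encode(attachment)
    lines = [enc[i:i + 76] for i in range(0, len(enc), 76)]
    return b"Content-Transfer-Encoding: base64\r\n\r\n" + b"\r\n".join(lines) + b"\r\n"

def wire_match(message: bytes, sig: bytes) -> bool:
    """Packet-level view: raw bytes, no reassembly beyond SEGMENT_SIZE, no decoding."""
    variants = base64_variants(sig)
    segments = (message[i:i + SEGMENT_SIZE] for i in range(0, len(message), SEGMENT_SIZE))
    return any(v in seg for seg in segments for v in variants)

def decoded_match(message: bytes, sig: bytes) -> bool:
    """Server-side view: take the whole body, strip line breaks, decode, then match."""
    body = message.split(b"\r\n\r\n", 1)[1].replace(b"\r\n", b"")
    return sig in base64.b64decode(body)

def compare(prefix_len: int) -> tuple[bool, bool]:
    """Place the signature after `prefix_len` filler bytes; return (wire, decoded)."""
    msg = build_message(b"A" * prefix_len + SIGNATURE + b"B" * 3000)
    return wire_match(msg, SIGNATURE), decoded_match(msg, SIGNATURE)

if __name__ == "__main__":
    # Prefixes 3 and 4 keep the encoded signature inside one 76-char line; 45 lands
    # it at column 60, so the line break (as a segment boundary would) splits it.
    for n in (3, 4, 45):
        print(n, compare(n))
```

The decoded match succeeds in every case, while the raw-segment match only succeeds when the encoded signature happens to sit unbroken inside one line and one segment.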