[Snort-users] About virus.rules

Jason Haar Jason.Haar at ...294...
Mon May 17 18:00:01 EDT 2004

For my five cents I'd also like to trumpet the greatness of detecting 
worms instead of viruses.

You are dead right: viruses are better dealt with by AV scanners, but 

We have a world-wide installation of Snort, and it's primary use is in 
WAN worm detection. It didn't start out that way - but that's where it's 
ended up.

Sasser, Blaster, etc may be supposed to trigger "standard" DCOM rules, 
but as the current Sasser DCOM vulnerability still isn't available 
within the "standard" 2.1 rules series, there's a lot of snort people 
who can't detect it (in fact I specifically moved to the CURRENT series 
for those rules). The worm-specific rules that appeared afterwards were 
much appreciated as a stop-gap measure.

In general I think even "worm" sigs shouldn't be needed as more standard 
rules should also trigger (the worm had to break in someway), but in 
some cases only the dev track of rules can detect such things...

(BTW: in case you were wondering, we trigger e-mail alerts on anything 
that has an internal source address to capture such things - and no, it 
can actually go weeks without triggering :-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list