[Snort-users] About virus.rules
Jason.Haar at ...294...
Mon May 17 18:00:01 EDT 2004
For my five cents I'd also like to trumpet the greatness of detecting
worms instead of viruses.
You are dead right: viruses are better dealt with by AV scanners, but
We have a world-wide installation of Snort, and it's primary use is in
WAN worm detection. It didn't start out that way - but that's where it's
Sasser, Blaster, etc. may be supposed to trigger "standard" DCOM rules,
but as the current Sasser DCOM vulnerability still isn't available
within the "standard" 2.1 rules series, there's a lot of snort people
who can't detect it (in fact I specifically moved to the CURRENT series
for those rules). The worm-specific rules that appeared afterwards were
much appreciated as a stop-gap measure.
In general I think even "worm" sigs shouldn't be needed as more standard
rules should also trigger (the worm had to break in some way), but in
some cases only the dev track of rules can detect such things...
(BTW: in case you were wondering, we trigger e-mail alerts on anything
that has an internal source address to capture such things - and no, it
can actually go weeks without triggering :-)
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
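The post's last point, alerting on anything whose source address is internal, is easy to implement downstream of Snort rather than in the rules themselves. The following Python script is an added example, not the poster's setup or any Snort project code: it parses lines in Snort's "fast" alert format, keeps only alerts whose source IP falls in RFC 1918 space, and counts them per internal host, so that a single infected machine scanning the WAN shows up as one noisy entry. The sample alert lines, the SIDs in the local 1000000+ range, the rule messages and the IP addresses are all constructed for the example; the internal ranges are an assumption and would be replaced by the site's own HOME_NET.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines (not from the post). Only the second,
# third and fourth have an internal (RFC 1918) source address.
SAMPLE_ALERTS = """\
05/17-17:58:02.104233 [**] [1:1000001:1] LOCAL DCOM bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.45:3391 -> 10.20.5.17:135
05/17-17:58:09.551201 [**] [1:1000001:1] LOCAL DCOM bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.20.5.17:1042 -> 10.31.7.200:135
05/17-17:58:10.003340 [**] [1:1000002:1] LOCAL LSASS exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.20.5.17:1043 -> 192.0.2.88:445
05/17-17:59:41.770912 [**] [1:1000003:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.40.1.9 -> 10.40.1.10
"""

# Assumed internal address space; a real deployment would mirror HOME_NET.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Snort fast format: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src[:port] -> dst[:port]. IPv4 only here.
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[0-9.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["src_ip"] = ipaddress.ip_address(alert.pop("src"))
    alert["dst_ip"] = ipaddress.ip_address(alert.pop("dst"))
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


def is_internal(ip):
    """True if the address lies in one of the configured internal networks."""
    return any(ip in net for net in INTERNAL_NETS)


def internal_source_alerts(text):
    """Keep only alerts originating from an internal host: the worm-infected-machine signal."""
    hits = []
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is not None and is_internal(alert["src_ip"]):
            hits.append(alert)
    return hits


def summarize_by_source(alerts):
    """Count alerts per internal source so one scanning host is reported once, not per target."""
    counts = {}
    for alert in alerts:
        key = str(alert["src_ip"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def format_notice(counts):
    """Build the body of a notification message from the per-host summary."""
    lines = ["Alerts with internal source address:"]
    for host, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {host}: {n} alert(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = internal_source_alerts(SAMPLE_ALERTS)
    print(format_notice(summarize_by_source(hits)))
```

Feeding real output from Snort's alert file (or a syslog stream of the same lines) into `internal_source_alerts` and handing the result of `format_notice` to the mailer of your choice reproduces the "anything with an internal source" policy the post describes; the per-host summary is what keeps a single infected machine from generating one message per target it probes.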