[Snort-users] About virus.rules

nt anaysia2003 at ...131...
Sat May 29 01:59:02 EDT 2004


Everyone on the list has made some good points about the virus/worm rules. I work for a computer service co. and I have seen many pc's be infected by virus some do not have av software and others just do not update or know much about it to get auto updates.  I think where the virus rules should go is more toward finding infected computers on the internal network.  Realistically virus coming in really don't bother me but If I see some virus activity going from IN>Out then I am concerned about the alert.

etienne.causse at ...11813... wrote:Hi all,

I'm currently working on a Snort deployment project in my company, and I am
wondering about rules which allow to see virus signatures.
In my rule set (downloaded from snort.org) I see :
"# NOTE: These rules are NOT being actively maintained.
# These rules are going away. We don't care about virus rules anymore."

Although, I see that there are more rules than the only one listed in this
file on snort.org.

So my question is quite simple : why is there no support for virus rules
any more ?
I have added some of the rules I found which allowed me to find some
signatures of Sasser worm in my network. And I think it could be very cool
to use Snort for monitoring worm propagation, as it could allow me to see
the infected hosts quickly.

Thanks for your answers.

Etienne.





-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

		
---------------------------------
Do you Yahoo!?
Friends.  Fun. Try the all-new Yahoo! Messenger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040529/2eb43589/attachment.html>


More information about the Snort-users mailing list