[Snort-users] About virus.rules

nt anaysia2003 at ...131...
Sat May 29 01:59:02 EDT 2004

Everyone on the list has made some good points about the virus/worm rules. I work for a computer service co. and I have seen many PCs infected by viruses; some do not have AV software, and others just do not update or know much about it to get auto updates. I think where the virus rules should go is more toward finding infected computers on the internal network. Realistically, viruses coming in really don't bother me, but if I see some virus activity going from IN>Out then I am concerned about the alert.

etienne.causse at ...11813... wrote:

Hi all,

I'm currently working on a Snort deployment project in my company, and I am
wondering about rules which allow one to see virus signatures.
In my rule set (downloaded from snort.org) I see:
"# NOTE: These rules are NOT being actively maintained.
# These rules are going away. We don't care about virus rules anymore."

Although, I see that there are more rules than the only one listed in this
file on snort.org.

So my question is quite simple: why is there no support for virus rules
any more?
I have added some of the rules I found, which allowed me to find some
signatures of the Sasser worm in my network. And I think it could be very cool
to use Snort for monitoring worm propagation, as it could allow me to see
the infected hosts quickly.

Thanks for your answers.

