[Snort-users] About virus.rules

kenw at ...10492... kenw at ...10492...
Sat May 29 22:03:05 EDT 2004


On Mon, 17 May 2004 13:22:18 -0500, you wrote:

>On Mon, May 17, 2004 at 10:55:48AM -0400, Matt Kettler wrote:
>> At 03:43 AM 5/17/2004, etienne.causse at ...11813... wrote:
>> >"# NOTE: These rules are NOT being actively maintained.
>> ># These rules are going away.  We don't care about virus rules anymore."
>> >
>> >Although, I see that there are more rules than the only one listed in this
>> >file on snort.org.
>> >
>> >So my question is quite simple : why is there no support for virus rules
>> >any more ?
>> 
>> Simple answer: Because AFAIK nobody has volunteered to be the official 
>> maintainer of the rules.
>> 
>
> I volunteered some time ago, but never received a response.  So,
> I can only assume I'm either worthless or they aren't looking for
> a maintainer :)  I would hope the 2nd as they say the rules are
> going away and they don't care.
>
>-=Mike

I agree with your sentiment, but is there any reason "they" have to respond
at all?  AFAIK, if you want to maintain a rule set, and post it
occasionally or put it on a ftp/web site, nobody's stopping you, and many
people will be appreciative.

I nearly did it myself a while back, but got too busy.  Collected a number
of signatures, but it's getting out of date; haven't even browsed this list
for a while.

Granted that using snort to detect email-borne viruses is probably
low-value, because it will tell you little about their source.  However,
detecting the network activity of worms, network-propagating viruses, and
trojans if possible, can be very useful, and provides information not
available from protection software.

In fact, for smaller sites, I suspect such detection could actually be of
greater value than any of the usual IDS-related functions.

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw at ...10492...
www.kmsi.net




More information about the Snort-users mailing list