[Snort-users] virus.rules file

Joel Esler jesler at ...1935...
Tue Sep 4 07:03:18 EDT 2012


The virus.rules file has been deprecated, and will be removed in a future release. If you are using the most current rulepack, look for the "malware" set of categories, along with the exploit-kit category.

Rules will be populated into these categories heavily over the next few releases. 
--
Joel Esler
Sent from my iPad 

On Sep 4, 2012, at 6:08 AM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:

> Just a quick thought...
> Why does the virus.rules file say:
> 
> #-------------
> # VIRUS RULES
> #-------------
> #
> # We don't care about virus rules anymore.  BUT, you people won't stop asking
> # us for virus rules.  So... here ya go.
> #
> # There is now one rule that looks for any of the following attachment types:
> #
> #   ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
> #   eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
> #   nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
> #   vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
> #   xlt, xlw
> #
> 
> What I mean to ask: will Snort detect virus content, or not?
> And btw, where is that "one rule" which the file talks about?
> 
> Thanks...
> 



