Snort mailing list archives

Re: Use Snort to detect viruses?


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 09 Jun 2004 16:51:18 -0400

At 03:16 PM 6/9/2004, Justin McLeod wrote:
> I am new to Snort and have a question. If I have two remote networks connected through VPN, mostly Windows machines, can I put a Snort box at each end to prevent viruses or worms from spreading from one side to the other? Or at least to stop traffic if it sees something it thinks is a virus? I am looking for a low cost solution to keep one side from infecting the other.

Worms (i.e. traveling via network exploits): with the right config, yes.
Viruses (i.e. in files, emails, etc.): to some degree, but Snort's the wrong tool for the job.

File viruses are really the job of a virus scanner. Snort can try to detect them being copied or emailed, but it's not very reliable.

Exploit attempts, suspicious network traffic, etc. are what Snort is designed to detect, thus it can cover worms pretty well.

You'll also need to have those Snort boxes configured with some kind of blocking system to actually stop the spread. By default, Snort is an IDS, and can't stop traffic at all. Tools that work with Snort and can stop traffic include Snortsam, inline-snort, and flexresp.

For comparison of how the different tools work, their basic advantages and disadvantages check out one of my previous posts:

http://lists.virus.org/snort-users-0406/msg00051.html
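An added illustration of the point above (example rules written for this page, not from the post, the Snort project, or any of the three blocking tools): the same worm-style signature expressed first as a plain IDS alert, then with each of the three blocking mechanisms mentioned. The content match, the SMB port, the network variables and the sid values are all placeholders chosen for the example; a real deployment would use the worm's actual signature from a published rule set.

```snort
# Assumed topology for a VPN-linked pair of sites: on each sensor,
# $HOME_NET is that site's own LAN and $EXTERNAL_NET the far side's LAN.
# (Snort's default EXTERNAL_NET of "!$HOME_NET" covers the far side, but
# setting both explicitly avoids matching your own internet traffic.)
var HOME_NET 10.1.0.0/16
var EXTERNAL_NET 10.2.0.0/16

# 1) Plain Snort (default IDS mode): only alerts, never blocks.
#    "HYPOTHETICAL_WORM_MARKER" is a placeholder payload pattern, not a
#    real worm signature; port 445 is assumed as a typical Windows worm target.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE worm probe (alert only)"; \
    flow:to_server,established; content:"HYPOTHETICAL_WORM_MARKER"; \
    classtype:attempted-admin; sid:1000001; rev:1;)

# 2) snort_inline: the sensor sits in the path (bridge + queue), so the
#    rule action itself can be "drop" (drop + log) or "sdrop" (drop silently).
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE worm probe (inline drop)"; \
    flow:to_server,established; content:"HYPOTHETICAL_WORM_MARKER"; \
    classtype:attempted-admin; sid:1000002; rev:1;)

# 3) flexresp: passive sensor that injects TCP RSTs to both ends after the
#    match. The offending packet has already been forwarded, so this is a
#    race against the exploit, not a true block.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE worm probe (flexresp RST)"; \
    flow:to_server,established; content:"HYPOTHETICAL_WORM_MARKER"; \
    resp:rst_all; classtype:attempted-admin; sid:1000003; rev:1;)

# 4) Snortsam: passive sensor asks a separate firewall agent to block the
#    source for a while. Again the first packet gets through; later ones do not.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE worm probe (Snortsam block)"; \
    flow:to_server,established; content:"HYPOTHETICAL_WORM_MARKER"; \
    fwsam:src, 30 minutes; classtype:attempted-admin; sid:1000004; rev:1;)
```

Only the inline form stops the packet that triggered the rule; the other two react after the fact, which for a worm that exploits a service in a single request may be too late. Whichever is used, the rule still only fires on the exploit traffic it has a signature for, which is the post's point about worms versus file-borne viruses.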






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users