Snort mailing list archives

Re: About virus.rules


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 17 May 2004 16:09:41 -0500

On Mon, 2004-05-17 at 13:22, Michael Sconzo wrote:
> I volunteered some time ago, but never received a response.  So,
> I can only assume I'm either worthless or they aren't looking for
> a maintainer :)  I would hope the 2nd as they say the rules are
> going away and they don't care.

No, actually... it's because you're worthless... hehe  ;)

I think the issue is two-fold. For one, virus detection (and prevention)
is probably better done on the host than on the network. Second, the
signature list would have to be extensive, and for upkeep you'd be adding
to it daily. Look how quickly viruses are added to Norton. I think the
virus.rules file would mushroom quickly to the point where Snort would
drag too much.

Your desktops/servers are a bit slower because of real-time virus
detection. Imagine all that load resting on Snort. Performance would
nose-dive.

Personally, I'd rather see all file based viruses and such removed and
dealt with by virus software. That said, however, I strongly vote for
continuing to keep up with worms. Since worms are network based, Snort
is better suited than host-based virus software. 

So basically, remove virus.rules or trim it to only those that also
spread through the network (hybrids), but create and maintain a
worm.rules file.

Regards,
Frank
(part-time coffee-shop rebel)
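The split Frank proposes above (keep network-spreading worm rules, hand file-based virus detection to host AV) can be mechanized as a first pass over an existing rule file. The following is an added example, not code from the original thread or from the Snort project: it parses Snort 2.x rule headers and the msg/sid options, and sorts rules into a "worm" bucket and a "file" bucket. The sample rules, the sids, and the classification policy (destination port in a set of directly exploitable service ports, or "WORM" in the msg) are all constructed assumptions for illustration, not real virus.rules entries.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Snort 2.x rule syntax. These are placeholders
# made up for this example, not real signatures from virus.rules.
SAMPLE_VIRUS_RULES = """\
# constructed sample, not the real virus.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"WORM sample scanning 445/tcp"; flow:to_server,established; content:"|00 00 00 85 ff|SMB"; depth:9; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"VIRUS sample mailed executable attachment"; flow:to_server,established; content:"Content-Disposition|3A| attachment"; content:".exe"; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"VIRUS/WORM sample hybrid hitting MSSQL resolver"; content:"|04|"; depth:1; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"VIRUS sample HTTP download of MZ file"; flow:to_client,established; content:"MZ"; sid:9000004; rev:1;)
"""

# Snort 2.x rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)'
    r'\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r'sid:\s*(\d+)')

# Hypothetical policy (an assumption for this example): traffic aimed straight
# at these service ports is the kind of self-propagation Snort is good at
# catching, so such rules stay in worm.rules. Everything else is treated as
# file-delivered content (mail, web downloads) better left to host AV.
NETWORK_SERVICE_PORTS = {"135", "137", "138", "139", "445", "1434", "4444"}


def parse_rule(line: str) -> Optional[Dict[str, object]]:
    """Parse one rule line; return None if it is not a recognizable header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, options = m.groups()
    msg_m = MSG_RE.search(options)
    sid_m = SID_RE.search(options)
    return {
        "raw": line.strip(),
        "action": action, "proto": proto,
        "src": src, "sport": sport, "direction": direction,
        "dst": dst, "dport": dport,
        "msg": msg_m.group(1) if msg_m else "",
        "sid": int(sid_m.group(1)) if sid_m else None,
    }


def classify(rule: Dict[str, object]) -> str:
    """Return "worm" for network-spreading rules (hybrids included), else "file"."""
    if "WORM" in str(rule["msg"]).upper():
        return "worm"
    ports = {rule["dport"]}
    if rule["direction"] == "<>":      # bidirectional: either side may be the service
        ports.add(rule["sport"])
    if ports & NETWORK_SERVICE_PORTS:
        return "worm"
    return "file"


def split_rules(text: str) -> Dict[str, List[Dict[str, object]]]:
    """Sort every rule in `text` into worm / file buckets; keep unparsable lines aside."""
    out: Dict[str, List[Dict[str, object]]] = {"worm": [], "file": [], "unparsed": []}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        rule = parse_rule(s)
        if rule is None:
            out["unparsed"].append({"raw": s})
            continue
        out[classify(rule)].append(rule)
    return out


def render(rules: List[Dict[str, object]]) -> str:
    """Rebuild a rules file body (e.g. for worm.rules) from parsed rules."""
    return "\n".join(str(r["raw"]) for r in rules) + "\n"


if __name__ == "__main__":
    buckets = split_rules(SAMPLE_VIRUS_RULES)
    print("# worm.rules candidates")
    print(render(buckets["worm"]))
    print("# leave to host AV")
    print(render(buckets["file"]))
```

The port list and the msg keyword are only a starting point; the output is meant to be reviewed by whoever maintains the file, since a rule's header says where the traffic goes, not how the payload propagates. The parser also skips lines it cannot read rather than silently dropping them, so nothing from the original file disappears unnoticed.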
