So if Snort can clean out the bulk of the traffic thats infected with
the common virii then the saving on resources is enormous for me. This
does not mean that I do away with the AV servers but that the AV servers
work as specialist AV cleaners and Snort works as the general AV cleaner.
How are you planning on doing this? flexresp?
Now comes the part of looking into zip files which is where we still
need ClamAV and other AV solutions. My question is that why isn't there
a unique identification string in the zipped payloads of the
virii/worms? Why do attachments need to be unzipped before being
examined since no two files can have the same zip file?
Writing signatures against a zip file, rather than against the payload
of the viri is possible I suppose, but in practice probably not a good
idea. I think you would end up with a AV signature database larger
than anybody would want to manage, probably a high number of false
positives, and a signature that would be trivial to circumvent.
A lot of times viri have double extensions, which attempt to mask the
real extension i.e. .zip.exe would look like .zip. In this case you
would not need to unzip anything as the file is actually an MZ or PE
executable for which you could create a valid signature.
Regards,
Will
-------------------------------------------------------
SF.Net email is sponsored by: GoToMeeting - the easiest way to collaborate
online with coworkers and clients while avoiding the high cost of travel and
communications. There is no equipment to buy and you can meet as often as
you want. Try it free.http://ads.osdn.com/?ad_idt02&alloc_id�135&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
