April 13th, 2004, 09:16 PM
#7
Stef: You seem to want to either detect viruses that are currently unknown or detect patterns that might indicate an unknown virus. Either is a pretty tall order, old chap, if you are talking about an IDS...
It seems to me you are discussing a corporate environment with your mention of updating firewalls and border routers. This being the case, you are implying that you are either going to block the address at the firewall when "questionable" content is found, which is feasible with many firewalls, or that you are going to block the content at the firewall. The implication of the second possibility is that your firewall can filter on content.... That being the case - block it by file extension in SMTP attachments. Don't worry about .doc, .xls etc., (but do block mdb and mde IMO), since they seem to have become somewhat passé where the virus authors are concerned and probably won't present the most dangerous threats in the future unless someone, (M$), comes up with a wonderful new "data sharing/access" method... At that point, block the offending extension too till the threat subsides and/or your secondary defense, (the Mail AV), is updated with the signature and fix.
I dunno.... maybe I'm missing something, but it seems to me like trying to use Snort to mitigate an issue that it appears you could mitigate more successfully in another way could result in more problems, (not to mention work on your part), than is safe or necessary.
Can you give me more information if I am "not getting it"...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
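The attachment-extension blocking the post recommends, as an added example that is not part of the original thread: a small Python filter that parses an SMTP message, inspects every attachment filename, and reports those whose extension is on a blocklist. The blocklist starts with the mdb/mde extensions named in the post and is a plain set so an administrator can add an extension while a threat is active, as the post suggests. The sample message, its addresses and its attachment names are constructed here for the demonstration; the filter also catches upper-case and double extensions (for example `notes.txt.mdb`), which a naive "ends with" check would miss.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions blocked outright. mdb/mde come from the post; an administrator
# would extend this set while a new threat is active and shrink it afterwards.
BLOCKED_EXTENSIONS = {"mdb", "mde"}


def attachment_extensions(filename):
    """Return every extension of a filename, lower-cased, so that a double
    extension such as 'report.doc.mde' or an upper-cased 'Contacts.MDE'
    is still matched against the blocklist."""
    return {suffix.lstrip(".").lower() for suffix in PurePosixPath(filename).suffixes}


def find_blocked_attachments(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Parse a raw RFC 822 message and return a list of
    (filename, [matched extensions]) for each attachment whose filename
    carries a blocked extension. An empty list means the message may pass."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no filename of their own
        name = part.get_filename()  # Content-Disposition or Content-Type name
        if not name:
            continue  # inline body text, no attachment to judge
        matched = attachment_extensions(name) & set(blocked)
        if matched:
            hits.append((name, sorted(matched)))
    return hits


def build_sample_message():
    """Constructed test message (addresses and attachment names are made up):
    one harmless spreadsheet, one upper-cased .MDE, one double-extension .mdb."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("Body text for the constructed sample.")
    for name in ("budget.xls", "Contacts.MDE", "notes.txt.mdb"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, exts in find_blocked_attachments(build_sample_message()):
        print(f"blocked attachment {name!r}: extension(s) {exts}")
```

Filtering on the filename is only as good as the sender's honesty about the name, which is why the post keeps the mail AV as the secondary defense; the extension filter buys time before that signature arrives rather than replacing it.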