Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: RE: [Snort-users] Who doesn't care about virus r ules, and why?

From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 12 Nov 2003 10:19:53 -0600
There's not necessarily anything "wrong" with the signatures except for
the fact that many of them, the Webdav included, looks for content
within an active TCP session.  Since most networks are only sparsely
populated and, in some cases, firewalls and routing prevent internal
machines from communicating directly with stuff on the Internet, using a
rule that looks for content within a TCP session will miss 99% of the
connection _attempts_ made by an infected machine.  If the worm can't
establish a TCP session (i.e. a non-existant address, an address outside
of your network that isn't routed or is blocked by the firewall, etc.),
then it will almost never send the actual attack stuff that the
signature keys on.
 
Jon

  _____  

From: Lohman, James [mailto:James.Lohman () acs-inc com] 
Sent: Wednesday, November 12, 2003 9:35 AM
To: Williams Jon; kenw () kmsi net; snort-users () lists sourceforge net
Subject: RE: [Snort-sigs] RE: [Snort-users] Who doesn't care about virus
r ules, and why?



Pardon me.. I don't usually post in the open, and I am slightly out of
the loop on this thread... 

Is there a problem with a correct signature for Welchia? I have been
using the Webdav Nessus Safe Scan signature to great success. The
network that I watch is quite large, and when I detect via Webdav
attempt (one of welchia's attack vectors), it is always correct. 

I have detected almost every major worm with Snort, and it has played a
great role. 

Again, if I am out of step on this thread, I apologize, but your
statement about correct signatures Welchia got me. 

Regards, 

James Lohman 
Lead Network Security Analyst 
ACS IS-Team, x7771 

"Network penetration is network engineering, in reverse." 



-----Original Message----- 
From: Williams Jon [mailto:WilliamsJonathan () JohnDeere com] 
Sent: Thursday, November 06, 2003 7:36 AM 
To: kenw () kmsi net; snort-users () lists sourceforge net 
Cc: snort-sigs () lists sourceforge net 
Subject: [Snort-sigs] RE: [Snort-users] Who doesn't care about virus 
rules, and why? 


While I agree that IDS plays a role in tracking down virus-infected
machines, I have to agree that most of the rules specifically written to
detect virus traffic aren't of much use.  My reasons, though, are
probably different from what others think.

Over the past several months, I've been amazed at the amount of time
spent trying to come up with the "correct" signature for
Blaster/Welchia/whatever.  While it is true that we can write fairly
specific rules to detect these things, those specific rules will almost
never trigger, particularly in a large network that is only sparsely
populated.

The majority of worms that I've seen, with the notable exception of
SQLSlammer, are TCP-based.  They also use a randomization technique to
spread beyond their local subnet.  What this ends up meaning is that
something like 90% of the time (in networks I monitor), the worm tries
to connect to non-existant or unreachable IP addresses.  In these cases,
if you're only looking for the worm-specific data within the session,
your rules won't trigger - all that passes the sensor (if anything) is
the TCP SYN packet and maybe a TCP RST.

What we've ended up doing is monitoring the default route path for our
network and watching for either TCP SYNs that are going places they
shouldn't or TCP RST packets generated either by the firewall or the odd
host that is actually hit.  With thresholding, we can generate fairly
useful alerts in cases where, in Blaster's case, one source address
sends out TCP port 135 SYN packets to more than X number of hosts in Y
period of time.  This is so reliable, in nearly every case we've used it
on, that we are able to auto-generate email alerts that go to someone
else to actually _deal_ with the problem rather than making the IDS
staff track down and call each victim independantly.

Of course, we also have content-specific rules, but they rarely fire and
the don't catch varients.  The thresholded behaviour rules have been
catching both varients of what we were trying to find and propegation
activity from worms we didn't know about.

So, to answer your question, if you've got a place where all your junk
traffic goes (i.e. your main Internet connection) _and_ you don't allow
the protocol out, such as with MSRPC stuff on 135, 137, 139, 445, etc.,
run a simple set of rules looking for those SYN packets outbound and use
the thresholding thing if you can.  I think you'll find it more useful
than the virus.rules.

Good luck. 

Jon 

-----Original Message----- 
From: kenw () kmsi net [mailto:kenw () kmsi net] 
Sent: Wednesday, November 05, 2003 9:45 PM 
To: snort-users () lists sourceforge net 
Subject: [Snort-users] Who doesn't care about virus rules, and why? 


The header of virus.rules says: 


# NOTE: These rules are NOT being actively maintained. 

<snip> 

# These rules are going away.  We don't care about virus rules anymore.



Who are "we", and what makes them think these rules aren't important? 



------------------------------------------------------- 
This SF.net email is sponsored by: SF.net Giveback Program. 
Does SourceForge.net help you be more productive?  Does it 
help you create better code?   SHARE THE LOVE, and help us help 
YOU!  Click Here: http://sourceforge.net/donate/ 
_______________________________________________ 
Snort-sigs mailing list 
Snort-sigs () lists sourceforge net 
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Previous By Date Next
Previous By Thread Next

Current thread: