Snort mailing list archives
RE: Snort Virus Detector
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Mon, 29 Mar 2004 10:57:59 -0600
While I gather it is somewhat atypical, the method we've been using has been pretty effective. As a background, one of the problems we noticed when using the content-based rules that typically come out is that if the worm uses TCP for propagation, then the only time the rule will fire is if we are watching a network connection across which a successful TCP session crosses. This means that, in a sparsely populated network with only 20% of the addresses assigned, the odds of seeing anything at all are fairly slim. To combat this, we put in generic rules on the path that the default route takes that watch for any connections that the worm uses. For example, Blaster/Nimda used SMB for spreading, so we alert on any TCP port 135, 139, or 445 connection that's outbound on the default route. While it's noisy, we've got scripts that watch the log files and generate email/pager messages when a single source IP address generates alerts on more than, say, 50 destinations in the past 5 minutes. We've been very successful with this, and it is fairly easy to delete stuff from ACID since the "normal" traffic will almost never go beyond a 1:1 ratio of sources to destinations. This has the added benefit of detecting _any_ worm that uses a monitored port, so we didn't have to do anything different on Nimda since we created the rules during Blaster. We've experimented with using Snort's thresholding, but haven't gotten it set up in the way we want. The problem we ran into was that the thresholded alert would only record one alert for every x events, which took away our ability to (manually) assign priorities to worms that are scanning reachable address space, particularly our own. HTH.
Jon

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jimmy Norton
Sent: Monday, March 29, 2004 9:54 AM
To: Snort Users List
Subject: [Snort-users] Snort Virus Detector

Hello, All-

My director has put me in charge of building a system that can help detect machines on our network that are infected with various viruses. I have built a Snort box using Red Hat Fedora Core 1, MySQL, PHP, and ACID. The machine is snorting and posting alerts. However, I am having trouble writing rules that effectively detect the type of traffic these various malicious agents create. Does anyone have any experience writing rules for this purpose? I'd appreciate any help. Thanks in advance.

Jimmy Norton
~~~~~
Network Security Specialist
Nova Southeastern University

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
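The fan-out check Jon describes (one source IP alerting on more than about 50 distinct destinations within 5 minutes) is easy to reproduce as a log-watching script. The following is an added example written for this archive page, not code from Jon's post or from the Snort project. It assumes Snort's "fast" alert output format, a hypothetical rule SID 1000001 for the outbound port 135/139/445 rule, and constructed sample alert lines (one worm-like host, one host that talks to a single file server repeatedly, and one host whose distinct destinations are spread out over time so it never crosses the threshold inside a window).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort "fast" alert line (assumed format), e.g.:
# 03/29-10:00:00.000000  [**] [1:1000001:1] Outbound SMB [**] [Priority: 3] {TCP} 10.1.2.3:1234 -> 192.168.5.1:445
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line, year=2004):
    """Return (timestamp, src_ip, dst_ip, dst_port) or None for lines that do not match.
    Snort fast alerts carry no year, so the caller supplies it."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


class FanOutDetector:
    """Per-source sliding window of (timestamp, destination); fires once per source
    when the number of distinct destinations inside the window exceeds max_dests."""

    def __init__(self, window=timedelta(minutes=5), max_dests=50):
        self.window = window
        self.max_dests = max_dests
        self.events = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
        self.notified = set()             # sources already paged, to avoid repeats

    def feed(self, ts, src, dst):
        q = self.events[src]
        q.append((ts, dst))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:     # drop events that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}      # "normal" hosts stay near a 1:1 src:dst ratio
        if len(distinct) > self.max_dests and src not in self.notified:
            self.notified.add(src)
            return src, len(distinct)
        return None


def scan_alerts(lines, window=timedelta(minutes=5), max_dests=50):
    """Run the detector over alert lines in file order; returns [(src, distinct_count), ...]."""
    det = FanOutDetector(window, max_dests)
    hits = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts, src, dst, _ = parsed
        hit = det.feed(ts, src, dst)
        if hit:
            hits.append(hit)
    return hits


def make_line(ts, src, dst, dport=445, sid=1000001):
    """Build a constructed fast-format alert line (sid 1000001 is hypothetical)."""
    return (f"{ts:%m/%d-%H:%M:%S}.000000  [**] [1:{sid}:1] Outbound SMB [**] "
            f"[Priority: 3] {{TCP}} {src}:1234 -> {dst}:{dport}")


# Constructed sample data (not real traffic).
_base = datetime(2004, 3, 29, 10, 0, 0)
SAMPLE_ALERTS = []
# Worm-like host: 60 distinct destinations within 3 minutes.
for i in range(60):
    SAMPLE_ALERTS.append(make_line(_base + timedelta(seconds=3 * i), "10.1.2.3", f"192.168.5.{i + 1}"))
# Normal host: 80 alerts, but all to the same file server (1 distinct destination).
for i in range(80):
    SAMPLE_ALERTS.append(make_line(_base + timedelta(seconds=2 * i), "10.1.2.4", "192.168.9.10"))
# Slow host: 60 distinct destinations, but 10 minutes apart, so never >50 inside one window.
for i in range(60):
    SAMPLE_ALERTS.append(make_line(_base + timedelta(minutes=10 * i), "10.1.2.5", f"172.16.0.{i + 1}"))

if __name__ == "__main__":
    for src, count in scan_alerts(SAMPLE_ALERTS):
        print(f"PAGE: {src} hit {count} distinct destinations within 5 minutes")
```

Because the detector keeps every alert and only suppresses its own page per source, the raw events still reach ACID for manual triage, which is the property Jon found missing in Snort's own event thresholding. For a live deployment the script would tail the alert file rather than read a list, and the window and threshold are the two knobs to tune against the site's normal SMB fan-out.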
Current thread:
- Snort Virus Detector Jimmy Norton (Mar 29)
- <Possible follow-ups>
- RE: Snort Virus Detector Williams Jon (Mar 29)