Snort mailing list archives

RE: Snort Virus Detector


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Mon, 29 Mar 2004 10:57:59 -0600

While I gather it is somewhat atypical, the method we've been using has
been pretty effective.

As a background, one of the problems we noticed when using the
content-based rules that typically come out is that if the worm uses TCP
for propagation, then the only time the rule will fire is if we are
watching a network connection across which a successful TCP session
crosses.  This means that, in a sparsely populated network with only 20%
of the addresses assigned, the odds of seeing anything at all are fairly
slim.

To combat this, we put in generic rules on the path that the default
route takes that watch for any connections that the worm uses.  For
example, Blaster/Nimda used SMB for spreading, so we alert on any TCP
port 135, 139, or 445 connection that's outbound on the default route.
While it's noisy, we've got scripts that watch the log files and
generate email/pager messages when a single source IP address generates
alerts on more than, say, 50 destinations in the past 5 minutes.  We've
been very successful with this, and it is fairly easy to delete stuff
from ACID since the "normal" traffic will almost never go beyond a 1:1
ratio of sources to destinations.

This has the added benefit of detecting _any_ worm that uses a monitored
port, so we didn't have to do anything different on Nimda since we
created the rules during Blaster.

We've experimented with using Snort's thresholding, but haven't gotten
it set up in the way we want.  The problem we ran into was that the
thresholded alert would only record one alert for every x events, which
took away our ability to (manually) assign priorities to worms that are
scanning reachable address space, particularly our own.

HTH.

Jon
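The approach Jon describes above, as an added worked example that is not part of the original post or Jon's own scripts: generic port rules with no content match, and a post-processor that replays Snort alert_fast output and pages when one source hits more than 50 distinct destinations inside a sliding five-minute window. The rule text, the alert_fast line format, the thresholds, the year supplied to the parser (alert_fast timestamps carry none) and the sample log are all assumptions, since the message gives none of them.

```python
"""Post-processor for Snort alert_fast output implementing the "one source,
many destinations" worm heuristic from the message above.

Added example, not code from the original post: Jon describes the approach
but did not post his rules or scripts.  The rule text, the log format, the
thresholds and the sample log below are all assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Generic "any outbound SYN to these ports" rules in Snort 2 syntax (assumed;
# the post did not include its actual rules).  No content match on purpose:
# anything that touches these ports is visible, Blaster or otherwise.
GENERIC_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"Outbound TCP/135 connection attempt"; flags:S; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"Outbound TCP/139 connection attempt"; flags:S; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Outbound TCP/445 connection attempt"; flags:S; sid:1000003; rev:1;)
"""

# One alert_fast line looks like this (constructed sample):
# 03/29-10:57:59.000000  [**] [1:1000003:1] Outbound TCP/445 connection attempt [**] [Priority: 3] {TCP} 10.0.5.17:1052 -> 10.0.9.1:445
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*?\{TCP\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_alert(line, year=2004):
    """Return (timestamp, src_ip, dst_ip) for an alert_fast line, else None.
    alert_fast timestamps have no year, so the caller supplies one (assumed)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m["src"], m["dst"]


def find_scanners(lines, max_targets=50, window=timedelta(minutes=5), ignore=frozenset()):
    """Replay chronological alert lines and return [(src, distinct_dsts, ts)]
    for every source that touched more than max_targets distinct destinations
    inside a sliding window.  A source is reported once, when it first crosses
    the threshold, so a pager is not hammered by every later SYN.  `ignore`
    is for hosts that legitimately fan out (domain controllers, backup, scanners)."""
    events = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    live = defaultdict(dict)      # src -> {dst: occurrences inside the window}
    reported = set()
    hits = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        if src in ignore or src in reported:
            continue
        q, counts = events[src], live[src]
        q.append((ts, dst))
        counts[dst] = counts.get(dst, 0) + 1
        # Expire everything older than the window before counting distinct targets.
        while q and q[0][0] < ts - window:
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > max_targets:
            reported.add(src)
            hits.append((src, len(counts), ts))
    return hits


def build_sample_log():
    """Constructed alert_fast log: one fast worm-like scanner, two normal hosts
    (1:1 and 1:2 source-to-destination ratio), and one slow host that touches
    many destinations but never more than 50 inside any five-minute window."""
    start = datetime(2004, 3, 29, 10, 57, 59)
    raw = []
    for i in range(60):                       # 60 destinations in 60 s: should trip
        raw.append((start + timedelta(seconds=i), "10.0.5.17", f"10.0.9.{i + 1}"))
    raw.append((start + timedelta(seconds=5), "10.0.5.40", "10.0.9.100"))
    raw.append((start + timedelta(seconds=7), "10.0.5.41", "10.0.9.101"))
    raw.append((start + timedelta(seconds=9), "10.0.5.41", "10.0.9.102"))
    for i in range(60):                       # 60 destinations at 20 s spacing: should not
        raw.append((start + timedelta(seconds=20 * i), "10.0.5.99", f"10.0.10.{i + 1}"))
    raw.sort()
    return [
        f"{ts.strftime('%m/%d-%H:%M:%S.%f')}  [**] [1:1000003:1] Outbound TCP/445 "
        f"connection attempt [**] [Priority: 3] {{TCP}} {src}:1052 -> {dst}:445"
        for ts, src, dst in raw
    ]


if __name__ == "__main__":
    for src, n, ts in find_scanners(build_sample_log()):
        print(f"{ts:%m/%d %H:%M:%S} {src} reached {n} distinct hosts within 5 min")
```

Run it and only 10.0.5.17 is reported, at the moment it reaches its 51st destination; the slow host never accumulates more than about 16 targets in any window, which is the trade-off the threshold makes against a worm that deliberately throttles itself. Because the post-processor keeps every raw alert, the 1:1 "normal" traffic can still be pruned from ACID by hand, and a crossing source can still be prioritised manually by looking at which destinations it reached, which is what the message says Snort's own threshold keyword took away.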

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jimmy
Norton
Sent: Monday, March 29, 2004 9:54 AM
To: Snort Users List
Subject: [Snort-users] Snort Virus Detector

Hello, All-

My director has put me in charge of building a system that can help
detect machines on our network that are infected with various viruses.
I have built a Snort box using Red Hat Fedora Core 1, MySQL, PHP, and
ACID.  The machine is snorting and posting alerts.  However, I am having
trouble writing rules that effectively detect the type of traffic these
various malicious agents create.  Does anyone have any experience
writing rules for this purpose?  I'd appreciate any help.

Thanks in advance.

Jimmy Norton
~~~~~
Network Security Specialist
Nova Southeastern University




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux
tutorial presented by Daniel Robbins, President and CEO of GenToo
technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
