IDS mailing list archives

Re: Writing signatures for e-mail virus attachments


From: lucien Fransman <lucien.fransman () irc2 nl>
Date: Mon, 6 Feb 2006 21:20:08 +0100

On Friday 03 February 2006 05:38, c_sek_har () yahoo co in wrote:
Hi

  How can I write a signature for a virus which is coming as an
attachment? The attachment may be encoded using base64 or binhex encoding.
Shall I have to create a signature for each type?

  Has anybody implemented the idea of decoding the attachment (IDS) and
then parsing the file to look for some pattern?

snip

Some snort preprocessors work this way. There is a CPU/memory penalty however.
If you want to create something very quickly, I would use a packet dump of the
traffic, create the appropriate rules, and then worry about refining them by
doing a decode of the message and creating signatures based on the decoded
message.

--
Lucien Fransman
irC2
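As an added illustration of the two approaches discussed in this thread (not code from either poster): a byte pattern has three different base64 encodings depending on its 3-byte alignment, so a rule on the undecoded stream needs one content string per alignment (and has to ignore the 76-column line folding of the body), while decoding the MIME part first, as a preprocessor does, needs a single pattern. The marker string and the mail message are constructed sample data; only the Python standard library is used.

```python
import base64
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for the byte sequence a signature would look for (not a real malware string).
MARKER = b"SAMPLE-MALWARE-MARKER-0001"


def base64_variants(pattern: bytes) -> list:
    """Return the three base64 substrings `pattern` produces, one per 3-byte alignment (offset 0, 1, 2)."""
    if len(pattern) < 3:
        raise ValueError("pattern too short to survive alignment trimming")
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + pattern)
        head = (0, 2, 3)[k]                        # leading chars that also encode the k filler bytes
        tail = (0, 3, 2)[(k + len(pattern)) % 3]   # trailing chars that depend on whatever follows (plus '=')
        variants.append(enc[head:len(enc) - tail])
    return variants


def build_message(payload: bytes) -> bytes:
    """Construct a sample MIME mail carrying `payload` as a base64 attachment (demo data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def raw_match(wire: bytes, pattern: bytes) -> bool:
    """Rule on the undecoded stream: one content string per alignment, i.e. three rules per pattern.
    Base64 bodies are folded at 76 columns, so line breaks are dropped before matching."""
    stream = wire.replace(b"\r\n", b"").replace(b"\n", b"")
    return any(v in stream for v in base64_variants(pattern))


def decoded_match(wire: bytes, pattern: bytes) -> bool:
    """Preprocessor-style check: decode every MIME part, then match the single raw pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(wire)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if pattern in part.get_payload(decode=True):
            return True
    return False
```

Shifting the marker by one or two bytes inside the attachment changes which variant appears on the wire, which is why a single raw content string misses two of the three cases while the decoded check is unaffected.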
