IDS mailing list archives
Re: Writing signatures for e-mail virus attachments
From: lucien Fransman <lucien.fransman () irc2 nl>
Date: Mon, 6 Feb 2006 21:20:08 +0100
On Friday 03 February 2006 05:38, c_sek_har () yahoo co in wrote:
> Hi, how can I write a signature for a virus which is coming as an attachment? The attachment may be done by using base64 or binhex encoding. Shall I have to create a signature for each type? Has anybody implemented the idea of decoding the attachment (IDS) and then parsing the file to look for some pattern?
[snip]

Some Snort preprocessors work this way. There is a CPU/memory penalty, however. If you want to create something very quick, I would use a packet dump of the traffic, create the appropriate rules, and then worry about refining them by doing a decode of the message and creating signatures based on the decoded message.

-- 
Lucien Fransman
irC2
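The trade-off Lucien describes (raw content rules on the encoded stream first, decoded matching later) can be made concrete. The following is an added example, not code from anyone in this thread and not a Snort preprocessor: it builds a constructed MIME message carrying a base64 attachment whose payload contains a made-up marker string (standing in for the byte pattern a real signature would look for), generates the three base64 alignments of that pattern for a raw wire-level rule, and contrasts that with decoding the attachment through Python's standard `email` library and matching the decoded bytes. It shows why raw rules miss when the attachment's bytes shift the base64 alignment or a 76-column line wrap splits the encoded pattern, which is exactly the refinement step the reply recommends. All message headers, filenames and the marker are constructed values.

```python
import base64
import email
from email import policy

# Constructed marker standing in for a byte pattern a signature would target.
# It is not a real malware signature.
MARKER = b"SAMPLE-MALWARE-PATTERN-0001"


def build_message(prefix: bytes) -> bytes:
    """Build a constructed MIME message with one base64 attachment.

    `prefix` is placed before the marker in the attachment payload so the
    caller can control the base64 alignment (len(prefix) % 3) and where the
    encoded marker lands relative to the 76-column MIME line wrap.
    """
    payload = prefix + MARKER + b"\x00" * 8
    b64 = base64.b64encode(payload).decode()
    # MIME base64 bodies are wrapped at 76 characters per line.
    wrapped = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        b"From: sender@example.test\r\n"
        b"To: recipient@example.test\r\n"
        b"Subject: invoice\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        b"\r\n--XYZ\r\n"
        b"Content-Type: text/plain\r\n\r\nPlease see attached.\r\n"
        b"--XYZ\r\n"
        b'Content-Type: application/octet-stream; name="invoice.exe"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b'Content-Disposition: attachment; filename="invoice.exe"\r\n\r\n'
        + wrapped.encode()
        + b"\r\n--XYZ--\r\n"
    )


def base64_alignments(pattern: bytes) -> list:
    """Return the three base64 renderings of `pattern` (offset 0, 1, 2 mod 3).

    Characters that also depend on the unknown bytes before or after the
    pattern are trimmed, so each variant is a stable substring a raw
    content rule could carry. This is the classic trick for matching an
    encoded stream without decoding it.
    """
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + pattern).rstrip(b"=").decode()
        start = {0: 0, 1: 2, 2: 3}[pad]            # first char fully determined by pattern
        total = pad + len(pattern)
        end = 4 * (total // 3) + {0: 0, 1: 1, 2: 2}[total % 3]  # last stable char
        variants.append(enc[start:end])
    return variants


def raw_signature_hits(wire: bytes, pattern: bytes) -> bool:
    """Naive wire-level rule: does any base64 alignment appear verbatim?"""
    return any(v.encode() in wire for v in base64_alignments(pattern))


def decoded_match(wire: bytes, pattern: bytes) -> list:
    """Decode each attachment and return filenames whose bytes contain pattern."""
    msg = email.message_from_bytes(wire, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)   # undoes the transfer encoding
        if data and pattern in data:
            hits.append(part.get_filename())
    return hits


if __name__ == "__main__":
    for prefix in (b"", b"A", b"A" * 45):
        wire = build_message(prefix)
        print(len(prefix), "prefix bytes: raw rule",
              raw_signature_hits(wire, MARKER),
              "| decoded", decoded_match(wire, MARKER))
```

With no prefix the raw rule and the decoded check agree; with a 45-byte prefix the encoded marker straddles a line break, so the raw rule misses while the decoded check still reports `invoice.exe`. The alignment variants are cheap enough for a first-pass rule, and the decoding path is the more expensive but reliable refinement.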
Current thread:
- Writing signatures for e-mail virus attachments c_sek_har (Feb 06)
- Re: Writing signatures for e-mail virus attachments lucien Fransman (Feb 07)
- Re: Writing signatures for e-mail virus attachments David W. Goodrum (Feb 07)
- <Possible follow-ups>
- Re: Writing signatures for e-mail virus attachments anonymous (Feb 07)
- RE: Writing signatures for e-mail virus attachments Matthew Conover (Feb 13)