Snort mailing list archives

RE: Who doesn't care about virus rules, and why?


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Thu, 6 Nov 2003 07:35:52 -0600

While I agree that IDS plays a role in tracking down virus-infected machines, I have to agree that most of the rules 
specifically written to detect virus traffic aren't of much use.  My reasons, though, are probably different from what 
others think.

Over the past several months, I've been amazed at the amount of time spent trying to come up with the "correct" 
signature for Blaster/Welchia/whatever.  While it is true that we can write fairly specific rules to detect these 
things, those specific rules will almost never trigger, particularly in a large network that is only sparsely populated.

The majority of worms that I've seen, with the notable exception of SQLSlammer, are TCP-based.  They also use a 
randomization technique to spread beyond their local subnet.  What this ends up meaning is that something like 90% of 
the time (in networks I monitor), the worm tries to connect to non-existent or unreachable IP addresses.  In these 
cases, if you're only looking for the worm-specific data within the session, your rules won't trigger - all that passes 
the sensor (if anything) is the TCP SYN packet and maybe a TCP RST.

What we've ended up doing is monitoring the default route path for our network and watching for either TCP SYNs that 
are going places they shouldn't or TCP RST packets generated either by the firewall or the odd host that is actually 
hit.  With thresholding, we can generate fairly useful alerts in cases where, in Blaster's case, one source address 
sends out TCP port 135 SYN packets to more than X number of hosts in Y period of time.  This is so reliable, in nearly 
every case we've used it on, that we are able to auto-generate email alerts that go to someone else to actually _deal_ 
with the problem rather than making the IDS staff track down and call each victim independently.

Of course, we also have content-specific rules, but they rarely fire and they don't catch variants.  The thresholded 
behaviour rules have been catching both variants of what we were trying to find and propagation activity from worms we 
didn't know about.

So, to answer your question, if you've got a place where all your junk traffic goes (i.e. your main Internet 
connection) _and_ you don't allow the protocol out, such as with MSRPC stuff on 135, 137, 139, 445, etc., run a simple 
set of rules looking for those SYN packets outbound and use the thresholding thing if you can.  I think you'll find it 
more useful than the virus.rules.

Good luck.

Jon
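The thresholded SYN-sweep logic Jon describes (one source address, TCP port 135, more than X hosts in Y seconds), written out as an added example that is not part of the original post and is not Snort code. It is a small Python detector run over a constructed packet log; the record layout, the names, and the X/Y values are assumptions chosen for the example, and only the outbound-SYN side of the post is implemented (the RST side is not). One caveat worth knowing: Snort's own `threshold` keyword with `track by_src` counts matching events per source rather than distinct destinations, so the example counts distinct destination hosts explicitly to match the wording in the post.

```python
"""Thresholded SYN-sweep detector (added example; not code from the post or from Snort).

Flags a source that sends TCP SYNs to a watched port (135, 137, 139, 445) toward more
than THRESHOLD_HOSTS distinct destination hosts inside a WINDOW_SECONDS sliding
window, whether or not any destination ever answers. Record layout, names and the
X/Y values are assumptions chosen for the example.
"""
from collections import defaultdict, deque

WATCHED_PORTS = {135, 137, 139, 445}  # MSRPC/SMB ports the post says should not leave the network
THRESHOLD_HOSTS = 10                   # "X": distinct destination hosts per source
WINDOW_SECONDS = 60                    # "Y": length of the sliding window


def parse_line(line):
    """Parse one 'ts src dst dport flags' record (constructed format, not a Snort log)."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags


class SynSweepDetector:
    """Per-source sliding window of (timestamp, destination) for SYNs to watched ports."""

    def __init__(self, threshold_hosts=THRESHOLD_HOSTS, window_seconds=WINDOW_SECONDS,
                 ports=WATCHED_PORTS):
        self.threshold = threshold_hosts
        self.window = window_seconds
        self.ports = ports
        self.events = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
        self.last_alert = {}              # src -> ts of last alert, to suppress repeats

    def observe(self, ts, src, dst, dport, flags):
        """Feed one record (records must arrive in timestamp order); return an alert dict or None."""
        # Only bare SYNs matter: a sweep against absent hosts never completes the handshake.
        if flags != "S" or dport not in self.ports:
            return None
        window = self.events[src]
        window.append((ts, dst))
        while window and ts - window[0][0] > self.window:
            window.popleft()  # drop entries that have aged out of the window
        distinct = len({d for _, d in window})
        if distinct <= self.threshold:
            return None
        last = self.last_alert.get(src)
        if last is not None and ts - last <= self.window:
            return None  # already alerted for this source in the current window
        self.last_alert[src] = ts
        return {"ts": ts, "src": src, "dport": dport, "hosts": distinct,
                "seconds": self.window}


def run_detector(records, **kwargs):
    """Run the detector over an iterable of parsed records; return the alerts raised."""
    det = SynSweepDetector(**kwargs)
    alerts = []
    for rec in records:
        alert = det.observe(*rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not a real capture): 10.1.2.3 sweeps fifteen addresses
# on 135, one SYN every half second, and nothing answers; 10.1.5.9 makes a few
# legitimate SMB connections to two file servers; one firewall RST/ACK is mixed in.
SAMPLE_LOG = [f"{100 + i * 0.5:.1f} 10.1.2.3 10.77.0.{i + 1} 135 S" for i in range(15)] + [
    "100.2 10.1.5.9 10.1.5.20 445 S",
    "100.6 10.77.0.2 10.1.2.3 40001 RA",
    "101.3 10.1.5.9 10.1.5.20 445 S",
    "102.8 10.1.5.9 10.1.5.21 445 S",
    "103.1 10.1.5.9 10.1.5.22 80 S",
]
SAMPLE_RECORDS = sorted((parse_line(line) for line in SAMPLE_LOG), key=lambda r: r[0])

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_RECORDS):
        print(f"{alert['src']} sent SYNs to {alert['hosts']} hosts on port "
              f"{alert['dport']} within {alert['seconds']}s (t={alert['ts']})")
```

On the sample data the sweeping host is flagged once, at the eleventh distinct destination, and the legitimate SMB client (two servers, repeated connections) never reaches the threshold. The single-alert-per-window suppression is what makes the output usable for the kind of automatic hand-off email the post describes; the threshold and window are the two knobs to tune against the real address-space density of the monitored network.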

-----Original Message-----
From: kenw () kmsi net [mailto:kenw () kmsi net]
Sent: Wednesday, November 05, 2003 9:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Who doesn't care about virus rules, and why?


The header of virus.rules says:

# NOTE: These rules are NOT being actively maintained.
<snip>
# These rules are going away.  We don't care about virus rules anymore.

Who are "we", and what makes them think these rules aren't important?


