Re: writing virus signatures

[Siddhartha Jain <sid () netmagicsolutions com>]

Will Metcalf wrote:
> The bleeding snort guy's have already done the work for you.
> http://www.bleedingsnort.com/bleeding-virus.rules
Thanks Will. I am currently using bleeding-snort rules but as you can
see they are a small subset of the ClamAV signature database.

> DISCLAIMER: The ClamAV preproc is not meant to be a replacement for
> Mail Gateway AV scanners.  We are looking at fragments of files, not
> the whole thing.  In which case we are unable to look inside the
> contents of zip files etc.

:) Exact reason why I am not using Snort with the ClamAV preproc.

My AV servers are detecting huge Mytob infected mails whereas the Snort
sensor with the mytob.ED signature isn't catching anything.

A little about why I think Snort is a good to way eliminate virus/worm
traffic before it hits the AV server. I am running Snort on a mirrored
switch port with an old P-III 650Mhz/128MB RAM machine. The CPU loads
rarely crosses 12% for Snort and this is when I am looking at the
traffic to about a dozen mail servers. The rule set for the Snort is
optimised to inspect traffic destined only for port 25 incoming. This
setup works well for detecting the bulk of the viruses out there -
NetSky, Mydoom, Zafi, Klez and even spam (with the Outlook forgery
attempt sig). This kind of traffic also constitutes the bulk of the
virus/spam traffic.

Against this, my two main AV servers that are 2.8GHz dual-procs with 2GB
RAM each run upto 100% CPU utilization at times when there is a major
virus outbreak. That exposes me to a DoS. Even otherwise, the two
servers use upto 16-25% in *peace* time.

So if Snort can clean out the bulk of the traffic thats infected with
the common virii then the saving on resources is enormous for me. This
does not mean that I do away with the AV servers but that the AV servers
work as specialist AV cleaners and Snort works as the general AV cleaner.

Now comes the part of looking into zip files which is where we still
need ClamAV and other AV solutions. My question is that why isn't there
 a unique identification string in the zipped payloads of the
virii/worms? Why do attachments need to be unzipped before being
examined since no two files can have the same zip file?

Sorry if some assumptions/questions are too basic. I am just starting
out on working with Snort after a long long break.

- Siddhartha



> On 5/25/05, Siddhartha Jain <sid () netmagicsolutions com> wrote:
>
> > Hi,
> >
> > I am trying to write a signature for the mytob virus. I have the ClamAV
> > signature for the virus but clam extracts the .exe from the .zip file
> > and then does a match so the clam signature seems useless.
> >
> > How do I identify the base64 string in the mytob zip file that uniquely
> > identifies the virus?
> >
> > - Siddhartha




-------------------------------------------------------
SF.Net email is sponsored by: GoToMeeting - the easiest way to collaborate
online with coworkers and clients while avoiding the high cost of travel and
communications. There is no equipment to buy and you can meet as often as
you want. Try it free.http://ads.osdn.com/?ad_id=7402&alloc_id=16135&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users