Snort mailing list archives
Re: writing virus signatures
From: Siddhartha Jain <sid () netmagicsolutions com>
Date: Wed, 25 May 2005 21:04:28 +0530
Will Metcalf wrote:
The bleeding snort guy's have already done the work for you. http://www.bleedingsnort.com/bleeding-virus.rules
Thanks Will. I am currently using bleeding-snort rules but as you can see they are a small subset of the ClamAV signature database.
DISCLAIMER: The ClamAV preproc is not meant to be a replacement for Mail Gateway AV scanners. We are looking at fragments of files, not the whole thing. In which case we are unable to look inside the contents of zip files etc.
:) Exact reason why I am not using Snort with the ClamAV preproc. My AV servers are detecting huge Mytob infected mails whereas the Snort sensor with the mytob.ED signature isn't catching anything. A little about why I think Snort is a good to way eliminate virus/worm traffic before it hits the AV server. I am running Snort on a mirrored switch port with an old P-III 650Mhz/128MB RAM machine. The CPU loads rarely crosses 12% for Snort and this is when I am looking at the traffic to about a dozen mail servers. The rule set for the Snort is optimised to inspect traffic destined only for port 25 incoming. This setup works well for detecting the bulk of the viruses out there - NetSky, Mydoom, Zafi, Klez and even spam (with the Outlook forgery attempt sig). This kind of traffic also constitutes the bulk of the virus/spam traffic. Against this, my two main AV servers that are 2.8GHz dual-procs with 2GB RAM each run upto 100% CPU utilization at times when there is a major virus outbreak. That exposes me to a DoS. Even otherwise, the two servers use upto 16-25% in *peace* time. So if Snort can clean out the bulk of the traffic thats infected with the common virii then the saving on resources is enormous for me. This does not mean that I do away with the AV servers but that the AV servers work as specialist AV cleaners and Snort works as the general AV cleaner. Now comes the part of looking into zip files which is where we still need ClamAV and other AV solutions. My question is that why isn't there a unique identification string in the zipped payloads of the virii/worms? Why do attachments need to be unzipped before being examined since no two files can have the same zip file? Sorry if some assumptions/questions are too basic. I am just starting out on working with Snort after a long long break. - Siddhartha
On 5/25/05, Siddhartha Jain <sid () netmagicsolutions com> wrote:Hi, I am trying to write a signature for the mytob virus. I have the ClamAV signature for the virus but clam extracts the .exe from the .zip file and then does a match so the clam signature seems useless. How do I identify the base64 string in the mytob zip file that uniquely identifies the virus? - Siddhartha
------------------------------------------------------- SF.Net email is sponsored by: GoToMeeting - the easiest way to collaborate online with coworkers and clients while avoiding the high cost of travel and communications. There is no equipment to buy and you can meet as often as you want. Try it free.http://ads.osdn.com/?ad_id=7402&alloc_id=16135&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- writing virus signatures Siddhartha Jain (May 25)
- Re: writing virus signatures Will Metcalf (May 25)
- Re: writing virus signatures Siddhartha Jain (May 25)
- Re: writing virus signatures Will Metcalf (May 25)
- Re: writing virus signatures Siddhartha Jain (May 25)
- Re: writing virus signatures Siddhartha Jain (May 25)
- Re: writing virus signatures Will Metcalf (May 25)