Re: writing virus signatures

[Siddhartha Jain <sid () netmagicsolutions com>]

Will Metcalf wrote:
> > So if Snort can clean out the bulk of the traffic thats infected with
> > the common virii then the saving on resources is enormous for me. This
> > does not mean that I do away with the AV servers but that the AV servers
> > work as specialist AV cleaners and Snort works as the general AV cleaner.
>
>
> How are you planning on doing this?  flexresp?
As I mentioned earlier I am running Snort, as of now, on a mirrored
switch uplink port that goes to the router. Once we have tested the
solution well enough, we will deploy Snort in inline mode with iptables
as a transparent bridge.

> > Now comes the part of looking into zip files which is where we still
> > need ClamAV and other AV solutions. My question is that why isn't there
> > a unique identification string in the zipped payloads of the
> > virii/worms? Why do attachments need to be unzipped before being
> > examined since no two files can have the same zip file?
>
>
> Writing signatures against a zip file, rather than against the payload
> of the viri is possible I suppose, but in practice probably not a good
> idea.  I think you would end up with a AV signature database larger
> than anybody would want to manage, probably a high number of false
> positives, and a signature that would be trivial to circumvent.
>
> A lot of times viri have double extensions, which attempt to mask the
> real extension i.e. .zip.exe would look like .zip.  In this case you
> would not need to unzip anything as the file is actually an MZ or PE
> executable for which you could create a valid signature.

All true. However, I don't plan to replace the exisiting AV solution
with a Snort-inline box. The goal is to get the signatures of the latest
virus outbreak to snort so that a huge flood of emails does not reach
the AV servers. So we will always keep the number of rules on snort very
small to match the latest virii that are hitting our network. For eg,
right now the top virii floating around are NetSky and Mytob. NetSky is
being detected well by Snort but mytob isn't despite having three
Mytob.Ed signatures.

Out of the total of 50 rules I have in Snort config, 37 have been
triggered but the bulk of events belongs to 5-6 rules so I can trim down
my rule base to probably 20 and still do a good job at keeping the bulk
of bad mails away from reaching the AV servers. Now if a new virus comes
in the picture we add its signature to Snort and delete the signatures
of the virii that have gone out of *fashion*. The flow would be
something like:
1. The ops team identifies the latest virus flooding the AV servers.
2. A typical flood lasts several days so on day one of the flood we port
the ClamAV signature to a Snort rule for that particular virus and its
various strains. The goal is to keep the number of Snort rules down to
minimum, maybe about 15-20 rules.
3. The older virus rules that aren't triggering too many events are
removed from the Snort rule base so keep Snort efficient.

Also, a few rules are evergreen. The two top event generating rules on
my network are:
1. BLEEDING-EDGE VIRUS Inbound Suspicious Email Attachment  - 22%
2. Possible MS Outlook email From forgery attempt   - 22%

The third currently is NetSky.
3. BLEEDING-EDGE Virus Netsky.P Worm - incoming  - 22%

1 gets triggered before the actual attachment passes the network.
Dropping such traffic at the network layer itself would prevent the
entire mail from reaching the AV servers thus save expensive scanning of
the infected mail and save bandwidth because we will never receive the
attachment (the connection would be reset before that). 1 also takes
care of several virii that send *illegal* attachments.

2 gets triggered as soon the packets containing the headers pass the
network. The benefits of dropping this traffic is pretty much the same
as above. 2 also counters spam.

Gathering statistics from our AV and Anti-spam solution and comparing it
to the events generated by snort we believe that a significant amount of
AV/spam traffic can be dropped by Snort.

What do you think of the strategy? Also, some pointers on how to extract
a signature for a zipped (only once) virus.exe :)

Thanks,

Siddhartha



-------------------------------------------------------
SF.Net email is sponsored by: GoToMeeting - the easiest way to collaborate
online with coworkers and clients while avoiding the high cost of travel and
communications. There is no equipment to buy and you can meet as often as
you want. Try it free.http://ads.osdn.com/?ad_id=7402&alloc_id=16135&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users