Snort mailing list archives
Re: writing virus signatures
From: Siddhartha Jain <sid () netmagicsolutions com>
Date: Thu, 26 May 2005 12:17:18 +0530
Will Metcalf wrote:
So if Snort can clean out the bulk of the traffic thats infected with the common virii then the saving on resources is enormous for me. This does not mean that I do away with the AV servers but that the AV servers work as specialist AV cleaners and Snort works as the general AV cleaner.How are you planning on doing this? flexresp?
As I mentioned earlier I am running Snort, as of now, on a mirrored switch uplink port that goes to the router. Once we have tested the solution well enough, we will deploy Snort in inline mode with iptables as a transparent bridge.
Now comes the part of looking into zip files which is where we still need ClamAV and other AV solutions. My question is that why isn't there a unique identification string in the zipped payloads of the virii/worms? Why do attachments need to be unzipped before being examined since no two files can have the same zip file?Writing signatures against a zip file, rather than against the payload of the viri is possible I suppose, but in practice probably not a good idea. I think you would end up with a AV signature database larger than anybody would want to manage, probably a high number of false positives, and a signature that would be trivial to circumvent. A lot of times viri have double extensions, which attempt to mask the real extension i.e. .zip.exe would look like .zip. In this case you would not need to unzip anything as the file is actually an MZ or PE executable for which you could create a valid signature.
All true. However, I don't plan to replace the exisiting AV solution with a Snort-inline box. The goal is to get the signatures of the latest virus outbreak to snort so that a huge flood of emails does not reach the AV servers. So we will always keep the number of rules on snort very small to match the latest virii that are hitting our network. For eg, right now the top virii floating around are NetSky and Mytob. NetSky is being detected well by Snort but mytob isn't despite having three Mytob.Ed signatures. Out of the total of 50 rules I have in Snort config, 37 have been triggered but the bulk of events belongs to 5-6 rules so I can trim down my rule base to probably 20 and still do a good job at keeping the bulk of bad mails away from reaching the AV servers. Now if a new virus comes in the picture we add its signature to Snort and delete the signatures of the virii that have gone out of *fashion*. The flow would be something like: 1. The ops team identifies the latest virus flooding the AV servers. 2. A typical flood lasts several days so on day one of the flood we port the ClamAV signature to a Snort rule for that particular virus and its various strains. The goal is to keep the number of Snort rules down to minimum, maybe about 15-20 rules. 3. The older virus rules that aren't triggering too many events are removed from the Snort rule base so keep Snort efficient. Also, a few rules are evergreen. The two top event generating rules on my network are: 1. BLEEDING-EDGE VIRUS Inbound Suspicious Email Attachment - 22% 2. Possible MS Outlook email From forgery attempt - 22% The third currently is NetSky. 3. BLEEDING-EDGE Virus Netsky.P Worm - incoming - 22% 1 gets triggered before the actual attachment passes the network. Dropping such traffic at the network layer itself would prevent the entire mail from reaching the AV servers thus save expensive scanning of the infected mail and save bandwidth because we will never receive the attachment (the connection would be reset before that). 1 also takes care of several virii that send *illegal* attachments. 2 gets triggered as soon the packets containing the headers pass the network. The benefits of dropping this traffic is pretty much the same as above. 2 also counters spam. Gathering statistics from our AV and Anti-spam solution and comparing it to the events generated by snort we believe that a significant amount of AV/spam traffic can be dropped by Snort. What do you think of the strategy? Also, some pointers on how to extract a signature for a zipped (only once) virus.exe :) Thanks, Siddhartha ------------------------------------------------------- SF.Net email is sponsored by: GoToMeeting - the easiest way to collaborate online with coworkers and clients while avoiding the high cost of travel and communications. There is no equipment to buy and you can meet as often as you want. Try it free.http://ads.osdn.com/?ad_id=7402&alloc_id=16135&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- writing virus signatures Siddhartha Jain (May 25)
- Re: writing virus signatures Will Metcalf (May 25)
- Re: writing virus signatures Siddhartha Jain (May 25)
- Re: writing virus signatures Will Metcalf (May 25)
- Re: writing virus signatures Siddhartha Jain (May 25)
- Re: writing virus signatures Siddhartha Jain (May 25)
- Re: writing virus signatures Will Metcalf (May 25)