[Snort-sigs] Worm, Virus, and Trojan sigs?

Nigel Houghton nigel at ...435...
Fri Dec 12 08:31:02 EST 2003


Around 10:49am Dan Michitsch said:

DM :Hi all, I've been looking at the snort-sigs mailing list archive for
DM :worm/trojan/virus sigs, and I was wondering if there was any place I
DM :could get those types of sigs all in one compiled local.rules file or
DM :something?  I know the official snort rules have dumped virus.rules and
DM :the like and they focus on the common exploit signatures instead, but I
DM :don't want to miss anything.  Are all the latest worms/viruses/trojans
DM :and the like accounted for in the official snort rules (albeit under a
DM :different name than MSBlaster/Nachia/Sinit, etc.)?
DM :
DM :Thanks!
DM :
DM :-Dan

The virus.rules haven't necessarily been "dumped"; they still exist, they
just aren't being maintained like the rest of the rules.

The rules focus on trying to detect attacks against the underlying
vulnerability as opposed to detecting a particular worm or virus that
exploits that vulnerability. Worms and Viruses can have variants which may
evade detection if you focus on specific rules to detect any of them in
particular. For example, the Nachi and Blaster worms attacked the same
vulnerability in MS RPC but had definite differences in their particular
signature. Exploitation attempts by both of these worms may be detected by
sids 2192 and 2193, but which one is doing the attacking is not identified.

(Blaster activity might result in an increase of events from sid 483
though)

The best thing to do is to stay current, keep up to date with your AV solution,
research the underlying vulnerability a worm/virus is trying to exploit
and look in the rules for which ones might be triggered by a worm/virus.

You should always remember that any IDS you have in place needs to be
carefully tuned for your own particular situation. Use the rules as a
starting point, read this list and create/delete/modify your rules as
necessary.

Many people like to create their own rules for viruses and worms to track
down infected hosts; I'm guessing that once the offenders have been
detected and fixed those rules might get turned off to avoid false
positives etc.

-----------------------------------------------------------------------
Nigel Houghton        Security Research Engineer        Sourcefire Inc.
                     Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr."
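The reply says the vulnerability-based rules (sids 2192 and 2193) will fire for either worm without naming it, and that an infection may instead show up as a jump in events from one rule (sid 483) from a single host. The following is an added example, not code from the list post or from Sourcefire, that aggregates Snort "alert_fast" lines per (sid, source host) so that a host hitting many distinct targets stands out. The alert lines are constructed, the rule message text and rev numbers are assumed, and the sid numbers are the ones named in the reply.

```python
"""Aggregate Snort alert_fast lines per (sid, source host) to spot the kind of
event spike the list reply describes: one host tripping the same rule against
many destinations. Added example; alert lines below are constructed."""
import re
from collections import defaultdict

# Snort alert_fast output, one alert per line. Only the fields we aggregate
# on are pinned; the classification/priority part in the middle is skipped.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (message strings and rev numbers are assumed).
# 10.0.0.5 pings six neighbours and then tries an RPC bind; 10.0.0.7 pings
# once; 10.0.0.9 makes one SMB bind attempt; the last line is deliberately
# malformed to show that unparsable lines are skipped.
SAMPLE_ALERTS = """\
12/12-10:49:01.000001  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.21
12/12-10:49:01.000002  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.22
12/12-10:49:01.000003  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.23
12/12-10:49:01.000004  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.24
12/12-10:49:01.000005  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.25
12/12-10:49:01.000006  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.26
12/12-10:49:02.000001  [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1037 -> 10.0.0.21:135
12/12-10:49:03.000001  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
12/12-10:49:04.000001  [**] [1:2193:1] NETBIOS SMB-DS DCERPC ISystemActivator bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:1044 -> 10.0.0.30:445
this line is not an alert
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not alert_fast output."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields


def count_by_source(lines, sids=None):
    """Map (sid, src) -> (alert count, number of distinct destinations).

    Restrict to the given sids when a set is passed, e.g. {483} to watch
    for the ping spike the reply mentions.
    """
    hits = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or (sids is not None and alert["sid"] not in sids):
            continue
        key = (alert["sid"], alert["src"])
        hits[key] += 1
        targets[key].add(alert["dst"])
    return {key: (hits[key], len(targets[key])) for key in hits}


def suspect_hosts(lines, sids, min_targets=5):
    """Sources that hit at least min_targets distinct destinations with any of sids.

    Returns a sorted list of (src, distinct destination count). The rules do
    not say which worm is involved; this only points at hosts worth a look.
    """
    targets = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert["sid"] in sids:
            targets[alert["src"]].add(alert["dst"])
    return sorted((src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for (sid, src), (n, ndst) in sorted(count_by_source(lines).items()):
        print(f"sid {sid:<5} src {src:<10} alerts={n} distinct_dst={ndst}")
    print("ping fan-out suspects:", suspect_hosts(lines, {483}, min_targets=5))
    print("RPC bind sources:", suspect_hosts(lines, {2192, 2193}, min_targets=1))
```

Feed it the real alert file with `lines = open("/var/log/snort/alert")` in place of the constructed sample; the threshold is the part to tune to your own network, as the reply says of the rules themselves.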
