[Snort-sigs] Re: [Snort-users] Who doesn't care about virus rules, and why?

Nick.Cross at ...1874...
Fri Nov 7 03:08:14 EST 2003

I care about virus rules, but only some of them.

We (Fujitsu Consulting) in the UK run a LAN IDS at each site, watching the
local segment before it hits the WAN (and our parent Fujitsu's WAN is quite
big, we are in most countries) =).

WAN+-------+Router+--------+Switch+==== users

As the UK Network Admin I am more interested in making sure the local UK
segments don't infect other sites around the world, and to be able to give a
heads up to my foreign counterparts that they have a rogue machine on their
segments (many of which run their own NIDS anyway).  We have a strict
policy on personal firewall use, patching, email antivirus etc. but as a
company of consultants, a lot of people are on customer sites or working
from home and you can't enforce your policies 100% of the time (especially
when you don't have access to the user's machine, and they haven't been in
the office for 6 months).

Why don't I care about some rules? Some of the virus rules are a little too
specific, as mentioned on this forum, with any TCP virii you don't see the
payload unless the target is actually vulnerable and is about to get
infected.  But rules like the Blaster 'ping' are quite useful, though I
would expect that new virii won't be as simple as that in the future (it's
not hard to randomise the ping payload in data or in length - and that
would totally stuff that signature).  If you mean to use such TCP
signatures then you will probably need to set up some honeypots so that the
payload actually gets transferred onto your wire so you can see it.  (honeyd
looks quite good for that, coupled with the default route idea it would
work quite nicely).

So I don't ever expect to see, say, any SoBig.F rules trigger. But with the
MS03-043 vulnerability, it works over UDP (well, all the code I've seen has)
so in this case if someone wrote a virus/worm for it, I would assume a
snort sig would catch it on your wires, as the payload will be in the first
few packets (correct me here if I'm wrong people =) ).  I'm considering
writing a rule to catch the UUID in a packet for the messenger service to
see if its use is high on my nets, might be quite interesting...?



Nicholas Cross
Network Consultant
51 Homer Road
West Midlands
p: +44-121-220-6601
f:  +44-121-220-6001
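The post's closing idea (match the Messenger service interface UUID in UDP datagrams and count how often it shows up per host) is worked out below as an added example; it is not code from the original post or from the Snort project. Instead of a raw byte-string match, it parses the fixed 80-byte DCE/RPC connectionless (CL) header so that the drep byte-order flag is honoured: with a little-endian drep the first three UUID fields are byte-swapped on the wire, so a single fixed `content:` string only catches one encoding. The Messenger (msgsvc) interface UUID is the well-known `5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc`; the activity UUID, the second "other" interface UUID, the opnum values and the sample datagrams are all constructed for the example, not captured traffic.

```python
"""Tally DCE/RPC connectionless (UDP) requests bound to the Messenger service
interface by parsing the CL header and comparing the interface UUID.

Added example, not code from the original post or from Snort. Assumptions:
MSGSVC_UUID is the Messenger interface the post refers to; OTHER_UUID, the
activity UUID, opnums and all sample datagrams below are constructed.
"""
import struct
import uuid
from collections import Counter

# Messenger service (msgsvc) DCE/RPC interface UUID.
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
# Constructed UUID standing in for some unrelated interface.
OTHER_UUID = uuid.UUID("12345678-1234-1234-1234-123456789abc")

CL_HEADER_LEN = 80      # fixed size of the DCE/RPC CL (datagram) header
PTYPE_REQUEST = 0       # ptype value for a request PDU


def parse_cl_header(datagram: bytes):
    """Parse a DCE/RPC CL header; return a dict of fields, or None if not CL RPC."""
    if len(datagram) < CL_HEADER_LEN or datagram[0] != 4:   # rpc_vers must be 4
        return None
    ptype = datagram[1]
    # drep[0] high nibble: 1 = little-endian integers, 0 = big-endian.
    little = (datagram[4] & 0xF0) == 0x10
    end = "<" if little else ">"

    def uuid_at(off):
        raw = datagram[off:off + 16]
        # With little-endian drep the first three UUID fields are byte-swapped.
        return uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)

    # Fixed-width tail of the header, starting at offset 56.
    (_server_boot, if_vers, seq_num, opnum, _ihint, _ahint,
     stub_len, fragnum, _auth_proto, _serial_lo) = struct.unpack_from(
        end + "IIIHHHHHBB", datagram, 56)
    return {
        "ptype": ptype,
        "object": uuid_at(8),
        "if_id": uuid_at(24),       # interface UUID: the field a rule keys on
        "act_id": uuid_at(40),
        "if_vers": if_vers,
        "seq_num": seq_num,
        "opnum": opnum,
        "stub_len": stub_len,
        "fragnum": fragnum,
        "stub": datagram[CL_HEADER_LEN:CL_HEADER_LEN + stub_len],
    }


def is_msgsvc_request(datagram: bytes) -> bool:
    """True if the datagram is a CL RPC request bound to the Messenger interface."""
    h = parse_cl_header(datagram)
    return h is not None and h["ptype"] == PTYPE_REQUEST and h["if_id"] == MSGSVC_UUID


def count_msgsvc_by_source(packets):
    """packets: iterable of (src_ip, dst_port, udp_payload). Returns hits per src_ip."""
    hits = Counter()
    for src, _dport, payload in packets:
        if is_msgsvc_request(payload):
            hits[src] += 1
    return hits


def build_cl_request(if_id: uuid.UUID, opnum: int, stub: bytes,
                     seq_num: int = 1, little: bool = True) -> bytes:
    """Assemble a CL request datagram (constructed test input, not a real capture)."""
    end = "<" if little else ">"
    act = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed activity id
    hdr = bytearray(CL_HEADER_LEN)
    hdr[0] = 4                          # rpc_vers
    hdr[1] = PTYPE_REQUEST              # ptype
    hdr[2] = hdr[3] = 0                 # flags1, flags2
    hdr[4] = 0x10 if little else 0x00   # drep[0]: integer byte order
    hdr[5:8] = b"\x00\x00\x00"          # drep[1..2], serial_hi
    hdr[8:24] = bytes(16)               # nil object UUID
    hdr[24:40] = if_id.bytes_le if little else if_id.bytes
    hdr[40:56] = act.bytes_le if little else act.bytes
    struct.pack_into(end + "IIIHHHHHBB", hdr, 56,
                     0, 1, seq_num, opnum, 0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    return bytes(hdr) + stub


# Constructed sample traffic: (src_ip, udp_dst_port, payload).
SAMPLE_PACKETS = [
    ("10.1.2.3", 135, build_cl_request(MSGSVC_UUID, 0, b"A" * 64)),
    ("10.1.2.3", 135, build_cl_request(MSGSVC_UUID, 0, b"B" * 64, seq_num=2)),
    ("10.1.2.9", 135, build_cl_request(MSGSVC_UUID, 0, b"C" * 16, little=False)),
    ("10.1.2.4", 135, build_cl_request(OTHER_UUID, 3, b"D" * 16)),
    ("10.1.2.7", 137, b"\x80\x00\x00\x00"),   # not RPC and too short
]

if __name__ == "__main__":
    for src, n in count_msgsvc_by_source(SAMPLE_PACKETS).most_common():
        print(f"{src}: {n} Messenger-interface request(s)")
```

The equivalent Snort-style content match for the little-endian encoding of that interface UUID would be the 16 bytes `F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC` at offset 24 of the UDP payload; the parser above also accepts the big-endian form (the third sample datagram), which a single fixed-byte rule would miss.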
