[Snort-sigs] [1/2OT] Suggestions for rules design for base64 encoded SPAM

Stef mitiste at ...2363...
Fri Apr 2 13:39:01 EST 2004


Hi, all,

I have recently configured an SMTP honeypot, appearing to the outside 
world as a [possible] open relay, which I use to put on hold all email 
attempted to be relayed through, let only local accounts email flow (se 
"honeytokens" below), then analyze all of them, then report (via 
Vipul's razor) all the signatures, then dump all emails, with the 
exception of the test ones, to let spammers continue to [attempt to] 
send their stuff through. I have also installed snort, and hope that I 
can use some known [recent] worm and virus rules, to do additional 
analysis and statistics (MySQL and ACID for "nice" view into those), on 
what is being attempted, and also hoping I could write additional rules 
for snort, based on new stuff showing up.

Here is my question to the snort-sig community: how do I approach the 
design of snort rules for base64 encoded messages (i.e. where do I look 
inside the base64, to identify the uniqueness of a specific encoded 
worm, or virus, let's say ... like - for example - the already known 
"Microsoft patch" embedded/attached files)? Is there any type of 
pre-processor, or other mechanism available for snort, to uudecode on 
the fly the MIME stuff, thus offering better "humanly readable" format 
for building - then - possible rules?

Please do not send me to other methods of preventing worms or viruses - 
this is not the objective of the honeypot (by the way - I also have 
some "honeytokens" setup, i.e. email accounts being set up locally, 
having been used on Usenet to post, and on some web sites, just to be 
"harvested" by spammers, then receiving directed mail SPAM). The 
objective of all this is to analyze and build statistics about 
spamming, and - possibly - being able to build rules for the production 
systems (the argument here being that if I "see" something new, it is 
much more likely I can afford to take the honeypot down, and analyze 
what has been received, even by accepting some "dangerous" email 
locally, then taking down production systems - the building appropriate 
rules for production IDS).

TIA,
Stef





More information about the Snort-sigs mailing list