[Snort-sigs] Worm Signatures

Matt Kettler mkettler at ...189...
Tue Apr 6 13:31:11 EDT 2004

At 03:13 PM 4/6/2004, Chintan Gosalia wrote:
>This issue has been discussed several times on the bulletin. But i have 
>not found any concrete answer. What can be the best way to come up with 
>signatures for various worms? Should one just pick up the payload for the 
>worm and choose any random string and make it a signature?? Or is there 
>any more concrete method? As most of the worms are in .zip, .pif etc. 
>attachments, the payload we see is either compressed form of actual files? 
>So what can be the best way to come up with sigantures for them with 
>respect to generating the least false positives.

Good signature writing and selection of payload signatures is mostly an art 
form, however it's also helpful to have a comprehensive understanding of 
the normal behaviors of the data streams you're observing.

Things to consider (applies to snort signature writing in general)
         1) get several packet captures of transfers of the attack/worm in 
various forms. Try to find parts of the packets which do not vary and are 
the same each time the worm or attack occurs, regardless of what format 
it's in.

         2) Of those parts, find the one which is the most different from 
"normal" transfers. This is where the comprehensive knowledge part comes 
in. Here it's helpful to understand both the network protocols involved, 
AND the formats of the data transferred. Ideal candidates are parts of the 
packet that are spec violations, if any exist.

As far as email attachments containing viruses and worms, if you want an 
antivirus scanner, don't use snort. Virus signatures in snort are a great 
supplement, and I don't want to dissuade you from working on them as they 
very useful at reducing the noise level when combined with flexresp. 
However, one needs to keep in mind that snort is not a good replacement for 
a virus scanner, and it NEVER will be.

  With free tools like clamav available it's cheap and easy to get virus 
scanning right and do it at the MTA layer. Once the message is spooled onto 
a mailserver an AV scanner can take it's time and unpack zipfiles, compare 
against thousands of signatures, look across wide spans of the data, etc. 
This kind of analysis is not realistically possible within snort. Snort is 
a real-time analysis system, snort can't stop and spend hundreds of 
milliseconds decompressing data to do analysis, as it will miss other 
packets going by while it does so. A MTA is a queued system, and small 
delays don't cause loss of protection, just slower delivery, and a few 
hundred milliseconds won't be significant compared to the overall time a 
typical end-to-end mail transfer takes.

More information about the Snort-sigs mailing list