[Snort-sigs] Worm Signatures
mkettler at ...189...
Tue Apr 6 13:31:11 EDT 2004
At 03:13 PM 4/6/2004, Chintan Gosalia wrote:
>This issue has been discussed several times on the bulletin, but I have
>not found any concrete answer. What can be the best way to come up with
>signatures for various worms? Should one just pick up the payload for the
>worm and choose any random string and make it a signature? Or is there
>any more concrete method? As most of the worms are in .zip, .pif etc.
>attachments, the payload we see is a compressed form of the actual files.
>So what can be the best way to come up with signatures for them with
>respect to generating the least false positives?
Good signature writing and selection of payload signatures is mostly an art
form; however, it is also helpful to have a comprehensive understanding of
the normal behaviors of the data streams you're observing.

Things to consider (applies to snort signature writing in general):

1) Get several packet captures of transfers of the attack/worm in
various forms. Try to find parts of the packets which do not vary and are
the same each time the worm or attack occurs, regardless of what format.

2) Of those parts, find the one which is the most different from
"normal" transfers. This is where the comprehensive knowledge part comes
in. Here it's helpful to understand both the network protocols involved
AND the formats of the data transferred. Ideal candidates are parts of the
packet that are spec violations, if any exist.
As far as email attachments containing viruses and worms go, if you want an
antivirus scanner, don't use snort. Virus signatures in snort are a great
supplement, and I don't want to dissuade you from working on them, as they
are very useful at reducing the noise level when combined with flexresp.
However, one needs to keep in mind that snort is not a good replacement for
a virus scanner, and it NEVER will be.
With free tools like clamav available, it's cheap and easy to get virus
scanning right and do it at the MTA layer. Once the message is spooled onto
a mailserver, an AV scanner can take its time and unpack zipfiles, compare
against thousands of signatures, look across wide spans of the data, etc.
This kind of analysis is not realistically possible within snort. Snort is
a real-time analysis system; it can't stop and spend hundreds of
milliseconds decompressing data to do analysis, as it will miss other
packets going by while it does so. An MTA is a queued system, and small
delays don't cause loss of protection, just slower delivery, and a few
hundred milliseconds won't be significant compared to the overall time a
typical end-to-end mail transfer takes.
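The two steps in the reply above (keep only the bytes that are identical in every capture, then prefer the candidate least seen in normal traffic), worked through as an added example. This is not code from the list post or from the Snort project: the SMTP bodies, the fake attachment bytes, the 40-byte content cap and the rule header (tcp to port 25, `flow:to_server,established`) are all constructed for the illustration and are assumptions, not anything the post specifies.

```python
"""Pick a Snort content match from several captures of the same worm.

Every message below is constructed for this example; none is a real capture.
"""
import base64


def common_substrings(samples, min_len=8):
    """Maximal byte strings of at least min_len bytes present in every sample."""
    base = min(samples, key=len)          # the shortest capture bounds the search
    found = set()
    for i in range(len(base) - min_len + 1):
        j = i + min_len
        if not all(base[i:j] in s for s in samples):
            continue
        while j < len(base) and all(base[i:j + 1] in s for s in samples):
            j += 1                        # extend while still common to all
        found.add(base[i:j])
    # drop anything that is merely a piece of a longer common substring
    return sorted(c for c in found if not any(c != d and c in d for d in found))


def normal_hits(candidate, normal):
    """Number of benign samples that also contain the candidate (lower is better)."""
    return sum(1 for n in normal if candidate in n)


def choose_content(worm_samples, normal, max_len=40, min_len=8):
    """Return (content, hits): the invariant chunk least seen in normal traffic.

    A long candidate is cut to a max_len window, again picking the window with
    the fewest benign hits, so the match lands on the distinctive bytes rather
    than on generic MIME headers that happen to sit next to them.
    """
    cands = common_substrings(worm_samples, min_len)
    if not cands:
        return None, None
    best = min(cands, key=lambda c: (normal_hits(c, normal), -len(c)))
    if len(best) <= max_len:
        return best, normal_hits(best, normal)
    windows = [best[k:k + max_len] for k in range(len(best) - max_len + 1)]
    win = min(windows, key=lambda w: normal_hits(w, normal))
    return win, normal_hits(win, normal)


def snort_content(data):
    """Render bytes as a Snort content string: printable ASCII literally,
    non-printables and Snort's own meta-characters as |hex| blocks."""
    out, run = [], []

    def flush():
        if run:
            out.append("|" + " ".join("%02X" % x for x in run) + "|")
            run.clear()

    for x in data:
        if 0x20 <= x < 0x7F and chr(x) not in '"|;\\':
            flush()
            out.append(chr(x))
        else:
            run.append(x)
    flush()
    return '"' + "".join(out) + '"'


def build_rule(worm_samples, normal, sid, msg):
    """Assemble a rule around the chosen content (rule header is an assumption)."""
    content, _ = choose_content(worm_samples, normal)
    if content is None:
        return None
    return (f'alert tcp any any -> any 25 (msg:"{msg}"; flow:to_server,established; '
            f'content:{snort_content(content)}; sid:{sid}; rev:1;)')


def smtp_body(subject, filename, attachment):
    """Constructed SMTP DATA fragment carrying one base64 attachment."""
    hdr = (f"Subject: {subject}\r\nMIME-Version: 1.0\r\n"
           f'Content-Type: application/octet-stream; name="{filename}"\r\n'
           "Content-Transfer-Encoding: base64\r\n\r\n").encode()
    return hdr + base64.b64encode(attachment) + b"\r\n"


# Stand-in for a worm binary: a fake zip local-header prefix plus a made-up body.
WORM_BYTES = b"PK\x03\x04\x14\x00" + b"HYPOTHETICAL-WORM-BODY-" + bytes(range(64))
WORM_SAMPLES = [                          # same attachment under three guises
    smtp_body("photos", "photo.pif", WORM_BYTES),
    smtp_body("your document", "readme.zip", WORM_BYTES),
    smtp_body("Re: game", "game.scr", WORM_BYTES),
]
NORMAL_SAMPLES = [                        # benign: text mail and two ordinary zips
    b"Subject: lunch\r\nMIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\nnoon?\r\n",
    smtp_body("report", "q1.zip", b"PK\x03\x04\x0a\x00" + b"quarterly-figures"),
    smtp_body("photos", "trip.zip", b"PK\x03\x04\x14\x00" + b"IMG_0001.JPG" + bytes(range(32))),
]

if __name__ == "__main__":
    for cand in common_substrings(WORM_SAMPLES):
        print(normal_hits(cand, NORMAL_SAMPLES), snort_content(cand))
    print(build_rule(WORM_SAMPLES, NORMAL_SAMPLES, 1000001, "EXAMPLE worm attachment"))
```

Run as a script it lists every invariant chunk with its benign-hit count, then the rule. The MIME headers shared by the three captures are also shared by the benign zip mails and score badly; the base64 body wins, and the window step drops the header bytes in front of it. This only mirrors the post's first two steps: it finds the byte string most unlike the benign corpus you feed it, so the corpus has to be representative, and a candidate that is also a protocol violation (the post's "ideal" case) still has to be recognised by a human.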