[Snort-sigs] Worm Signatures

Stef mitiste at ...2363...
Tue Apr 6 20:38:08 EDT 2004

On Apr 6, 2004, at 6:38 PM, Jason Haar wrote:

> On Wed, 2004-04-07 at 08:30, Matt Kettler wrote:
>>   With free tools like clamav available it's cheap and easy to get 
>> virus
>> scanning right and do it at the MTA layer. Once the message is 
>> spooled onto
>> a mailserver an AV scanner can take it's time and unpack zipfiles, 
>> compare
>> against thousands of signatures, look across wide spans of the data, 
>> etc.
>> This kind of analysis is not realistically possible within snort. 
>> Snort is
>> a real-time analysis system, snort can't stop and spend hundreds of
>> milliseconds decompressing data to do analysis, as it will miss other
>> packets going by while it does so. A MTA is a queued system, and small
>> delays don't cause loss of protection, just slower delivery, and a few
>> hundred milliseconds won't be significant compared to the overall 
>> time a
>> typical end-to-end mail transfer takes.
> Great description there Matt, but there's one key feature that Snort 
> has
> over most SMTP AV systems: it reports the client IP address...
> Very few commercial AVs report the IP address the virus came from, so
> you are left with quite a manual job to hunt it down (Qmail-Scanner is
> an exception! ;-). Snort obviously hands that out, so when it sees a
> virus on the network, you immediately know where it came from.
> End of the day, it's always the same: defense in depth
> -- 
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

I have tried to make a similar point earlier (as far as asking the same 
question, but for a different purpose), but to no avail. My point was 
that I see a setup like the one I will describe below very, very useful 
(whether production or research environment):

MX-record-server --> filter smtp server (RHBL, RBL, content, DSPAM, 
etc.) --> antivirus server (the order here is obvious - I do not want 
to scan junk) --> HONEYPOT smtp server --> internal servers

The reason of interposing a honeypot here is:
1. I want something to catch what is left after the levels before;
2. I want a holder for honeytokens (email accounts "ALMOST" like 
internal accounts - but nonexistent)
3. I can afford to remove the honeypot any time I like, w/out any 
impact to the functionality of the whole (I am not better or worse with 
or without it, as far as the email flow is concerned), allowing study 
of NEW forms of: UCE/UBE/SPAM or WORMS or VIRII. Think - for example - 
of having tons of users whose email addresses are: XYZ at ...2379..., 
and one YXZ at ...2379... honeytoken (non existing account, but similar 
to real email addresses). With a honeypot I can afford to receive a 
virus/worm, then simply take off-line the whole honeypot and "practice" 
with the payload of attachments, emails, etc. Try to do that with a 
production system!

It is at point 3 that I am interested in snort signatures SPECIFICALLY 
for the reasons above. And my original question was the same as I have 
seen so far in the last couple of weeks: HOW does one start to approach 
such things?

I hope some would see now the benefit of knowing how to write snort 
virus/worms/spam "signatures"! At least under my scenario the purpose 
is not to replace anything - it is to add another security tool to the 
arsenal I have.


P.S. I have actually come up with a functional system capable of doing 
the above, except for the refinement of the Snort signatures (I am 
still writing them on "how-I-feel-about-things:), as part of the tools 
I will produce for a paper I am writing. If anybody is interested, I 
could share that info, once done.

More information about the Snort-sigs mailing list