[Snort-sigs] Virus/Worms signatures ruleset
matt at ...2436...
Thu Jun 17 19:24:02 EDT 2004
I'd think your best bet is to really tune the portscan preprocessors
and investigate the traffic coming from anyone that trips it a few times
in a row.
Since most or all of the worms and viruses that would affect the ISP
will scan to spread, you'll catch them pretty handily that way. And the
spam-bot worms will send so much mail they'll trip the portscans as well.
You could try to write a sig for every new worm, but that'd keep you
pretty busy (as you can tell since the virus sigs are not really kept
up). Besides, it sounds like your ISP doesn't want a full-blown IDS
function, just an infection detection function to conserve bandwidth.
That's what I'd do. And would be very easy to deploy. A little reading
on the portscan preprocessor and some tuning and you'll be set.
By the way, if you do deploy this let us know how it goes. I know there
are a number of ISPs on the list that may be (and should be)
entertaining the idea. :)
Dan Metcalf wrote:
> I'm sure that this has been covered many times before, so just please point
> me in the correct direction.
> I have a client that is a VERY small ISP. They are interested in tracking
> down worms and viruses within their network to aid end users in eradicating
> the problems. They of course don't have control of the end users' computer
> systems, so other than running anti-virus at the mail server and blocking a
> few commonly exploited ports they would like to have tools to help point
> them and their users in the right direction.
> Question: Where should I look for signatures of virus & worms, and more
> preferably rulesets that might help them in identifying systems with
> problems? Since the virus.rules isn't maintained I'm sure some other
> parties have put together some kind of ruleset to help.
> Thanks for any help.
> Dan Metcalf
> snort-dan at ...2556...
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
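The "investigate anyone that trips the portscan preprocessor a few times in a row" approach above, as an added example that is not code from the original posts or from the Snort project: a small Python script that reads alert_fast-style lines from Snort's sfportscan preprocessor (generator ID 122) and reports the source addresses that tripped it at least N times inside a time window. The alert lines, the thresholds (3 trips in an hour) and the addresses are all constructed for the example; the alert format is assumed to be Snort's alert_fast output, which carries no year in its timestamps, so only differences between stamps are used.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed alert_fast-style lines in the shape Snort's sfportscan
# preprocessor (GID 122) emits. Addresses and timing are made up for the
# example; 10.10.4.17 scans repeatedly, 10.10.6.2 trips once, and 10.10.7.7
# trips three times but hours apart.
SAMPLE_ALERTS = """\
06/17-08:00:00.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.10.7.7 -> 10.10.9.1
06/17-12:00:00.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.10.7.7 -> 10.10.9.1
06/17-18:00:00.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.10.7.7 -> 10.10.9.1
06/17-19:01:02.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.10.4.17 -> 10.10.9.3
06/17-19:01:40.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.10.4.17 -> 10.10.9.8
06/17-19:02:15.000000  [**] [122:3:0] (portscan) TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.10.4.17 -> 10.10.9.250
06/17-19:05:00.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.10.6.2 -> 10.10.9.3
06/17-19:30:10.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.10.4.17 -> 10.10.9.9
"""

# One alert_fast line: timestamp, [gid:sid:rev], "(portscan) <message>", then
# the {PROTO:n} tag and "src -> dst". Anything that does not fit is skipped.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+\(portscan\)\s+(?P<msg>[^\[]+?)\s+\[\*\*\]"
    r".*?\{PROTO:\d+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_portscan_alerts(text):
    """Return (timestamp, src, dst, message) for every sfportscan alert line."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m or m.group("gid") != "122":  # GID 122 is the portscan preprocessor
            continue
        # alert_fast stamps carry no year; strptime fills in 1900, which is
        # fine because only differences between stamps are used below.
        ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst"), m.group("msg")))
    return events


def repeat_offenders(text, min_trips=3, window_seconds=3600):
    """Map each source that tripped sfportscan min_trips times within
    window_seconds to the sorted list of hosts it was seen probing.
    Thresholds are arbitrary starting points, not Snort defaults."""
    by_src = defaultdict(list)
    for ts, src, dst, msg in parse_portscan_alerts(text):
        by_src[src].append((ts, dst, msg))

    flagged = {}
    for src, trips in by_src.items():
        trips.sort()
        # Slide a window of min_trips consecutive alerts over the timeline.
        for i in range(len(trips) - min_trips + 1):
            span = (trips[i + min_trips - 1][0] - trips[i][0]).total_seconds()
            if span <= window_seconds:
                targets = {dst for _, dst, _ in trips}
                flagged[src] = sorted(targets, key=ipaddress.ip_address)
                break
    return flagged


if __name__ == "__main__":
    for src, targets in repeat_offenders(SAMPLE_ALERTS).items():
        print(f"{src} tripped the portscan preprocessor repeatedly; probed {', '.join(targets)}")
```

Run against a live alert file (`python script.py < /var/log/snort/alert`, after swapping `SAMPLE_ALERTS` for `sys.stdin.read()`), the flagged addresses are the customers worth contacting; the window keeps a host that trips the preprocessor once a day from being reported, while something sweeping a subnet every few seconds is. The preprocessor's own sensitivity (sfportscan's `sense_level`) is still the first knob to tune, since this script only counts what the preprocessor already decided to alert on.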