[Snort-sigs] Virus/Worms signatures ruleset

Matthew Jonkman matt at ...2436...
Thu Jun 17 19:24:02 EDT 2004


I'd think your best bet is to really tune the portscan pre-processors 
and investigate the traffic coming from anyone that trips it a few times 
in a row.

Since most or all of the worms and viruses that would affect the ISP 
will scan to spread, you'll catch them pretty handily that way. And the 
spam-bot worms will send so much mail they'll trip the portscans as well.

You could try to write a sig for every new worm, but that'd keep you 
pretty busy (as you can tell since the virus sigs are not really kept 
up). Besides, it sounds like your ISP doesn't want a full-blown IDS 
function, just an infection detection function to conserve bandwidth.

That's what I'd do. And would be very easy to deploy. A little reading 
on the portscan preprocessor and some tuning and you'll be set.

By the way, if you do deploy this let us know how it goes. I know there 
are a number of ISPs on the list that may be (and should be) 
entertaining the idea. :)

Matt
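The triage Matt describes (investigate sources that trip the portscan preprocessor a few times in a row), as an added example that is not from the original post: a Python script over constructed Snort alert_fast-style lines that keeps only sfportscan alerts (preprocessor generator id 122) and flags sources with repeated hits inside a time window. The sample lines, addresses, thresholds and the gid-1 "hypothetical rule" are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in Snort "alert_fast" style (not real traffic).
# The portscan preprocessor logs with generator id 122; the last line is an
# ordinary rule alert (gid 1, hypothetical) and must be ignored by the triage.
SAMPLE_ALERTS = """\
06/17-19:20:01.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 192.168.1.7
06/17-19:20:09.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 192.168.1.8
06/17-19:20:15.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 192.168.1.9
06/17-19:00:00.000000  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.0.0.22 -> 192.168.2.1
06/17-19:30:00.000000  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.0.0.22 -> 192.168.2.2
06/17-20:00:00.000000  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.0.0.22 -> 192.168.2.3
06/17-19:21:40.000000  [**] [1:2000:1] (hypothetical rule) [**] [Priority: 2] {TCP} 10.0.0.9:4444 -> 192.168.2.1:25
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(?P<gid>\d+):\d+:\d+\]"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> ")
PORTSCAN_GID = 122  # sfportscan preprocessor generator id

def parse_portscan_alerts(text):
    """Yield (timestamp, source_ip) for every portscan preprocessor alert."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m and int(m.group("gid")) == PORTSCAN_GID:
            yield datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S"), m.group("src")

def repeat_scanners(text, min_hits=3, window_s=600):
    """Return {src: total_hits} for sources that tripped the portscan
    preprocessor at least min_hits times within any window_s-second window."""
    by_src = defaultdict(list)
    for ts, src in parse_portscan_alerts(text):
        by_src[src].append(ts)
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0  # sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[src] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for src, hits in repeat_scanners(SAMPLE_ALERTS).items():
        print(f"investigate {src}: {hits} portscan alerts")
```

Sources that only trip the preprocessor occasionally (10.0.0.22 here, three sweeps an hour apart) are left alone unless the window is widened, which keeps the list of hosts to investigate short.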

Dan Metcalf wrote:

> I'm sure that this has been covered many times before, so just please point
> me in the correct direction.
> 
> I have a client that is a VERY small ISP.  They are interested in tracking
> down worms and viruses within their network to aid end users in eradicating
> the problems.  They of course don't have control of the end users' computer
> systems, so other than running anti-virus at the mail server and blocking a
> few commonly exploited ports they would like to have tools to help point
> them and their users in the right direction.
> 
> Question:  Where should I look for signatures of virus & worms, and more
> preferably rulesets that might help them in identifying systems with
> problems?  Since the virus.rules isn't maintained I'm sure some other
> parties have put together some kind of ruleset to help.
> 
> Thanks for any help.
> 
> Dan Metcalf
> snort-dan at ...2556...
