[Snort-sigs] Virus/Worms signatures ruleset
kmx at ...2383...
Thu Jun 17 21:50:06 EDT 2004
I wouldn't count out the current rule-set just because virus.rules
doesn't seem to contain what you're looking for. Virii and worms are very
interesting creatures, as they utilize existing vulnerabilities to
spread. This causes a "what do you call it" problem in the rule set, in
my opinion, but the detection capability is definitely there for a large
number of things.
Here's a simple example:
The Witty Worm - SIDs 2443, 2444, 2445, 2446 detect attempts to exploit
the ICQ name buffer overflow vulnerability that Witty uses to spread.
The Sasser Worm - SID 2514 detects attempts to exploit the LSASS exploit
used by Sasser to spread.
Blaster, Slammer, etc.: similar story, there are SIDs that detect the
vulnerabilities exploited by those worms also.
Since rules are used to detect attempts to exploit vulnerabilities, and
worms use vulnerabilities, the rules report attempts to exploit the
vulnerabilities, and not the "tool, worm, virii, etc." that is causing the
Maybe a good paradigm for this is a police officer catching speeders.
The officer only cares that you are speeding; he doesn't care what kind
of car you are driving. You're going to get pulled over regardless of
whether you're driving a Chevy or a Porsche. This is also why the officer
writes you a speeding ticket, and not a "speeding while in a crappy
white '91 Chevy". Just as the Snort rules report "Netbios SMB
DsRolerUpgradeDownGrade etc.. attempt" and not "Sasser Worm".
Virii follow a different paradigm than worms: they don't utilize a
software flaw to spread, they use the gullibility of the end-user to
execute them. However, virii have generalized detectable attributes:
they usually open lots of outbound connections, they usually have odd
attachment files like ".scr, .pif" (who emails legit screensaver files
and pif files? no one :) ), and they might contain silly subjects like
"I love you". All of these things are easily detectable by the IDS;
however, once again you know that it's a virus, but you don't know if
it's NetSky.A, NetSky.B, NetSky.C, Netsky.lotsoflettershere, or
PE_ZAFI.A, PE_ZAFI.purplepeopleeater, or one of the other 100,000+ virii
in the wild.
I hope that explains things a bit. Snort's current rule sets will
provide most of the functionality you're looking for; one just has to have
a bit of knowledge about the alerts it generates.
Dan Metcalf wrote:
>I'm sure that this has been covered many times before, so just please point
>me in the correct direction.
>I have a client that is a VERY small ISP. They are interested in tracking
>down worms and viruses within their network to aid end users in eradicating
>the problems. They of course don't have control of the end users' computer
>systems, so other than running anti-virus at the mail server and blocking a
>few commonly exploited ports they would like to have tools to help point
>them and their users in the right direction.
>Question: Where should I look for signatures of virus & worms, and more
>preferably rulesets that might help them in identifying systems with
>problems? Since the virus.rules isn't maintained I'm sure some other
>parties have put together some kind of ruleset to help.
>Thanks for any help.
>snort-dan at ...2556...
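Worked example added to this archived thread (not code from the original posters): a small Python script that applies kmx's point that Snort reports the exploit attempt, not the worm. It maps the SIDs named in the reply (2443-2446 for Witty, 2514 for Sasser) to the worm riding on each exploit and counts alerts per source host so an ISP can see which customer machines are probably infected. The alert_fast line layout, rule messages, timestamps and hosts in the sample data are assumed or constructed, not taken from the thread.

```python
import re
from collections import Counter, defaultdict

# SIDs named in the reply, mapped to the worm that rides on each exploit;
# the Snort rule itself only reports the exploit attempt, not the worm.
SID_TO_WORM = {
    2443: "Witty", 2444: "Witty", 2445: "Witty", 2446: "Witty",
    2514: "Sasser",
}

# Assumed Snort alert_fast layout: <ts> [**] [gid:sid:rev] <msg> [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{(\w+)\}\s+([\d.]+):?(\d*)\s+->\s+([\d.]+):?(\d*)$"
)

# Constructed sample alerts (timestamps, hosts and rule messages are made up).
SAMPLE_ALERTS = [
    "06/17-21:50:06.000001 [**] [1:2514:5] NETBIOS SMB DsRoleUpgradeDownlevelServer attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.1.20:1099 -> 10.1.1.77:445",
    "06/17-21:50:07.000002 [**] [1:2514:5] NETBIOS SMB DsRoleUpgradeDownlevelServer attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.1.20:1100 -> 10.1.1.78:445",
    "06/17-21:50:08.000003 [**] [1:2443:3] ICQ name buffer overflow attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 10.1.1.31:4000 -> 10.1.1.90:31337",
    "06/17-21:50:09.000004 [**] [1:999999:1] constructed unrelated alert [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.40:2222 -> 10.1.1.91:80",
]

def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    _gid, sid, _rev, msg, proto, src, _sport, dst, _dport = m.groups()
    return {"sid": int(sid), "msg": msg, "proto": proto, "src": src, "dst": dst}

def infected_hosts(lines, threshold=2):
    """Return {src_ip: {worm: count}} for sources with >= threshold worm-exploit alerts."""
    counts = defaultdict(Counter)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["sid"] not in SID_TO_WORM:
            continue  # unparsable line, or an exploit no known worm uses
        counts[alert["src"]][SID_TO_WORM[alert["sid"]]] += 1
    # A worm scans repeatedly; a lone alert may be a one-off probe or false positive.
    return {src: dict(c) for src, c in counts.items() if sum(c.values()) >= threshold}

if __name__ == "__main__":
    for src, worms in infected_hosts(SAMPLE_ALERTS).items():
        print(f"{src}: likely infected with {worms}")
```

Hosts that only trip the rule once are dropped by the threshold, so the Witty source in the sample appears only when `threshold=1`.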