[Snort-sigs] Virus/Worms signatures ruleset

Xram_LraK kmx at ...2383...
Thu Jun 17 21:50:06 EDT 2004

I wouldn't count out the current rule-set just because virus.rules 
doesn't seem to contain what your looking for.  Virii and Worms are very 
interesting creatures as they utilize existing vulnerabilities to 
spread.  This causes a "what do you call it" problem in the rule set, in 
my opinion, but the detection capability is definitely there for a large 
number of things.

Here's a simple example

The Witty Worm - SID 2443, 2444, 2445, 2446 detect attempts to exploit 
the ICQ name buffer overflow vulnerability that witty uses to spread.
The Sasser Worm - SID 2514 detect attempts to exploit the LSASS exploit 
used by Sasser to spread.

Blaster, Slammer, etc similar story, there are SIDs that detect the 
vulnerabilities exploited by those worms also. 

Since rules are used to detect attempts to exploit vulnerabilities, and 
worms use vulnerabilities, the rules report attempts to exploit the 
vulnerabilities, and not the "tool,worm,virii,etc" that is causing the 

Maybe a good paradigm to this is a police officer catching speeders.  
The officer only cares that you are speeding, he doesn't care what kind 
of car you are driving.  Your going to get pulled over regardless of 
whether your driving a Chevy or a Porsche.  This is also why the officer 
writes you a speeding ticket, and not a "speeding while in a crappy 
white 91 Chevy".  Just as the snort rules report "Netbios SMB 
DsRolerUpgradeDownGrade etc.. attempt" and not "Sasser Worm"

Virii follow a different paradigm than worms, they don't utilize a 
software flaw to spread, they use the gullibility of the end-user to 
execute them.  However, virii have generalized detectable attributes, 
they usually open lots of outbound connections, they usually have odd 
attachment files like ".scr,.pif" (who emails legit screensaver files 
and pif files? no one :) ) , and they might contain silly subjects like 
"I love you".  All of these things are easily detectable by the IDS,  
however, once again you know that it's a virus, but you don't know if 
it's NetSky.A, NetSky.B, NetSky.C, Netsky.lotsoflettershere, or 
PE_ZAFI.A, PE_ZAFI.purplepeopleeater, or one of the other 100,000+ virii 
in the wild.

I hope that explains things a bit.  Snorts current rule sets will 
provide most of the functionality your looking for, one just has to have 
a bit of knowledge about the alerts it generates.


Dan Metcalf wrote:

>I'm sure that this has been covered many times before, so just please point
>me in the correct direction.
>I have a client that is a VERY small ISP.  They are interested in tracking
>down worms and viruses within their network to aid end users in eradicating
>the problems.  They of course don't have control of the end users' computer
>systems, so other than running anti-virus at the mail server and blocking a
>few commonly exploited ports they would like to have tools to help point
>them and their users in the right direction.
>Question:  Where should I look for signatures of virus & worms, and more
>preferably rulesets that might help them in identifying systems with
>problems?  Since the virus.rules isn't maintained I'm sure some other
>parties have put together some kind of ruleset to help.
>Thanks for any help.
>Dan Metcalf
>snort-dan at ...2556...
>This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
>Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
>Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
>REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list