[Snort-sigs] Virus/Worms signatures ruleset

Matthew Jonkman matt at ...2436...
Thu Jun 17 22:04:04 EDT 2004


I was thinking low maintenance if they're not looking to really have the 
IDS response then portscan and a few of the relevant trojan and rpc 
rules would be a very simple deployment. All they probably care about 
are infections that consume bandwidth and thus affect other 
customers. They will need the portscan processor to catch the 
non-exploit attack issues (spambots, etc).

I guess have them start small and add rules as they have the resources 
to respond and manage. They'll get to a level they can handle and 
maintain and are seeing what they want.

Oh yeah, don't assume no one is using netbios across the Internet. I've 
actually seen homegrown apps use it for remote access in firms we've 
audited. Scary, but true. They actually thought that was a safe way to 
do business. :)

Matt

Jason Haar wrote:
> On Thu, Jun 17, 2004 at 09:23:45PM -0500, Matthew Jonkman wrote:
> 
>>You could try to write a sig for every new worm, but that'd keep you 
>>pretty busy (as you can tell since the virus sigs are not really kept 
>>up). Besides, it sounds like your ISP doesn't want a full-blown IDS 
> 
> 
> I don't think you have to write many at all! Trojans have to exploit
> weaknesses in the (typically) Window systems they are breaking into - and
> standard Snort has rules for them...
> 
> We find it very good at picking up the latest burst of LSASS and RPC-based
> trojans...
> 
> 
> [Although the ISP industry could do us all a favour and just block outgoing
> NetBIOS traffic... I mean - who is MAD ENOUGH to need to run NetBIOS over
> the Internet?!?!?]
> 
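
A minimal starting configuration along the lines Matt suggests (portscan preprocessor plus the trojan and RPC rule files, and one local rule pair that flags NetBIOS/SMB leaving the customer network), written here as an added example rather than anything posted in the thread. The HOME_NET value, rule paths, sid numbers and the sfportscan preprocessor syntax are assumptions for a Snort 2.x install and need adapting to the site.

```snort
# Added example: a deliberately small snort.conf for an ISP that only wants
# to spot infected customer hosts, not run a full-blown IDS. Values below are
# assumptions for a Snort 2.x install and must be adapted to the site.
var HOME_NET 10.0.0.0/8            # assumption: the customer address space
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules     # assumption: where the stock rule files live
include $RULE_PATH/classification.config   # needed for the classtype keyword below

# Catch the noisy behaviour of infections (scanning, spam relays) without
# needing a signature for each new worm. sfportscan syntax assumed; older
# Snort 2.x builds use the "portscan" / "flow-portscan" preprocessors instead.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }

# Only the rule files that cover the way current worms actually break in
# (RPC/LSASS-style holes and the trojans that follow). Add more files later
# as the staff have time to respond to what they alert on.
include $RULE_PATH/rpc.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/backdoor.rules

# Customer hosts opening NetBIOS/SMB sessions to the Internet are either
# worms hunting for more victims or the rare homegrown app Matt mentions;
# either way the ISP wants to know. The threshold limits output to one alert
# per source host every 5 minutes, so one infection does not produce thousands.
alert tcp $HOME_NET any -> $EXTERNAL_NET 137:139 (msg:"LOCAL outbound NetBIOS session from customer host"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"LOCAL outbound SMB session from customer host"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; classtype:misc-activity; sid:1000002; rev:1;)
```

The two local rules fire on the first packet of a session only, so a host that trips them repeatedly across many destinations is the bandwidth consumer the ISP is looking for, while a single hit warrants a look before anyone assumes it is a worm.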
