[Snort-sigs] writing signatures from isolated viruses

Cory Hollingsworth Cory.Hollingsworth at ...2343...
Thu Mar 25 15:07:03 EST 2004


I'm still relatively new to Snort, so I am uncertain if this is possible. At my place of work we use Interscan Virus Wall on an SMTP gateway to filter out viruses.  However we tend to become infected often before pattern files are available from Trend.
 
Virus Wall has an option to quarantine Virus attachments.  Sadly the option doesn't isolate the entire email message so we lose the header information which could tell us where the file came from.
 
I'm wondering if there is a way I could take a virus attachment which I know has infected our network and create a signature using that file to better isolate infected machines on our network.

Does any one have any advice they can offer on this concept?  Is what I'm thinking impossible/impracticle?  Where would I go from here to learn enough about signature generation to develop a signature from a binary file.

I would expect that I'd need to MIME encode the file back to its original MIME type and then generate a series of diffs to identify the common or fingerprintable portions of the virus.  From there I 
would guess that I'd need to incorporate that fingerprint into Snort's rule set some how.
 
Any advice as to where I should start would be appreciated.
 
Thanks.





More information about the Snort-sigs mailing list