[Snort-sigs] writing signatures from isolated viruses

pieter claassen pieter at ...1894...
Thu Mar 25 15:29:06 EST 2004

Find sections that stay the same and that you can use to create a
signature from.

Don't worry about mime encoding the file, just sniff the wire and look
for things that stay the same during a mail exchange of the offending
piece of mail. Use Ethereal or something.

Watch out that the signature doesn't match itself (code a bit of the
content in binary).

You can look into using IPS to drop the packets that match. However, be
careful with SMTP's reaction to dropped packets, reject might be more
suitable. Even better if you can get your mailer to drop matches (Exim
can do this)


On Thu, 2004-03-25 at 23:06, Cory Hollingsworth wrote:
> I'm still relatively new to Snort, so I am uncertain if this is possible. At my place of work we use Interscan Virus Wall on an SMTP gateway to filter out viruses.  However we tend to become infected often before pattern files are available from Trend.
> Virus Wall has an option to quarantine Virus attachments.  Sadly the option doesn't isolate the entire email message so we lose the header information which could tell us where the file came from.
> I'm wondering if there is a way I could take a virus attachment which I know has infected our network and create a signature using that file to better isolate infected machines on our network.
> Does any one have any advice they can offer on this concept?  Is what I'm thinking impossible/impracticle?  Where would I go from here to learn enough about signature generation to develop a signature from a binary file.
> I would expect that I'd need to MIME encode the file back to its original MIME type and then generate a series of diffs to identify the common or fingerprintable portions of the virus.  From there I 
> would guess that I'd need to incorporate that fingerprint into Snort's rule set some how.
> Any advice as to where I should start would be appreciated.
> Thanks.
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list