[Snort-sigs] RE: [Snort-users] Who doesn't care about virus r ules, and why?

Lohman, James James.Lohman at ...5841...
Thu Nov 13 06:45:02 EST 2003

Pardon me.. I don't usually post in the open, and I am slightly out of the
loop on this thread... 

Is there a problem with a correct signature for Welchia? I have been using
the Webdav Nessus Safe Scan signature to great success. The network that I
watch is quite large, and when I detect via Webdav attempt (one of welchia's
attack vectors), it is always correct. 

I have detected almost every major worm with Snort, and it has played a
great role. 

Again, if I am out of step on this thread, I apologize, but your statement
about correct signatures Welchia got me. 


James Lohman
Lead Network Security Analyst
ACS IS-Team, x7771

"Network penetration is network engineering, in reverse." 

-----Original Message-----
From: Williams Jon [mailto:WilliamsJonathan at ...2134...]
Sent: Thursday, November 06, 2003 7:36 AM
To: kenw at ...10492...; snort-users at lists.sourceforge.net
Cc: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] RE: [Snort-users] Who doesn't care about virus
rules, and why?

While I agree that IDS plays a role in tracking down virus-infected
machines, I have to agree that most of the rules specifically written to
detect virus traffic aren't of much use.  My reasons, though, are probably
different from what others think.

Over the past several months, I've been amazed at the amount of time spent
trying to come up with the "correct" signature for Blaster/Welchia/whatever.
While it is true that we can write fairly specific rules to detect these
things, those specific rules will almost never trigger, particularly in a
large network that is only sparsely populated.

The majority of worms that I've seen, with the notable exception of
SQLSlammer, are TCP-based.  They also use a randomization technique to
spread beyond their local subnet.  What this ends up meaning is that
something like 90% of the time (in networks I monitor), the worm tries to
connect to non-existant or unreachable IP addresses.  In these cases, if
you're only looking for the worm-specific data within the session, your
rules won't trigger - all that passes the sensor (if anything) is the TCP
SYN packet and maybe a TCP RST.

What we've ended up doing is monitoring the default route path for our
network and watching for either TCP SYNs that are going places they
shouldn't or TCP RST packets generated either by the firewall or the odd
host that is actually hit.  With thresholding, we can generate fairly useful
alerts in cases where, in Blaster's case, one source address sends out TCP
port 135 SYN packets to more than X number of hosts in Y period of time.
This is so reliable, in nearly every case we've used it on, that we are able
to auto-generate email alerts that go to someone else to actually _deal_
with the problem rather than making the IDS staff track down and call each
victim independantly.

Of course, we also have content-specific rules, but they rarely fire and the
don't catch varients.  The thresholded behaviour rules have been catching
both varients of what we were trying to find and propegation activity from
worms we didn't know about.

So, to answer your question, if you've got a place where all your junk
traffic goes (i.e. your main Internet connection) _and_ you don't allow the
protocol out, such as with MSRPC stuff on 135, 137, 139, 445, etc., run a
simple set of rules looking for those SYN packets outbound and use the
thresholding thing if you can.  I think you'll find it more useful than the

Good luck.


-----Original Message-----
From: kenw at ...10492... [mailto:kenw at ...10492...]
Sent: Wednesday, November 05, 2003 9:45 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Who doesn't care about virus rules, and why?

The header of virus.rules says:

># NOTE: These rules are NOT being actively maintained.
># These rules are going away.  We don't care about virus rules anymore.

Who are "we", and what makes them think these rules aren't important?

This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20031113/d9cb3274/attachment.html>

More information about the Snort-users mailing list