Snort as a Virus Detection Tool

Problem

Can Snort be used to help us document and detect viruses traveling across our network?

Solution

Using the ClamAV engine (http://www.clamav.net), several Snort developers from the open source community (Will Metcalf and Victor Julien) have been able to create a Snort preprocessor that can be used to detect viruses such as web-based, mail-based, and several other ports. One word of caution, though: this tool, while helpful, can place an extra load on a sensor. It should be deployed as its own sensor so as to not take processor time and space away from your main sensor platform. However, the value of a tool such as this should be immediately visible in demonstrating the threat posed by your RAS/VPN users, or even your remote sites that connect back into your network.

For example, if you have a RAS connection that connects directly to your network core without passing through any or little defenses, what would be the first line to be breached if a worm outbreak were to occur? Your RAS link would promptly help your network defense team discover which machines the patch management team didn't get to finish.

Another reason to run this preprocessor is that AV vendors often get detection methods for viruses and Trojans before the IDS community does. So for example with the ms04-028 exploit (jpeg JFIF exploit), ClamAV had an update that would detect the exploit, while the Snort community came out with several that worked only over HTTP. So when you are doing your threat count at the end of the day, you can determine that the exploit came in eight times over the Web and was correctly killed by the user AV software on the desktop, while the server team missed the 10 times it came in over SMTP through HTML emails.

Discussion

To enable this preprocessor, you have to patch Snort and first get the file from:

http://sourceforge.net/tracker/download.php?group_id=78497&atid=553469&file_id=98150&aid=1011054.

This patch has been tested on Linux and BSD platforms. To enable it, we are going to follow these procedures to install the clamAV software and get the most current AV database, and then install Snort with the patch to log to a database (ACID, for simplicity). Following these instructions, you will have an antivirus detecting Snort that logs to a database (MySQL, for example).

Once the ClamAV source code is downloaded from http://www.clamav.net, it needs to be installed. At the time of writing, the most current version is 0.80, which will successfully detect the jpeg exploit found in MS04-028! This tool runs as its own user, so you'll have to create an account as well before installing. This account is also specified at install time to make sure the tool is compiled correctly.

root#adduser clamav 

 

root# ./configure --with-user=clamav & make

If no errors are displayed after the make is complete, install the tool to the default location of /usr/local/share/clamAV. Then make a test run to make sure the executables compiled correctly using the following example.

root# /usr/local/bin/clamscan /home/  

If the summary doesn't look something like the following, the install failed, minus the actual exploit code.

[root# /usr/local/bin/clamscan /home//

/home///.bash_logout: OK

/home///.bash_profile: OK

/home///.bashrc: OK

/home///.bash_history: OK

/home///.viminfo: OK

/home///virus-jpeg.zip: Exploit.JPEG.Comment.4 FOUND

/home///.pinerc: OK

/home///p0f_db-0.3.tar: OK

/home///snort-2.2.0.tar.gz: OK

 

----------- SCAN SUMMARY -----------

Known viruses: 24618

Scanned directories: 1

Scanned files: 12

Infected files: 1

Data scanned: 28.71 MB

I/O buffer size: 131072 bytes

Time: 51.797 sec (0 m 51 s)

Now that ClamAV is installed and working, it is time to update the ClamAV database files with the most recent virus datafiles from http://www.clamAV.net. You can probably script the following example to pull the files daily, if your sensors aren't out of band.

Root# cd /usr/local/share/clamav 

root# wget http://db.local.clamav.net/main.cvd 

root# wget http://db.local.clamav.net/daily.cvd

Now that ClamAV is working on the sensor, it is time to build Snort 2.2.x to use the ClamAV preprocessor. Using the patch found at the following link:

http://sourceforge.net/tracker/download.php?group_id=78497&atid=553469&file_id=98150&aid=1011054

The Snort source code will have to be patched to use the preprocessor. (A very special thanks to William Metcalf for his help in getting this preprocessor to compile.) Once the patching is done, Snort will have to be resourced to make the changes before compile time.

root# patch -p0 < clamav-snortv-2.2.0.diff 

# Either run 

root# autoreconf -f 

# OR 

#root# libtoolize -f & aclocal & autoheader & automake & autoconf 

Now, compile Snort with the ClamAV preprocessor enabled, though you will have to compile Snort with all the ClamAV options. If all are not passed to the configure command, Snort does not compile the preprocessor correctly! Once configure is completed with no errors, make Snort as normal with make and make install.

root# ./configure --enable-clamav --with-clamav-includes=/usr/local/includes

--with-clamav-defdir=/usr/local/share/clamav --with-mysql (--enable-debug ?optional)

#

Finally, edit the snort.conf file to use the ClamAV preprocessor. The preprocessor has to be placed in the snort.conf file immediately after the stream4_reassemble preprocessor but before the http_inspect preprocessor, unless you want the preprocessor to detect test viruses such as EICAR only! One last suggestion would be to test the build in the local snort-2.2.x directory first, as in the following:

#"preprocessor clamav" 

#

root# ./src/snort -c etc/snort.conf -i eth0 -l log -T

If you don't get any errors such as "unknown preprocessor: ClamAV," your build was successful. Simply install and change as necessary to start detecting viruses and Trojans on your network(s).

Unfortunately, there aren't many hard stats yet on the load this places on Snort and the sensor. But for a safe bet, either place a new sensor with this enabled or use on a slow link for staging until you are comfortable using the patch.

Another thought is this will detect only the viruses passing by your sensor. If your organization is considering venturing down the path of intrusion prevention systems (IPS) and application firewalls, you might want to check out the new patch for snort-inline that drops the virus packets at the inline device.

Finally, there are several applications for this as seen earlier; the best to start out with is to demonstrate the risks exposed to your network(s) by remote/RAS/VPN users. This can help an organization weigh the risks of having those connections and the level of protection and assurance that needs to be applied to those connections. Another example would be to place it in front of a heavy-load mail server to demonstrate the cost of allowing spam email through your mail server. The possibility with this preprocessor is the limit of the team applying it and for what purpose.

See Also

Recipe 7.4

Snort-inline patches (http://www.sourceforge.net)

snort-devel mailing list for community support

Staying Legal