Problem
My company is overrun by malware. How can we track users who have malware and where it's installed?
Solution
There is no easy way to detect all malware. However, you can use several methods to identify its traffic, and the rules below show a few ways to track these types of connections.
# Log every DNS query from the internal network to its own file for later searching
log udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"DNS query"; content:"A "; content:"PTR "; logto:dnsqueries.log; sid:10501; rev:1;)
# Log every client HTTP request carrying a User-Agent header (header names are case-insensitive, hence nocase)
log tcp $HOME_NET any -> any $HTTP_PORTS (msg:"HTTP USER AGENT LOG"; flow:from_client; content:"User-Agent"; nocase; logto:useragents.log; classtype:attempted-recon; sid:10502; rev:1;)
# Alert on a download from the Gator installer path
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Gator Spyware Download"; uricontent:"/gatorcme/"; nocase; classtype:bad-unknown; sid:10556; rev:1;)
# Alert on the Gator client identifying itself in the User-Agent header
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Gator browser in use"; content:"User-Agent:"; nocase; content:"Gator"; nocase; flow:from_client,established; classtype:bad-unknown; sid:10557; rev:1;)
# Alert on the Gator client contacting its update server
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Gator client usage"; content:"Host: updateserver.gator.com"; nocase; flow:to_server,established; classtype:bad-unknown; sid:10558; rev:1;)
Discussion
Gator is only one piece of malware that might be running across your networks. The key to detecting and identifying malware is the same as with other types of traffic. Find some common feature of the traffic, such as a word or phrase, or even the hex bytes of the packets. Then zero in on that feature and determine specifics of the traffic that you can match with as much accuracy as possible. The other key is to watch your web traffic very closely. User-agent or browser identification is a great method for searching through the logs to find strange connections from your network. Another suggestion is to use some of Snort's other tools to find hosts that are generating more traffic than normal, or simply talkative hosts. Talkative hosts are usually an indication of a problem, unless they are servers.
Another suggestion is to use the malware ruleset from http://www.bleedingsnort.com. This entire ruleset targets only malware on a network. These rules (use them at your own risk) may help you figure out just how much of your total network traffic is generated by malware/adware/spyware software. Finally, detecting this type of traffic is really a job for your web proxy server and your DNS server. When you use blocks or denies to hamper this type of traffic, you'll have a more secure network and noticeably better performance.
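The Discussion recommends three follow-up steps on the logs the rules produce: find which hosts tripped the Gator signatures, rank talkative hosts (ignoring known servers), and look for user-agent strings that only a few hosts send. The following Python script is an added example, not code from the book or from the Snort project; it parses Snort's alert_fast output format for the SIDs defined above and works on constructed sample alerts and constructed (host, user-agent) pairs embedded in the script, so it runs offline. Real deployments would feed it the sensor's alert file and the requests logged by the sid 10502 rule.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Snort's alert_fast format. The SIDs are the
# ones from the recipe's rules; the addresses and timestamps are made up.
SAMPLE_ALERTS = """\
03/14-10:02:11.123456  [**] [1:10502:1] HTTP USER AGENT LOG [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:33011 -> 93.184.216.34:80
03/14-10:02:12.442101  [**] [1:10557:1] Gator browser in use [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:33012 -> 203.0.113.9:80
03/14-10:02:15.001200  [**] [1:10558:1] Gator client usage [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:33013 -> 203.0.113.9:80
03/14-10:03:01.770000  [**] [1:10502:1] HTTP USER AGENT LOG [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.7:41002 -> 93.184.216.34:80
03/14-10:03:05.120000  [**] [1:10556:1] Gator Spyware Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.9:50120 -> 203.0.113.9:80
03/14-10:04:00.000000  [**] [1:10502:1] HTTP USER AGENT LOG [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:33014 -> 198.51.100.20:80
"""

# Constructed (source host, User-Agent header value) pairs, standing in for
# what the sid 10502 log rule captures. The "Gator/1.0" string is a sample.
SAMPLE_UAS = [
    ("10.1.1.5", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("10.1.1.7", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("10.1.1.9", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("10.1.1.5", "Gator/1.0"),
    ("10.1.1.12", "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.0"),
]

# SIDs from the recipe: the three Gator signatures and the User-Agent log rule.
GATOR_SIDS = {10556, 10557, 10558}

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification/priority, {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def infected_hosts(lines):
    """Map each internal source IP to the set of Gator SIDs it triggered."""
    hits = defaultdict(set)
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and alert["sid"] in GATOR_SIDS:
            hits[alert["src"]].add(alert["sid"])
    return dict(hits)


def talkative_hosts(lines, threshold=3, known_servers=()):
    """Source IPs with at least `threshold` alerts, most talkative first.

    Known servers are skipped, since high volume is normal for them.
    """
    counts = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and alert["src"] not in known_servers:
            counts[alert["src"]] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def rare_user_agents(records, max_hosts=1):
    """User-Agent strings seen from at most `max_hosts` distinct hosts.

    Returns {user_agent: sorted list of hosts}; a browser string that only one
    machine on the network sends is worth a closer look.
    """
    hosts_by_ua = defaultdict(set)
    for ip, ua in records:
        hosts_by_ua[ua].add(ip)
    return {ua: sorted(hosts) for ua, hosts in hosts_by_ua.items()
            if len(hosts) <= max_hosts}


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for ip, sids in sorted(infected_hosts(lines).items()):
        print(f"Gator signatures on {ip}: {sorted(sids)}")
    for ip, n in talkative_hosts(lines, threshold=3):
        print(f"talkative host {ip}: {n} alerts")
    for ua, hosts in rare_user_agents(SAMPLE_UAS).items():
        print(f"rare user-agent {ua!r} from {hosts}")
```

On the constructed data, 10.1.1.5 shows up in all three views (two Gator SIDs, the most alerts, and the only host sending the sample "Gator/1.0" string), which is the kind of corroboration you want before visiting a desk. Pass your real server addresses in `known_servers` so they do not crowd out the workstations in the talkative-host list.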
See Also
http://www.squidguard.org for the ideas about blocking malware
http://www.bleedingsnort.com for some malware rules