Detecting Viruses

Table of contents:

Problem

How can I use Snort to detect viruses, Trojans, and worms?

Solution

One way to detect viruses is to use the following rule from 3.x Rules. This will detect when a box has been infected with a virus that spreads via a new email server.


alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"Possible 

virus Mailing";flags:A+;classtype:policy-violation;sid:11111; rev:1;)

Another rule that helps detect when email messages come through your mail server with "bad" attachments would be this one from the 2.2.0 ruleset. This rule detects 25 attachment types at once!

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad 

file attachment"; flow:to_server,established; content:"Content-

Disposition|3A|"; nocase; pcre:"/filenames*=s*.*?.(?=[abcdehijlmnoprsvwx])

(a(d[ep]|s[dfx])|c

([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s

[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m

[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[x27x22

s]/iR

"; classtype:suspicious-filename-detect; sid:721; rev:8;)

 

Discussion

Officially, the www.snort.org ruleset carries the previous rule only for detecting viruses. This is because they are more worried about other threats to a network. The other consideration is that there's no need to detect this type of traffic given the speed and scale of such devices as email gateway virus scanners, and also workstation and server antivirus products that even sweep running memory.

See Also

http://www.clamav.com open-source antivirus software

Chapter 7

Detecting IM

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net