Detecting Viruses
Problem
How can I use Snort to detect viruses, Trojans, and worms?
Solution
One way to detect mass-mailing malware is the following rule. It fires when a host that is not one of your sanctioned mail servers ($SMTP_SERVERS) opens an SMTP session to port 25 of something that is also not one of your mail servers; that is the signature of a worm or Trojan that carries its own SMTP engine and bypasses your relays entirely. Note that flags:A+ matches every packet with the ACK bit set, so the rule alerts on each packet of the conversation rather than once per session; pair it with a threshold or a flow:to_server,established option in practice. The sid 11111 is a placeholder: local rules belong in the 1,000,000 and above range.
alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"Possible virus Mailing"; flags:A+; classtype:policy-violation; sid:11111; rev:1;)
Another rule, sid 721 from the 2.2.0 ruleset, catches outbound messages passing through your mail server with "bad" attachments. It anchors on the Content-Disposition header and then runs a PCRE (the R modifier makes it relative to the end of that content match) against the filename parameter; the alternation covers more than 60 executable, script, and macro-capable extensions in one expression.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:8;)
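To see exactly what the two rules above do and do not catch, here is the detection logic of both transcribed into Python and run over a few constructed SMTP/MIME fragments. This is an added example, not code from the book or from the Snort project: the $HOME_NET and $SMTP_SERVERS values, the sample addresses and the MIME fragments are hypothetical. The sid 721 PCRE is used verbatim; the rule's content match plus /R modifier is emulated by searching from the end of each Content-Disposition header. The last sample shows an RFC 2231 filename*= parameter, which the expression never sees because it only knows the literal "filename=" form.

```python
import ipaddress
import re
from typing import List, Tuple

# The pcre from sid 721, transcribed as-is into Python's re (PCRE and re agree
# on everything used here: lazy .*?, lookahead, \s, \xNN escapes, /i).
BAD_ATTACHMENT_RE = re.compile(
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?"
    r"|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)"
    r"|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\s]",
    re.IGNORECASE,
)
# The rule's content:"Content-Disposition|3A|" match; the pcre's /R modifier
# searches relative to the end of it, emulated below with search(pos, endpos).
CONTENT_DISPOSITION_RE = re.compile(r"content-disposition\x3a", re.IGNORECASE)

# Hypothetical values for the rule variables (not from the page).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
SMTP_SERVERS = {ipaddress.ip_address("10.0.0.25")}


def bad_attachments(payload: str) -> List[str]:
    """sid 721 logic: for each Content-Disposition header, run the pcre from
    the end of that header (but not past the next one) and return the flagged
    extensions, lower-cased."""
    starts = [m.end() for m in CONTENT_DISPOSITION_RE.finditer(payload)]
    hits = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(payload)
        m = BAD_ATTACHMENT_RE.search(payload, start, end)
        if m:
            hits.append(m.group(1).lower())
    return hits


def rogue_smtp_client(src: str, dst: str, dport: int) -> bool:
    """First rule's logic: !$SMTP_SERVERS any -> !$SMTP_SERVERS 25. A host that
    is not a sanctioned mail server talking SMTP to something that is not one
    either is the signature of malware carrying its own mail engine."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return dport == 25 and s not in SMTP_SERVERS and d not in SMTP_SERVERS


def evaluate(flows: List[Tuple[str, str, int, str]]) -> List[Tuple[str, str, str]]:
    """Apply both rules to (src, dst, dport, payload) records and return
    (msg, src, detail) alerts in order."""
    alerts = []
    for src, dst, dport, payload in flows:
        if rogue_smtp_client(src, dst, dport):
            alerts.append(("Possible virus Mailing", src, dst))
        outbound = (ipaddress.ip_address(src) in HOME_NET
                    and ipaddress.ip_address(dst) not in HOME_NET)
        if outbound and dport == 25:
            for ext in bad_attachments(payload):
                alerts.append(("VIRUS OUTBOUND bad file attachment", src, ext))
    return alerts


# Constructed MIME fragments standing in for reassembled SMTP payloads.
MSG_PDF = (
    "Content-Type: application/pdf; name=\"report.pdf\"\r\n"
    "Content-Disposition: attachment; filename=\"report.pdf\"\r\n\r\n"
)
MSG_EXE = (
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"invoice.exe\"\r\n\r\n"
)
MSG_DOUBLE_EXT = "Content-Disposition: attachment; filename=readme.txt.scr\r\n\r\n"
# RFC 2231 parameter form: the rule only knows "filename=", so this evades it.
MSG_RFC2231 = "Content-Disposition: attachment; filename*=utf-8''payload.exe\r\n\r\n"

SAMPLE_FLOWS = [
    ("10.0.0.25", "198.51.100.10", 25, MSG_PDF),         # relay, clean attachment
    ("10.0.0.77", "203.0.113.5", 25, MSG_PDF),           # workstation mailing out directly
    ("10.0.0.25", "198.51.100.10", 25, MSG_EXE),         # relay carrying an .exe
    ("10.0.0.25", "198.51.100.10", 25, MSG_DOUBLE_EXT),  # last extension is what counts
    ("10.0.0.25", "198.51.100.10", 25, MSG_RFC2231),     # evades sid 721
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
```

Running it yields three alerts: the workstation talking SMTP directly, the .exe, and the .scr behind a double extension; the clean PDF and the RFC 2231 encoded name produce nothing. That last gap, together with base64-encoded or zipped attachments the regex cannot see at all, is why the discussion below leaves real file scanning to the mail gateway and host antivirus.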
Discussion
Officially, the www.snort.org ruleset carries only the previous rule (sid 721) for virus detection. The Snort team is more concerned with other threats to the network, and there is little point in duplicating this work in an IDS: email gateway virus scanners operate at the speed and scale of the mail stream, and workstation and server antivirus products go further, sweeping running memory as well as files on disk. A Snort rule sees only what a regular expression can match in a reassembled stream; it cannot unpack archives, decode encoded attachments, or identify a sample by signature. Treat these rules as a policy check that tells you a host is mailing when it should not be, not as a substitute for antivirus.
See Also
http://www.clamav.com (ClamAV, open-source antivirus software)
Chapter 7