Detecting Viruses

Problem

How can I use Snort to detect viruses, Trojans, and worms?

Solution

One way to detect viruses is to use the following rule from 3.x Rules. This will detect when a box has been infected with a virus that spreads via a new email server.

alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"Possible virus Mailing";flags:A+;classtype:policy-violation;sid:11111; rev:1;)

Another rule that helps detect when email messages come through your mail server with "bad" attachments would be this one from the 2.2.0 ruleset. This rule detects 25 attachment types at once!

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content- Disposition|3A|"; nocase; pcre:"/filenames*=s*.*?.(?=[abcdehijlmnoprsvwx]) (a(d[ep]|s[dfx])|c ([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s [ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m [dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[x27x22 s]/iR "; classtype:suspicious-filename-detect; sid:721; rev:8;)

Discussion

Officially, the www.snort.org ruleset carries the previous rule only for detecting viruses. This is because they are more worried about other threats to a network. The other consideration is that there's no need to detect this type of traffic given the speed and scale of such devices as email gateway virus scanners, and also workstation and server antivirus products that even sweep running memory.

See Also

http://www.clamav.com open-source antivirus software

Chapter 7