Snort Virus Hunter
Results 1 to 3 of 3

Thread: Snort Virus Hunter

  1. #1
    Junior Member
    Join Date
    Feb 2004
    Posts
    2

    Snort Virus Hunter

    Hello, all! Just wanted to tell everyone about a project I've been working on as well as seek a little help from the public. I've been trying to tweak a system that uses snort to find infected machines on our network. Currently we have 3 Snort machines monitoring various segments of our network. Things seem to be working well. The biggest problem is creating rules that can help track various viruses. Does anyone have any tricks regarding rule writing? Anyone have rules that are effective in finding infected machines? Any help would be appreciated!

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Ive posted these and probably more before so you could search this site
    but these ones are good for viruses

    alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Novarg(1)"; content: "JmpvZT9u";reference: url, http://www.cert.org/incident_notes/I...html;priority: 1; classtype: A suspicious filename has been detected; ruleset: Novag Rules; )

    alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Novarg(2)"; content: "am9lP25l";reference: url, http://www.cert.org/incident_notes/I...html;priority: 1; classtype: A suspicious filename has been detected; ruleset: Novag Rules; )

    alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Novarg(3)"; content: "b2U";content: "bmVv";reference: url, http://www.cert.org/incident_notes/I...html;priority: 1; classtype: A suspicious filename has been detected; ruleset: Novag Rules; )

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Novarg(non-MIME)"; content: "|26 6a 6f 65 3f 6e 65 6f 2f|";content: "|6f 6c 64|";reference: url, http://www.cert.org/incident_notes/I...tml;classtype: A Network Trojan has been detected; ruleset: Novag Rules; )

    alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"UPX File in Email(1)"; content: "VVBY";priority: 1; classtype: Executable code has been detected; ruleset: Novag Rules; )

    alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"UPX File in Email(2)"; content: "WDAA";priority: 1; classtype: Executable code has been detected; ruleset: Novag Rules; )

    alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"UPX File in Email(3)"; content: "UFgw";classtype: A Network Trojan has been detected; ruleset: Novag Rules; )
    That which does not kill me makes me stronger -- Friedrich Nietzche

  3. #3
    Junior Member
    Join Date
    Feb 2004
    Posts
    2

    Thx!

    Thank you so much for the rules. I actually have searched the board and grabbed as many rules as I could find, but more rules are welcome. Especially for sdbot. That bug sends out a ping storm that drives our core router nuts!

    Regarding the Novarg rules you posted, when I issue the snort -c /etc/snort/snort.conf, it complains when it gets to those rules. I guess it doesn't like the classtype and ruleset. I deleted the classtypes and rulesets for the time being. Do you know why snort would be unhappy with those?

    Thanks again!!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •