March 23rd, 2004, 03:06 PM
Nice Snort Rule.......
Everyone who has used Snort knows that keeping up with the virus rules poses two problems. The first is that during a new virus onslaught it often takes days to come up with a viable signature by which time your really don't need to be warned every time a virus is inbound because you have already mitigated in some other way. The second is the sheer volume of changes that need to be made.
Some kind, not to mention smart, soul out there came up with a rule that detects the file name if the extension is potentially harmful. I see a couple of advantages here. Firstly, it's one rule.... That's it.... no list as long as your arm. Secondly, it doesn't rely upon a specific signature for an individual virus so you can see your activity really easily. Lastly, it's nice to have a log of any potentially dangerous file type that entered your network in case something bad happens.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:6;)
That is the original rule as written and published..... Since my systems don't allow outbound SMTP I really don't need to worry about my network infecting others so I altered the rule and placed it on my external sensor so it "trips" on every inbound attachment regardless of whether the firewall, content scanner or AV scanner will remove it later so I can see if it works correctly. My alteration is the direction:-
alert tcp $EXTERNAL_NET any -> $HOME_NET 25
so that I see inbound rather than outbound. It certainly is setting off a lot of alerts with this placement and I will move it to the internal gateway sensor when I am happy it works at which point it will nicely inform me of any file of harmful type that has suceeded in entering my network.
If it makes me really "warm and fuzzy" I might alter the rule to try to pick up on ftp and http downloads too....... I need to dig into the PCRE stuff at some point.... might as well be now
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides