
Re: [Snort-sigs] writing signatures from isolated viruses

From: pieter claassen <pieter(at)countersnipe.com>
Date: Thu Mar 25 2004 - 18:26:30 EST

Find sections that stay the same and that you can use to create a signature.

Don't worry about mime encoding the file, just sniff the wire and look for things that stay the same during a mail exchange of the offending piece of mail. Use Ethereal or something.

Watch out that the signature doesn't match itself (code a bit of the content in binary).

You can look into using IPS to drop the packets that match. However, be careful with SMTP's reaction to dropped packets; reject might be more suitable. Even better if you can get your mailer to drop matches (Exim can do this).

Pieter

On Thu, 2004-03-25 at 23:06, Cory Hollingsworth wrote:
> I'm still relatively new to Snort, so I am uncertain if this is possible. At my place of work we use Interscan Virus Wall on an SMTP gateway to filter out viruses. However we tend to become infected often before pattern files are available from Trend.
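As an added example (not part of the thread), the approach Pieter describes, worked through in Python: take several captures of the same mail, keep only the bytes that stay the same across them, and emit them as a Snort hex content match so the rule text never contains the raw bytes and cannot match itself. The SMTP payloads, the attachment bytes and the sid are constructed for the example; `$SMTP_SERVERS` is the standard Snort variable.

```python
# Constructed sample SMTP DATA payloads (not real captures): same attachment,
# different senders, subjects and MIME boundaries.
ATTACHMENT = b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLES = [
    b"From: a@example.com\r\nSubject: hi\r\n\r\n--b1\r\n"
    b"Content-Type: application/octet-stream; name=\"doc.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n" + ATTACHMENT + b"\r\n--b1--\r\n",
    b"From: x@example.org\r\nSubject: re: stuff\r\n\r\n--zz9\r\n"
    b"Content-Type: application/octet-stream; name=\"doc.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n" + ATTACHMENT + b"\r\n--zz9--\r\n",
    b"From: q@example.net\r\nSubject: (none)\r\n\r\n--_7f_\r\n"
    b"Content-Type: application/octet-stream; name=\"doc.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n" + ATTACHMENT + b"\r\n--_7f_--\r\n",
]

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """O(len(a)*len(b)) dynamic programme with a rolling row."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def invariant_section(samples) -> bytes:
    """Fold pairwise: the result is a substring of every sample (the longest
    part of the first sample that survives all the others)."""
    common = samples[0]
    for s in samples[1:]:
        common = longest_common_substring(common, s)
    return common

def snort_hex(data: bytes) -> str:
    """Snort binary content syntax, e.g. |4D 5A| for b'MZ'."""
    return "|" + " ".join(f"{b:02X}" for b in data) + "|"

def build_rule(sid: int, msg: str, content: bytes) -> str:
    """Inbound-SMTP rule; the hex form keeps the raw bytes out of the rule text."""
    return (f'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"{msg}"; '
            f'flow:to_server,established; content:"{snort_hex(content)}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')

def rule_matches_itself(rule: str, content: bytes) -> bool:
    # True if the rule text, mailed over SMTP, would itself trigger the rule.
    return content in rule.encode()
```

In practice you would trim the invariant section to a short, distinctive slice (the attachment bytes rather than the boilerplate MIME headers) before shipping the rule, to keep the match cheap and avoid hitting every base64 attachment with the same filename.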


Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Thu Mar 25 18:59:36 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:39 EDT
