[Intrusions] Assessing Your Malware Exposure with Snort
Brian
bmc at snort.org
Thu Mar 10 17:46:41 GMT 2005
> I have written a few thousand Snort rules that are intended
> to detect successful HTTP communication with hosts known to
> be evil. They look for domain names in the Host string so
> they are not subject to evasion by changing IP addresses.
>
> If you would like to give them a try you can grab them from
> http://www.kgb.to/malware.html .
Interesting.
The meat of one of your rules is:
flow:established;
pcre:"/(Host\:)\s[a-zA-Z0-9.-]+(\.whenyousearch.com\r\n)/";
Your rules are going to be slow. Here are the few issues I see so
far:
* Your regular expression is matching when you don't need to, causing
pcre to do un-needed work.
* By not using content, you are not making use of the multi-pattern
match engine in Snort.
* Since all of the rules I looked at are looking for traffic going
towards the web server, you should limit your flow to
"to_server" as well.
My tweaked "for speed" meat of the rule version is:
flow:established,to_server; content:"whenyousearch.com"; nocase;
pcre:"/^Host\x3a\s*[a-z0-9\.-]+\.whenyousearch.com/smi";
Brian Caswell
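To make the three points above concrete, here is an added Python emulation (not part of the original post, and not Snort itself) of how the two rule versions would be evaluated. It re-expresses the quoted pcre and the tweaked rule with Python's re module (/s, /m, /i mapped to re.S, re.M, re.I; the literal "content; nocase" prefilter as a case-insensitive substring test; flow to_server as a direction flag) and counts how often the regex actually has to run over a small constructed set of HTTP requests and one response.

```python
import re

# Constructed sample traffic (to_server flag, payload); not real captures.
# Only the first two requests carry the bad domain in the Host header.
SAMPLE_PACKETS = [
    (True,  "GET /search?q=x HTTP/1.1\r\nHost: www.whenyousearch.com\r\nUser-Agent: ua\r\n\r\n"),
    (True,  "GET /ads HTTP/1.1\r\nHost: CDN.WHENYOUSEARCH.COM\r\nConnection: close\r\n\r\n"),
    (True,  "GET / HTTP/1.1\r\nHost: www.example.org\r\nReferer: http://whenyousearch.com/\r\n\r\n"),
    (True,  "GET /img.png HTTP/1.1\r\nHost: static.example.net\r\n\r\n"),
    (True,  "POST /login HTTP/1.1\r\nHost: app.example.com\r\nContent-Length: 0\r\n\r\n"),
    # Server reply that mentions the domain in a link: flow is from the server.
    (False, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<a href=\"http://whenyousearch.com/\">x</a>"),
]

# Original rule: no content keyword, pcre evaluated on every established-flow packet.
ORIGINAL_PCRE = re.compile(r"(Host\:)\s[a-zA-Z0-9.-]+(\.whenyousearch.com\r\n)")

# Tweaked rule: literal for the multi-pattern matcher, then an anchored,
# case-insensitive pcre that runs only when the literal was found.
FAST_PATTERN = "whenyousearch.com"                     # content:"..."; nocase;
TWEAKED_PCRE = re.compile(r"^Host\x3a\s*[a-z0-9\.-]+\.whenyousearch.com",
                          re.S | re.M | re.I)          # /smi


def run_original(packets):
    """Emulate the original rule; returns (alerts, pcre_evaluations)."""
    alerts, pcre_runs = 0, 0
    for _to_server, payload in packets:     # flow:established; both directions
        pcre_runs += 1                       # regex runs on every packet
        if ORIGINAL_PCRE.search(payload):
            alerts += 1
    return alerts, pcre_runs


def run_tweaked(packets):
    """Emulate the tweaked rule; returns (alerts, pcre_evaluations)."""
    alerts, pcre_runs = 0, 0
    for to_server, payload in packets:
        if not to_server:                    # flow:established,to_server;
            continue
        if FAST_PATTERN not in payload.lower():
            continue                         # fast-pattern miss: pcre never runs
        pcre_runs += 1
        if TWEAKED_PCRE.search(payload):     # anchored check confirms it is the Host header
            alerts += 1
    return alerts, pcre_runs


if __name__ == "__main__":
    print("original:", run_original(SAMPLE_PACKETS))   # (1, 6)
    print("tweaked: ", run_tweaked(SAMPLE_PACKETS))    # (2, 3)
```

The original version runs the regex on all six packets and, being case-sensitive, misses the upper-case Host value; the tweaked version runs it three times (the Referer-only request passes the literal prefilter but is rejected by the anchored pcre) and catches both real hits.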