[unisog] Bleeding Snort rules

Eric Peters epeters at pcthome.com
Thu Aug 26 18:26:16 GMT 2004



Will Metcalf has put together a ClamAV preprocessor module for Snort, to
alert on network traffic containing a virus signature: 

http://sourceforge.net/mailarchive/forum.php?thread_id=5338848&forum_id=7142

I have been using it for a couple of weeks and it works pretty darn well.

Cheers,
Eric





-----Original Message-----
From: Anderson Johnston [mailto:andy at umbc.edu] 
Sent: Thursday, August 26, 2004 10:43 AM
To: unisog at sans.org
Subject: [unisog] Bleeding Snort rules


We're putting together an active response NIDS based on Snort for our
residential network.  An alert on any rule will trigger a block on a
user's authentication until they contact us.  We're trying to isolate
rules with a very low chance of false positives - mainly obvious
indications of known virus/worm infection and/or clearly hostile activity
from the user's system.


Does anyone have experience with the virus/worm rules at
http://www.bleedingsnort.com/bleeding.rules?  In particular, are the rules
like:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype:misc-activity; sid:2001057; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype:misc-activity; sid:2001056; rev:1;)


pretty reliable?


							Thanks,
							- Andy

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *                                **
** IT Security                            * PGP key:(afj2002) 4096/8448B056  **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A  **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56  **
------------------------------------------------------------------------------
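The two Sasser rules quoted above are exact byte-sequence matches, which is what makes them candidates for a low-false-positive block list. As an added example (not code from this thread, from Snort, or from Bleeding Snort), here is a small Python matcher that parses the msg/content/sid options of those two rules and runs constructed payloads through them. The payloads, the helper names and the simplified matching semantics (no offset/depth/distance/within, no flow or port checks) are assumptions of this example.

```python
"""Minimal Snort content-rule matcher: added example, not code from the thread or
from Snort/Bleeding Snort. It parses the msg/content/sid options of the two
Sasser rules quoted above and tests constructed payloads against them."""
import re
from typing import Dict, List

# The two Sasser rules quoted in Andy's message, each on one line as Snort
# requires. Everything else in this file is constructed for the example.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype:misc-activity; sid:2001057; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype:misc-activity; sid:2001056; rev:1;)
'''

QUOTED = r'"((?:[^"\\]|\\.)*)"'   # a Snort double-quoted option value


def content_to_bytes(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes: text outside |...| is
    literal (a backslash escapes the next character), text inside |...| is
    space-separated hex."""
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def parse_rules(text: str) -> List[Dict]:
    """Extract sid, msg and the content patterns from each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msg = re.search(r"msg:\s*" + QUOTED, line)
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        # content:"..." must be present; content:!"..." must be absent
        pos, neg = [], []
        for negate, spec in re.findall(r"content:\s*(!?)\s*" + QUOTED, line):
            (neg if negate else pos).append(content_to_bytes(spec))
        if not (msg and sid and pos):
            raise ValueError("unsupported rule: " + line[:60])
        rules.append({"sid": int(sid.group(1)), "msg": msg.group(1),
                      "contents": pos, "negated": neg})
    return rules


def matching_sids(payload: bytes, rules: List[Dict]) -> List[int]:
    """SIDs of rules whose content patterns all occur in the payload and whose
    negated patterns do not. Offset/depth/distance/within modifiers, flow
    state and the protocol/port header are deliberately ignored here."""
    return [r["sid"] for r in rules
            if all(p in payload for p in r["contents"])
            and not any(p in payload for p in r["negated"])]


PARSED = parse_rules(RULES)

# Constructed payloads: one carrying the Sasser.worm.a byte sequence inside
# filler, one ordinary HTTP request that should never match.
SAMPLE_INFECTED = b"\x90" * 40 + PARSED[0]["contents"][0] + b"\x90" * 40
SAMPLE_BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.edu\r\n\r\n"

if __name__ == "__main__":
    cases = [(SAMPLE_INFECTED, "infected"), (SAMPLE_BENIGN, "benign"),
             (RULES.encode(), "rule text")]
    for payload, label in cases:
        print(f"{label:10s}: {matching_sids(payload, PARSED) or 'no match'}")
```

Two things the run makes visible: a 32-byte exact sequence is very unlikely to appear in unrelated traffic by chance, which is the property Andy is asking about; and the rule matches raw bytes, not their hex spelling, so the rule file itself (or this e-mail) crossing the wire does not trigger it. The remaining false-positive risk with any content rule is a legitimate file that genuinely contains the sequence, such as antivirus signature updates, which is worth checking against the block-on-alert policy before deployment.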