Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] bleedingmalware sigs and severity

from [Matt Jonkman] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] bleedingmalware sigs and severity
Date: Mon, 27 Sep 2004 22:21:01 -0500
David is correct, we will be putting priorities into all of the bleeding sigs, starting with the malware set. David has graciously volunteered to do the research to get them all prioritized. (Most of the bleeding admins don't use an analysis tool that pays attention to priorities, so we hadn't required them)

So going forward, if you post a rule try to prioritize it, or give us some idea of what the issue is so we can set one.

Thanks

Matt

David Glosser wrote: 
I activated the bleeding malware malware rules and discovered, to no one's
surprise,  that
some of my users were "infested". However, almost alll of the bleeding
malware rules
fall under the classification "trojan activity", which is the highest
severity.

I agree that cool web search and other nasties belong in the severity
classification. However, other "less destructive" malwares, such as weather
bug, also, by default, belong to that classification.

I did some googling to find out how Snort classifies and prioritizes rules
and found (duh!)
that the snort manual was the best resource. I actually read the manual and
found
that  Snort allows priority tags of 1-10 but the classification.config file
actually uses priority levels
classifications of 1-4 ( 1= most severe; 4=least severe, not actually used).
Therefore,
the worst stuff ends up priority 1 and "informational" stuff as priority 3.

I emailed Matt off-list, asking him if he would consider adding a "priority"
tag
to the bleeding malware rules, which would lower the priority for some of
the malware alerts
(for example, weatherbug to 2).  This would allow admins to target the
really nasty
malwares (and other attacks) first, then move onto the "less
destructive"ones.

We considered other alternatives, such as adding a
"bleeding-classification.config"
file but were concerned with breaking snort front-ends and reporting
programs,
and therefore believe that adding a priority tag would make the most sense.

The following is what we agreed on. Please email us with comments/questions:

-Please use a priority tag when submitting a new bleeding-malware rule.
Please
use a default level of  "2" if  the malware does not meet the "cool web
search" standard.
If a new rule does not contain an explicit priority tag, Matt will add the
default level of "2".
[Sorry to give you more work, Matt ;) ]

-All existing malware rules will be assigned an explicity priority tag, with
"2"  as the default.
I will be going through the bleeding malware rules and will try to correlate
them
with  objective  rating attempts (Pest Patrol, Symantec) which rate malware
in terms of destructiveness,
difficulty to remove,  or "crud" level  (number of registry entries). We
agreed that the worst offenders
(such as CWS)  should be given a priority tag of 1 and the rest will stay at
2.

-Please email me if you believe a malware rule or group of rules should be
given a priority of "1".

Again, comments are appreciated.

Thanks in advance
David Glosser
david_glosser@yahoo.com

PS In closing, I want to thank Matt  for his hard work in hosting and
administering the bleedingsnort sigs.




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, matt
Next by Date:  [Snort-sigs] GDI Sig, Matt Jonkman
Previous by Thread:  [Snort-sigs] bleedingmalware sigs and severity, David Glosser
Next by Thread:  Re: [Snort-sigs] bleedingmalware sigs and severity, Burak DAYIOGLU
Indexes:  [Date] [Thread] [Top] [All Lists]