Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] bleedingmalware sigs and severity

from [Alex Butcher, ISC/ISYS] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] bleedingmalware sigs and severity
Date: Thu, 30 Sep 2004 15:50:16 +0100


--On 27 September 2004 21:53 -0400 David Glosser <david_glosser@yahoo.com> wrote:

almost alll of the bleeding malware rules fall under the classification
"trojan activity", which is the highest severity.

I agree that cool web search and other nasties belong in the severity
classification. However, other "less destructive" malwares, such as
weather bug, also, by default, belong to that classification.


[snip]

We considered other alternatives, such as adding a
"bleeding-classification.config"
file but were concerned with breaking snort front-ends and reporting
programs,
and therefore believe that adding a priority tag would make the most
sense.

I can confirm that ACID is fine with new classifications. I use the following custom classifications locally:

config classification: malware-activity,Possible malware was detected,2
config classification: chat-protocol,Use of a chat protcol was detected,2
config classification: p2p-protocol,Use of a Peer-to-Peer protocol was detected,2
config classification: warez,Possible use of warez site was detected,2
config classification: webmail-application-activity,Use of a webmail application was detected,2
config classification: virus-code,Possible virus code was detected,1
config classification: multimedia-download,Possible download of multimedia content was detected,2
config classification: netbios-protocol-activity,NetBIOS activity was detected,2
config classification: netbios-attack,Possible attack on NetBIOS was detected,1

I then use oinkmaster's 'modifysid' function to re-classify some rules automatically, based on their 'msg' tag:

modifysid * "([mM][aA][lL][wW][aA][rR][eE].*)classtype:([^;]*);(.*)" | "$1classtype:malware-activity;$3"
modifysid * "([sS][pP][yY][wW][aA][rR][eE].*)classtype:([^;]*);(.*)" | "$1classtype:malware-activity;$3"
modifysid * "([pP]2[pP].*)classtype:([^;]*);(.*)" | "$1classtype:p2p-protocol;$3"
modifysid * "([cC][hH][aA][tT].*)classtype:([^;]*);(.*)" | "$1classtype:chat-protocol;$3"
modifysid * "([wA][rR][eE][zZ].*)classtype:([^;]*);(.*)" | "$1classtype:warez;$3"
modifysid * "([hH][oO][tT][mM][aA][iI][lL].*)classtype:([^;]*);(.*)" | "$1classtype:webmail-application-activity;$3"
modifysid * "([yY][aA][hH][oO][oO].*[mM][aA][iI][lL].*)classtype:([^;]*);(.*)" | "$1classtype:webmail-application-activity;$3"
modifysid * "([aA][oO][lL].*[mM][aA][iI][lL].*)classtype:([^;]*);(.*)" | "$1classtype:webmail-application-activity;$3"
modifysid * "([vV][iI][rR][uU][sS].*)classtype:([^;]*);(.*)" | "$1classtype:virus-code;$3"
modifysid * "([mM][uU][lL][tT][iI][mM][eE][dD][iI][aA].*)classtype:([^;]*);(.*)" | "$1classtype:multimedia-download;$3"
modifysid * "(msg:\"[nN][eE][tT][bB][iI][oO][sS].*[aA][cC][cC][eE][sS][sS].*)classtype:([^;]*);(.*)" | "$1classtype:netbios-protocol-activity;$3"
modifysid * "(msg:\"[nN][eE][tT][bB][iI][oO][sS].*[aA][tT][tT][eE][mM][pP][tT].*)classtype:([^;]*);(.*)" | "$1classtype:netbios-attack;$3"
modifysid * "(msg:\"[nN][eE][tT][bB][iI][oO][sS].*nimda.*)classtype:([^;]*);(.*)" | "$1classtype:netbios-attack;$3"

The following is what we agreed on. Please email us with
comments/questions:

-Please use a priority tag when submitting a new bleeding-malware rule.
Please
use a default level of  "2" if  the malware does not meet the "cool web
search" standard.
If a new rule does not contain an explicit priority tag, Matt will add the
default level of "2".
[Sorry to give you more work, Matt ;) ]

-All existing malware rules will be assigned an explicity priority tag,
with "2"  as the default.

Explicit priority tags would be a minor PITA - I'd need to write some oinkmaster rules to remove them. I respectfully suggest that you investigate further if any frontends/analy1sis tools break if they encounter custom classifications. Regardless, my opinion is that if they do, they need to be fixed anyway.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Help Me, Javier Guamán
Next by Date:  [Snort-sigs] Possible Falsy, Goodson, Jacob
Previous by Thread:  Re: [Snort-sigs] bleedingmalware sigs and severity, Matt Jonkman
Next by Thread:  [Snort-sigs] bleedingmalware sigs and severity, Caracal GH
Indexes:  [Date] [Thread] [Top] [All Lists]