[Tfug] Snort and detecting Network Worms
Brian Murphy
murphy+tfug at email.arizona.edu
Thu Jul 29 17:11:30 MST 2004
Quoting elemint at theriver.com:
> What is the best way to have snort detect network worms, I know this
> depends on the virus, and then once detected send an email stating that.
Like virus detection, snort needs to have a signature for the worm in
question.
> Is the only method to create a custom rule depending on the virus or
> does snort have some rules built in that will detect some network worms
> or all?
Snort does have some worm detection in the out-of-the-box rules. The
best way to stay current is to use something like oinkmaster in a cron
job to grab daily ruleset updates from http://www.snort.org/dl/rules.
Use "grep -i keyword *" in your ruleset directory to help find what
you're looking for. Note that a lot of worm alerts have been moved to
the deleted.rules file.
> For example if you have a firewall and want to detect when a network
> worm is active on one side of the firewall is snort the way to do it?
Yes, snort can do that. In a comprehensive setup, one would use a snort
sensor on each side of the firewall to get a picture of what you are
being hit with and what is coming thru the firewall. The key is to be
mindful of where snort sits in the network to make sure it sees the
traffic that you're trying to detect.
Brian
The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
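The "grep -i keyword *" search and the deleted.rules caveat from the reply, worked through as an added example that is not part of the original post. The ruleset directory, the two rule files and the rules themselves are constructed samples with local-range placeholder sids, not real Snort signatures; the oinkmaster cron line in the comment assumes the script lives at /usr/local/bin/oinkmaster.pl and that the live rules sit in /etc/snort/rules.

```shell
#!/bin/sh
# Added example: search a Snort ruleset directory for worm-related rules the way
# the reply suggests, but skip comment lines and report separately on hits that
# come from deleted.rules, which Snort does not load by default.
#
# To keep the ruleset current, a cron entry such as the following (paths are
# assumptions) pulls the daily update from snort.org via oinkmaster:
#   0 3 * * * /usr/local/bin/oinkmaster.pl -o /etc/snort/rules

# Populate $1 with a tiny constructed ruleset (not real signatures).
make_sample_ruleset() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/local.rules" <<'EOF'
# constructed sample: an active rule that mentions a worm in its message
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL sample WORM propagation attempt"; flow:to_server,established; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL sample web scanner"; sid:1000002; rev:1;)
EOF
    cat > "$dir/deleted.rules" <<'EOF'
# constructed sample: a retired worm signature, kept for reference but not loaded
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL old Worm signature (deleted)"; sid:1000003; rev:1;)
EOF
}

# Case-insensitive search across every file in the ruleset directory ($1) for
# keyword $2. grep prefixes each hit with "file:", so the second grep drops
# lines whose rule text starts with "#" (comments and disabled rules).
find_rules() {
    grep -i "$2" "$1"/* | grep -v '^[^:]*:[[:space:]]*#'
}

# Number of matching rules in all files, deleted.rules included.
count_rules() {
    find_rules "$1" "$2" | wc -l | tr -d ' '
}

# Number of matching rules Snort would actually load, i.e. excluding deleted.rules.
count_active_rules() {
    find_rules "$1" "$2" | grep -v '/deleted\.rules:' | wc -l | tr -d ' '
}

# Usage (illustrative): sh find_worm_rules.sh /etc/snort/rules worm
if [ $# -eq 2 ]; then
    find_rules "$1" "$2"
    echo "active rules matching '$2': $(count_active_rules "$1" "$2") of $(count_rules "$1" "$2")"
fi
```

Running it against the constructed directory reports two rules matching "worm" but only one that Snort loads; the gap between those two numbers is exactly the deleted.rules caveat in the reply, and it is worth checking before assuming a worm alert is still live.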