Wednesday, March 22, 2006

virus and worms detection

Javier says:

First things first, Snort is an Intrusion Detection System, so it's more targeted towards finding attacks in the network targeted against internal systems. However, Snort does provide rules for common virus signatures (transmitted through e-mail, by inspecting the SMTP traffic) and worms (by detecting their activity on the network). Notice, however, that if you want to detect new worms you should not rely on the Snort rules provided in the current stable release, as they are quite out of date. You can download updated rules from snort.org. You might want to update it too using a backported package of a newer version than the one in stable [1].

A separate method for detecting worms in your network is to probe the systems you manage using a vulnerability assessment tool. You can use Nessus for that (provided in Debian). Again, make sure that you use an updated version (not the one from stable; backports are available [2]).

Nessus provides some plugins to test for installed backdoors, trojans and known worms. However, a Nessus scan is quite intrusive (it might even kill some systems), so you should approach that possibility with care. You can update your Nessus server with new attack plugins using 'nessus-update-plugins'.

A third way to do what you propose (detect trojans, worms, etc.) is to do statistical analysis of the traffic generated by your clients and the amount of traffic (bandwidth usage). That kind of analysis can enable you to nail down some nasty clients. Sometimes you need to go down to the physical level (i.e. to the switches, to obtain port statistics) since some worms might be doing TCP/IP spoofing (IIRC Slammer did this). In order to do statistical analysis it is usually good to keep up with Internet trends, something you can do by visiting the "Internet Storm Center" [3]. Some traffic (like constant outgoing traffic to port 135 against random or consecutive IP addresses) is usually indicative of a worm spreading. Again, tools to do this include ntop, iptraf, darkstat (for statistical analysis) and ethereal, tcpdump, sniff, ettercap, nwatch and sniffit (amongst others).

Finally, since many of the viruses nowadays are mass-mailing, it might be worth analysing the amount of outbound e-mail sent by internal clients. Even if you do not add an antivirus tool to your outgoing SMTP relay server (some AV mail-server tools have already been commented on in the replies you got), analysis of the amount of traffic might be sufficient to pinpoint virus activity. There are a number of tools to generate that data, based on what you use as input (firewall logs, mail server logs...).

Hmmm... I've rambled for enough time... Happy hunting! :-)

Javier

[1] The maintainer provided backports for 2.0.1-3 which are available at http://people.debian.org/~ssmeenk/snort-stable-i386/ (I've tested those). I also made a backport (2.0.6-1) which I have tested also and can be retrieved from http://people.debian.org/~jfs/snort/. Finally, you can find packages for 2.1.0 (I don't have experience with these) at http://www.backports.org/debian/dists/stable/snort/binary-i386/

[2] Official backports available at http://people.debian.org/~jfs/nessus

[3] http://isc.incidents.org/
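The port-135 fan-out pattern Javier describes (one client hitting many random or consecutive addresses) can be checked over connection records; this is an added example, not part of the quoted post. It reads constructed sample flows in a made-up "src dst dport" format and flags sources contacting at least `threshold` distinct hosts on TCP/135, noting whether the targets form a consecutive run.

```python
"""Flag hosts whose outbound TCP/135 traffic fans out to many distinct
destinations, the worm-spreading pattern described in the post.
Flow records below are constructed sample data, not from a real network."""
from collections import defaultdict
import ipaddress

# Constructed sample flows, one connection attempt per line: "src dst dport"
SAMPLE_FLOWS = """\
10.0.0.5 10.0.1.1 135
10.0.0.5 10.0.1.2 135
10.0.0.5 10.0.1.3 135
10.0.0.5 10.0.1.4 135
10.0.0.5 10.0.1.5 135
10.0.0.7 10.0.0.20 135
10.0.0.7 10.0.0.20 445
10.0.0.9 192.0.2.10 80
10.0.0.9 198.51.100.7 135
10.0.0.9 203.0.113.3 135
"""


def parse_flows(text):
    """Parse the hypothetical 'src dst dport' format into tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        src, dst, dport = parts
        flows.append((src, dst, int(dport)))
    return flows


def is_consecutive(dests):
    """True when the destination addresses form an unbroken ascending run."""
    ints = sorted(int(ipaddress.IPv4Address(d)) for d in dests)
    return all(b - a == 1 for a, b in zip(ints, ints[1:]))


def find_port135_scanners(flows, threshold=4):
    """Return {src: (distinct_dest_count, consecutive_run)} for every source
    that contacted at least `threshold` distinct hosts on TCP/135."""
    dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 135:
            dests[src].add(dst)
    return {src: (len(d), is_consecutive(d))
            for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    print(find_port135_scanners(parse_flows(SAMPLE_FLOWS)))
```

The threshold is a tuning knob: legitimate RPC clients talk to a handful of servers, while a spreading worm's distinct-destination count keeps climbing.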
great explanation for me!
