IDS: Re: Writing signatures for e-mail virus attachments

From: lucien Fransman <lucien.fransman_at_irc2.nl>
Date: Mon, 6 Feb 2006 21:20:08 +0100

On Friday 03 February 2006 05:38, c_sek_har_at_yahoo.co.in wrote:
> Hi,
>
> How can I write a signature for a virus which is coming as an
> attachment? The attachment may be done by using base64 or binhex encoding.
> Shall I have to create a signature for each type?
>
> Has anybody implemented the idea of decoding the attachment (IDS) and
> then parsing the file to look for some pattern?

snip

Some snort preprocessors work this way. There is a CPU/memory penalty, however.
If you want to create something very quick, I would use a packet dump of the
traffic, create the appropriate rules, and then worry about refining them by
doing a decode of the message and creating signatures based on the decoded
message.

--
Lucien Fransman
irC2
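An added illustration of the two approaches discussed in this thread (not code from the list or from any Snort preprocessor): matching an encoded signature against the raw base64 stream, which only hits when the pattern happens to sit on a 3-byte boundary, versus decoding each MIME part first and matching the decoded bytes. The byte pattern, the test message and the file name are constructed; quoted-printable stands in for binhex as the second transfer encoding, since the Python standard library no longer ships a binhex encoder.

```python
import base64
import email
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for a virus byte pattern (placeholder, not real malware);
# 24 bytes long, so base64 needs no padding and only alignment matters.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER!"

# Transfer encodings the constructed test message can use (quoted-printable
# substitutes for binhex, which is not available in the stdlib).
ENCODERS = {"base64": encoders.encode_base64,
            "quoted-printable": encoders.encode_quopri}


def raw_stream_hit(payload: bytes, pattern: bytes) -> bool:
    """Naive approach: look for base64(pattern) in the encoded stream.
    Succeeds only when the pattern starts on a 3-byte boundary of the payload,
    so one pattern needs three base64 rules (plus one per other encoding)."""
    return base64.b64encode(pattern) in base64.b64encode(payload)


def build_message(attachment: bytes, encoding: str) -> bytes:
    """Constructed test e-mail with one attachment in the given encoding."""
    msg = MIMEMultipart()
    msg["Subject"] = "test"
    msg.attach(MIMEText("see attachment"))
    part = MIMEApplication(attachment, _encoder=ENCODERS[encoding])
    part.add_header("Content-Disposition", "attachment", filename="file.bin")
    msg.attach(part)
    return msg.as_bytes()


def scan_message(raw: bytes, pattern: bytes) -> list:
    """Decode-then-match, as a preprocessor would: walk the MIME parts, undo
    each part's transfer encoding and search the decoded bytes. Returns
    (filename, content-transfer-encoding) for every part holding the pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if pattern in data:
            hits.append((part.get_filename(), str(part.get("Content-Transfer-Encoding"))))
    return hits


if __name__ == "__main__":
    for shift in range(3):
        payload = bytes(shift) + SIGNATURE  # shift null bytes ahead of the pattern
        print("offset", shift, "raw-stream hit:", raw_stream_hit(payload, SIGNATURE))
    for enc in ENCODERS:
        print(enc, scan_message(build_message(b"\x00" + SIGNATURE, enc), SIGNATURE))
```

Only offset 0 hits on the raw stream, while the decoded scan finds the attachment under both encodings, which is the trade-off the reply describes: one rule after decoding versus a family of rules on the encoded bytes.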
Received on Feb 07 2006