IDS
mailing list archives
Re: Writing signatures for e-mail virus attachments
From: lucien Fransman <lucien.fransman () irc2 nl>
Date: Mon, 6 Feb 2006 21:20:08 +0100
On Friday 03 February 2006 05:38, c_sek_har () yahoo co in wrote:
Hi,
How can I write a signature for a virus which is coming as an
attachment? The attachment may be encoded using base64 or binhex encoding.
Shall I have to create a signature for each type?
Has anybody implemented the idea of decoding the attachment (in the IDS) and
then parsing the file to look for some pattern?
snip
Some Snort preprocessors work this way. There is a CPU/memory penalty, however.
If you want to create something very quickly, I would use a packet dump of the
traffic, create the appropriate rules, and then worry about refining them by
decoding the message and creating signatures based on the decoded
message.
--
Lucien Fransman
irC2
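An added example (not code from the thread) of the base64 problem the question raises, in Python: a byte pattern has three different base64 spellings depending on where it falls in the 3-byte groups, so a rule written from one packet dump matches one alignment only, while decoding first (the refinement step Lucien suggests) needs a single signature. The pattern bytes (the start of a DOS/PE executable header) and the message bodies are constructed for the example.

```python
import base64
import re

# Constructed stand-in for the bytes a signature would look for: the first 16
# bytes of a DOS/PE executable header, which every .exe attachment starts with.
# A real rule would use bytes specific to the sample being detected.
PATTERN = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def base64_phase_patterns(pattern):
    """Return the three base64 text fragments the pattern can appear as.
    base64 maps 3 bytes to 4 characters, so the text form depends on where the
    pattern starts relative to the 3-byte groups. For each alignment keep only
    the characters whose 6 bits all come from the pattern; the others depend on
    the unknown neighbouring bytes."""
    phases = []
    for shift in range(3):
        encoded = base64.b64encode(b"\x00" * shift + pattern).decode("ascii")
        first = (4 * shift + 2) // 3              # ceil(8*shift / 6)
        last = (4 * (shift + len(pattern))) // 3  # floor(8*(shift+len) / 6)
        phases.append(encoded[first:last])
    return phases


def _flatten(body):
    # MIME wraps base64 at 76 columns; a match on the raw lines would miss a
    # fragment that straddles a line break, so strip all whitespace first.
    return re.sub(r"\s+", "", body)


def naive_match(body, pattern):
    """One signature built from base64(pattern): hits only one alignment."""
    return base64_phase_patterns(pattern)[0] in _flatten(body)


def match_encoded(body, pattern):
    """Three-variant signature on the raw text: hits every alignment."""
    flat = _flatten(body)
    return any(frag in flat for frag in base64_phase_patterns(pattern))


def match_decoded(body, pattern):
    """Decode first, then search: one signature, no alignment cases."""
    try:
        data = base64.b64decode(_flatten(body), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return pattern in data


def make_body(shift):
    """Constructed MIME-style body with the pattern at a given alignment."""
    payload = b"\x7f" * shift + PATTERN + b"rest of the attachment"
    return base64.encodebytes(payload).decode("ascii")
```

Running `naive_match`, `match_encoded` and `match_decoded` over `make_body(0)`, `make_body(1)` and `make_body(2)` shows the single-variant rule hitting only the first body while the other two checks hit all three.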