
Re: debian and viruses ...

On Wed, May 19, 2004 at 09:19:46PM +0200, Marcin wrote:
> Hello,
> I am trying to find a solution for finding viruses in my LAN networks.
> I am administrator of an ISP router (generally Debian of course), and in
> the LAN there is a little "storm" of viruses, trojans, spammers, etc. "shits" ...

Good luck, some of those might be a little tricky to find.

> Is any possible method to find them ?

All of them? Probably the best thing is to install anti-virus tools on the
clients, effectively cleaning them of virii (maybe even reinstalling them).
However, from your description of your job (you are managing the
network, right?) you probably can't do it.

> Any debian tools ?
> I was thinking about snort - is it possible to configure it to detect
> this traffic? Are there examples anywhere (or ready databases) of
> virus signatures, rules, etc.?

Ok. First things first, Snort is an Intrusion Detection System, so it's
more targeted towards finding attacks in the network targeted against
internal systems. However, Snort does provide rules for common virus
signatures (transmitted through e-mail, by inspecting the SMTP traffic) and
worms (by detecting their activity on the network). Notice, however, that
if you want to detect new worms you should not rely on the Snort rules
provided in the current stable release, as they are quite out of date. You
can download updated rules from snort.org. You might want to update it too
using a backported package of a newer version than the one in stable [1].

A separate method for detecting worms in your network is to probe the
systems you manage using a vulnerability assessment tool. You can use
Nessus for that (provided in Debian). Again, make sure that you use an
updated version (not the one from stable, backports are available [2]).
Nessus provides some plugins to test for installed backdoors, trojans and 
known worms. However, a Nessus scan is quite intrusive (it might even kill 
some systems) so you should approach that possibility with care. You can 
update your Nessus server with new attack plugins using 

A third way to do what you propose (detect trojans, worms, etc.) is to do
statistical analysis of the traffic generated by your clients and the
amount of traffic (bandwidth usage). That kind of analysis can enable you to
nail down some nasty clients. Sometimes you need to go down to the physical
level (i.e. to the switches to obtain port statistics) since some worms
might be doing TCP/IP spoofing (IIRC Slammer did this). In order to do
statistical analysis it is usually good to keep up with Internet trends,
something you can do by visiting the "Internet Storm Center" [3]. Some traffic
(like constant outgoing traffic to port 135 against random or consecutive
IP addresses) is usually indicative of a worm spreading. Again, tools to
do this include ntop, iptraf, darkstat (for statistical analysis) and
ethereal, tcpdump, sniff, ettercap, nwatch and sniffit (amongst others).

Finally, since many of the viruses nowadays are mass-mailing, it might be
worth analysing the amount of outbound e-mail sent by internal clients.
Even if you do not add an antivirus tool to your outgoing SMTP relay server
(some AV mail-server tools have already been commented on in the replies you
got) analysis of the amount of traffic might be sufficient to pin-point
virus activity. There are a number of tools to generate that data, based on
what you use as input (firewall logs, mail server logs...).

Hmmm... I've rambled for enough time... Happy hunting! :-)


[1] The maintainer provided backports for 2.0.1-3 which are available at
http://people.debian.org/~ssmeenk/snort-stable-i386/ (I've tested those). I
also made a backport (2.0.6-1) which I have also tested and can be retrieved
from http://people.debian.org/~jfs/snort/ Finally, you can find packages
for 2.1.0 (I don't have experience with these) at

[2] Official backports available at 

[3] http://isc.incidents.org/
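The two traffic heuristics from the reply above (many distinct targets on tcp/135 from one LAN host, and many direct outbound SMTP peers from one host) as an added example that is not part of the original thread. It assumes netfilter-style LOG lines from the router's firewall; the sample lines below are constructed, and the thresholds are arbitrary starting points to tune per network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed netfilter LOG lines (not from the original thread); in practice
# the input would be the router's own firewall log of LAN -> Internet traffic.
LOG_FMT = ("May 19 21:20:01 gw kernel: IN=eth1 OUT=eth0 SRC={src} DST={dst} "
           "PROTO=TCP SPT=1034 DPT={dpt}")
SAMPLE_LOG = "\n".join(
    [LOG_FMT.format(src="10.0.0.5", dst=f"203.0.113.{i}", dpt=135) for i in range(1, 7)]
    + [LOG_FMT.format(src="10.0.0.9", dst=f"198.51.100.{i}", dpt=25) for i in (3, 17, 42, 80)]
    + [LOG_FMT.format(src="10.0.0.7", dst="192.0.2.10", dpt=80),
       LOG_FMT.format(src="10.0.0.7", dst="192.0.2.11", dpt=135)]
)

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*DPT=(\d+)")


def is_sequential(addrs):
    """True if the destination set is a consecutive sweep (a.b.c.1, .2, .3 ...)."""
    nums = sorted(int(ipaddress.ip_address(a)) for a in addrs)
    return len(nums) > 1 and nums[-1] - nums[0] == len(nums) - 1


def find_suspects(log_text, scan_port=135, scan_min=5, smtp_min=3):
    """Map each internal source to the reasons it looks worm-like.

    Two heuristics from the thread: many distinct targets on one port
    (tcp/135 here) and many distinct direct SMTP peers (mass-mailer).
    """
    by_port = defaultdict(lambda: defaultdict(set))  # port -> src -> {dst}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, dpt = m.group(1), m.group(2), int(m.group(3))
            by_port[dpt][src].add(dst)
    suspects = defaultdict(list)
    for src, dsts in by_port[scan_port].items():
        if len(dsts) >= scan_min:
            kind = "sequential" if is_sequential(dsts) else "random"
            suspects[src].append(f"{len(dsts)} targets on tcp/{scan_port} ({kind} sweep)")
    for src, dsts in by_port[25].items():
        if len(dsts) >= smtp_min:
            suspects[src].append(f"direct SMTP to {len(dsts)} distinct hosts")
    return dict(suspects)


if __name__ == "__main__":
    for src, reasons in find_suspects(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Hosts that legitimately talk to many SMTP peers (your own relay) should be whitelisted before trusting the second heuristic.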
