
Re: debian and viruses ...



Hello,

I have partially solved this with snort rules. But I have problems with
automatically updating this database.

> libclamav1 - Virus scanner library
> libclamav1-dev - Clam Antivirus library development files
> libfile-scan-perl - Perl lib to scan files for viruses
> f-prot-installer - F-Prot(tm) Antivirus installer package

hmm, can any of them sniff and scan network traffic on a router [debian]?
(in this LAN there isn't any mail server)
If I think correctly, those are support for mail servers only, aren't they?

> sorry I don't use an antivirus ...
> if you have windows PC probably it is best to install firewall on each
> PC and enable only few programs to go in/out ... or better install
> Debian on all this PCs

One and two are completely impossible.
I am an ISP administrator and haven't access to each computer.
On the computers in the LAN there are "normal" people - private persons - not
workers of my "company".
I was thinking about a tool which can work as a network sniffer or sth like
that - which can analyze traffic going through the router and look for
virus, trojan, etc. signatures.
I think that snort is able to do this, but I can't find any databases
of virus signatures - so I am not sure that it is possible.

I already found some examples:
detect if somebody is sending VBS in mails:
alert tcp any 110 -> any any (msg:"Virus - Mail .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase; sid:793; classtype:misc-activity; rev:3;)

detect Jolt attack:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; fragbits: M; dsize:408; classtype:attempted-dos; sid:268; rev:1;)

teardrop:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242; fragbits:M; reference:cve,CAN-1999-0015; reference:url,www.cert.org/advisories/CA-1997-28.html; reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;)


Those are attacks etc., but I want to get an updatable database of
viruses.
e.g. sasser:
The first signature detects the sasser ftp command on its backdoor port (9996):
alert tcp $HOME_NET any -> any 9996 ( msg:"Sasser ftp script to transfer up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000000; rev:3;)
The second signature will trigger on the actual ftp download on port 5554:
alert tcp any any -> $HOME_NET 5554 ( msg:"Sasser binary transfer get up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000001; rev:1;)


or:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; classtype:misc-activity;rev:1;)


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; classtype:misc-activity;rev:1;)


Is there any site (program) which can automatically update the database
and find new viruses, attacks etc.?
It must be free (now).

--
Regards,
Martin.
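
Added example, not part of the original message: hand-collected rules like the ones quoted above have to be parsed and checked before they can sit alongside an automatically updated rule set, since a rule without a sid or with a reused sid cannot be tracked across updates. The function names (parse_rule, decode_content, contents, lint) are hypothetical; the sketch also decodes each content pattern so you can see what a rule actually matches.

```python
import re

# Three of the Sasser rules from the message above, each joined onto one line.
RULES = [
    'alert tcp $HOME_NET any -> any 9996 ( msg:"Sasser ftp script to transfer up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000000; rev:3;)',
    'alert tcp any any -> $HOME_NET 5554 ( msg:"Sasser binary transfer get up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; classtype:misc-activity;rev:1;)',
]

# One option: keyword, then optionally ':' and a quoted or bare value, then ';'.
OPTION = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(rule):
    """Split a rule into its header and an ordered list of (option, value)."""
    header, _, body = rule.partition("(")
    body = body[:body.rindex(")")]  # drop the closing paren of the option list
    opts = [(k, v.strip().strip('"')) for k, v in OPTION.findall(body)]
    return header.strip(), opts

def decode_content(value):
    """Turn Snort content syntax (text mixed with |hex| runs) into bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        # Odd-numbered pieces sit between pipes and are hex; the rest is text.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def contents(rule):
    """Decoded byte patterns of every content option in a rule."""
    return [decode_content(v) for k, v in parse_rule(rule)[1] if k == "content"]

def lint(rules):
    """Return (rule number, problem) for rules with a missing or reused sid."""
    seen, problems = {}, []
    for n, rule in enumerate(rules, 1):
        sids = [v for k, v in parse_rule(rule)[1] if k == "sid"]
        if not sids:
            problems.append((n, "no sid"))
        elif sids[0] in seen:
            problems.append((n, f"sid {sids[0]} already used by rule {seen[sids[0]]}"))
        else:
            seen[sids[0]] = n
    return problems

if __name__ == "__main__":
    for rule in RULES:
        print(parse_rule(rule)[0], contents(rule))
    print(lint(RULES))
```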


