
debian and viruses ...


Marcin
May 19, 2004, 3:20:09 PM

Hello,

I am trying to find a solution for finding viruses in my LAN networks.
I am the administrator of an ISP router (generally Debian, of course), and in
the LAN there is a little "storm" of viruses, trojans, spammers, etc. "shits" ...

Is there any possible method to find them?
Any Debian tools?

I was thinking about snort - is it possible to configure it to detect
this traffic? Are there any examples (or ready databases) of
virus signatures, rules, etc. anywhere?

--
Regards,
Martin.


--
To UNSUBSCRIBE, email to debian-secu...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Phillip Hofmeister
May 19, 2004, 3:30:18 PM

On Wed, 19 May 2004 at 03:19:46PM -0400, Marcin wrote:
> Hello,

Greetings!

> I am trying to find a solution for finding viruses in my LAN networks.
> I am the administrator of an ISP router (generally Debian, of course), and in
> the LAN there is a little "storm" of viruses, trojans, spammers, etc. "shits" ...
>
> Is there any possible method to find them?
> Any Debian tools?
>
> I was thinking about snort - is it possible to configure it to detect
> this traffic? Are there any examples (or ready databases) of
> virus signatures, rules, etc. anywhere?

A few tools:

Spam:
bogofilter
spamassassin

Virus:
amavisd-new and clamav (or your favorite supported antivirus software,
clam just happens to be O/S and free...)

HTH,

- --
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import

Davide Prina
May 19, 2004, 3:40:08 PM

Marcin wrote:

> Hello,
>
> I am trying to find a solution for finding viruses in my LAN networks.
> I am the administrator of an ISP router (generally Debian, of course), and in
> the LAN there is a little "storm" of viruses, trojans, spammers, etc. "shits" ...
>
> Is there any possible method to find them?
> Any Debian tools?
>
> I was thinking about snort - is it possible to configure it to detect
> this traffic? Are there any examples (or ready databases) of
> virus signatures, rules, etc. anywhere?
>
> --
> Regards,
> Martin.
>
>

have you tried: "# apt-cache search virus"?

Ciao
Davide
--
Linux User: 302090: http://counter.li.org
Recommended products:
Operating system: Debian: http://www.it.debian.org
Office tools: OpenOffice.org: http://it.openoffice.org
Database: PostgreSQL: http://www.postgres.org
Browser: FireFox: http://texturizer.net/firefox
Mail client: Thunderbird: http://texturizer.net/thunderbird
Encyclopedia: wikipedia: http://it.wikipedia.org
--
I do not authorize anyone who uses Outlook to store my e-mail address:
I don't want to be flooded with spam


Marcin
May 19, 2004, 4:40:13 PM

Hello,

> have you tried: "# apt-cache search virus"?

yes, of course.

$ apt-cache search virus
gnome-xbill - Fight the infection.
mailscanner - An email virus scanner and spam tagger.
renattach - Rename attachments on the fly.
sanitizer - The Anomy Mail Sanitizer - an email virus scanner
xbill - Get rid of those Wingdows Viruses!
amavis-postfix - Interface between MTA and virus scanner.

all of them are for the same case - spam, virus etc. filtering on a mail server.
But the LAN with viruses looks only like this:

LAN (lots of strange people)------------[router,NAT,firewall,squid]-------my provider.
(who do not understand what a trojan or virus is,
using Windows XP and others ...)

The mail server of course has spamassassin, amavis, fprot, header and body
checks and many, many other things.
The problem is only in the topology "picture" above.
That's why it is such a big problem.

> bogofilter
> spamassassin

The same. All of them are for a mail server.

--
Regards,
Marcin.

Davide Prina
May 19, 2004, 5:50:11 PM

Marcin wrote:

> Hello,
>
>
>>have you tried: "# apt-cache search virus"?
>
>
> yes, of course.
>
> $ apt-cache search virus
> gnome-xbill - Fight the infection.
> mailscanner - An email virus scanner and spam tagger.
> renattach - Rename attachments on the fly.
> sanitizer - The Anomy Mail Sanitizer - an email virus scanner
> xbill - Get rid of those Wingdows Viruses!
> amavis-postfix - Interface between MTA and virus scanner.
>
> all of them are for the same case - spam, virus etc. filtering on a mail server.
> But the LAN with viruses looks only like this:

but I have also:

libclamav1 - Virus scanner library
libclamav1-dev - Clam Antivirus library development files
libfile-scan-perl - Perl lib to scan files for viruses
f-prot-installer - F-Prot(tm) Antivirus installer package

sorry, I don't use an antivirus ...
if you have Windows PCs it is probably best to install a firewall on each
PC and enable only a few programs to go in/out ... or better, install
Debian on all these PCs

Ciao
Davide

> LAN (lots of strange people)------------[router,NAT,firewall,squid]-------my provider.
> (who do not understand what a trojan or virus is,
> using Windows XP and others ...)
>
> The mail server of course has spamassassin, amavis, fprot, header and body
> checks and many, many other things.
> The problem is only in the topology "picture" above.
> That's why it is such a big problem.
>
>
>>bogofilter
>>spamassassin
>
>
> The same. All of them are for a mail server.
>
> --
> Regards,
> Marcin.
>
>



Javier Fernández-Sanguino Peña
May 19, 2004, 7:10:04 PM

On Wed, May 19, 2004 at 09:19:46PM +0200, Marcin wrote:
>
> Hello,
>
> I am trying to find a solution for finding viruses in my LAN networks.
> I am the administrator of an ISP router (generally Debian, of course), and in
> the LAN there is a little "storm" of viruses, trojans, spammers, etc. "shits" ...

Good luck, some of those might be a little tricky to find.

> Is there any possible method to find them?

All of them? Probably the best thing is to install anti-virus tools on the
clients, effectively cleaning them of virii (maybe even reinstalling them).
However, from your description of your job (you are managing the
network, right?) you can't probably do it.

> Any Debian tools?
>
> I was thinking about snort - is it possible to configure it to detect
> this traffic? Are there any examples (or ready databases) of
> virus signatures, rules, etc. anywhere?

Ok. First things first, Snort is an Intrusion Detection System, so it's
more targeted towards finding attacks in the network targeted against
internal systems. However, Snort does provide rules for common virus
signatures (transmitted through e-mail, by inspecting the SMTP traffic) and
worms (by detecting their activity on the network). Notice, however, that
if you want to detect new worms you should not rely on the Snort rules
provided in the current stable release, as they are quite out of date. You
can download updated rules from snort.org. You might want to update it too,
using a backported package of a newer version than the one in stable [1].

A separate method for detecting worms in your network is to probe the
systems you manage using a vulnerability assessment tool. You can use
Nessus for that (provided in Debian). Again, make sure that you use an
updated version (not the one from stable, backports are available [2]).
Nessus provides some plugins to test for installed backdoors, trojans and
known worms. However, a Nessus scan is quite intrusive (it might even kill
some systems) so you should approach that possibility with care. You can
update your Nessus server with new attack plugins using
'nessus-update-plugins'.

A third way to do what you propose (detect trojans, worms, etc.) is to do
statistical analysis of the traffic generated by your clients and the
amount of traffic (bandwidth usage). That kind of analysis can enable you to
nail down some nasty clients. Sometimes you need to go down to the physical
level (i.e. to the switches to obtain port statistics) since some worms
might be doing TCP/IP spoofing (IIRC Slammer did this). In order to do
statistical analysis it is usually good to keep up with Internet trends,
something you can do by visiting the "Internet Storm Center" [3]. Some traffic
(like constant outgoing traffic to port 135 against random or consecutive
IP addresses) is usually indicative of a worm spreading. Again, tools to
do this include ntop, iptraf, darkstat (for statistical analysis) and
ethereal, tcpdump, sniff, ettercap, nwatch and sniffit (amongst others).

Finally, since many of the viruses nowadays are mass-mailing, it might be
worth analysing the amount of outbound e-mail sent by internal clients.
Even if you do not add an antivirus tool to your outgoing SMTP relay server
(some av mail-server tools have already been commented on in the replies you
got), analysis of the amount of traffic might be sufficient to pinpoint
virus activity. There are a number of tools to generate that data, based on
what you use as input (firewall logs, mail server logs...).

Hmmm... I've rambled for enough time... Happy hunting! :-)

Javier


[1] The maintainer provided backports for 2.0.1-3 which are available at
http://people.debian.org/~ssmeenk/snort-stable-i386/ (I've tested those). I
also made a backport (2.0.6-1) which I have tested also and can be retrieved
from http://people.debian.org/~jfs/snort/ Finally, you can find packages
for 2.1.0 (I don't have experience with these) at
http://www.backports.org/debian/dists/stable/snort/binary-i386/

[2] Official backports available at
http://people.debian.org/~jfs/nessus

[3] http://isc.incidents.org/
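The statistical approach described above (outbound port-135 fan-out against consecutive addresses, and unusual outbound SMTP volume) worked through on constructed firewall log lines, as an added example that is not part of the original thread. It assumes the router logs outbound SYNs with the iptables LOG target in the usual netfilter format; the thresholds, hosts and addresses are made up.

```python
import re
import ipaddress
from collections import defaultdict

def _line(src, dst, dpt, spt):
    # Constructed iptables LOG line in netfilter's format (sample data, not a real capture)
    return ("May 19 21:00:01 router kernel: IN=eth1 OUT=eth0 SRC=%s DST=%s "
            "PROTO=TCP SPT=%d DPT=%d WINDOW=64240 SYN" % (src, dst, spt, dpt))

LOG_LINES = (
    # 10.0.0.17 walks consecutive addresses on port 135: the worm-spread pattern
    [_line("10.0.0.17", "198.51.100.%d" % i, 135, 1030 + i) for i in range(1, 41)]
    # 10.0.0.23 opens SMTP sessions to 60 unrelated hosts: a mass-mailer pattern
    + [_line("10.0.0.23", "203.0.113.%d" % (i * 7 % 250 + 1), 25, 2000 + i) for i in range(60)]
    # 10.0.0.5 makes a few ordinary web connections
    + [_line("10.0.0.5", "192.0.2.%d" % i, 80, 3000 + i) for i in (10, 44, 44, 91)]
)

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=\d+ DPT=(\d+) .*\bSYN\b")

def parse_syn_events(lines):
    """Yield (src, dst, dport) for every outbound TCP SYN the firewall logged."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def consecutive_ratio(addrs):
    """Fraction of the distinct destination addresses that directly follow the previous one."""
    nums = sorted(int(ipaddress.ip_address(a)) for a in set(addrs))
    if len(nums) < 2:
        return 0.0
    return sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1) / (len(nums) - 1)

def find_suspects(lines, scan_port=135, fanout=20, smtp_limit=30):
    """Map each suspicious internal source to a reason: a port-135 sweep or excess outbound SMTP."""
    dests = defaultdict(lambda: defaultdict(list))  # src -> dport -> [dst, ...]
    for src, dst, dport in parse_syn_events(lines):
        dests[src][dport].append(dst)
    suspects = {}
    for src, by_port in dests.items():
        targets = set(by_port.get(scan_port, []))
        smtp = by_port.get(25, [])
        if len(targets) >= fanout:
            suspects[src] = "port %d sweep: %d hosts, %.0f%% consecutive" % (
                scan_port, len(targets), 100 * consecutive_ratio(targets))
        elif len(smtp) >= smtp_limit:
            suspects[src] = "outbound SMTP: %d sessions to %d hosts" % (len(smtp), len(set(smtp)))
    return suspects
```

Run `find_suspects(LOG_LINES)` to get the two flagged hosts with their reasons; against real logs, feed in lines read from the kernel log and tune the thresholds to the LAN's normal traffic.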


Marcin
May 19, 2004, 7:10:07 PM

Hello,

I have partially solved this with snort rules. But I have problems with
automatically updating this database.

> libclamav1 - Virus scanner library
> libclamav1-dev - Clam Antivirus library development files
> libfile-scan-perl - Perl lib to scan files for viruses
> f-prot-installer - F-Prot(tm) Antivirus installer package

hmm, can any of them sniff and scan network traffic on the router [debian]?
(in this LAN there is no mail server at all)
If I think correctly, these are for mail server support only, aren't they?

> sorry I don't use an antivirus ...
> if you have windows PC probably it is best to install firewall on each
> PC and enable only few programs to go in/out ... or better install
> Debian on all this PCs

one and two are completely impossible.
I am an ISP administrator and haven't got access to each computer.
On the computers in the LAN there are "normal" people - private persons - not
workers of my "company".
I was thinking about a tool which can act as a network sniffer or something like
that - which can analyze traffic going through the router and look for
virus, trojan, etc. signatures.
I think that snort is able to do this, but I can't find any databases
of virus signatures - so I am not sure that it is possible.

I already found some examples:
detect if somebody is sending VBS in mails:
alert tcp any 110 -> any any (msg:"Virus - Mail .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase; sid:793; classtype:misc-activity; rev:3;)

detect Jolt attack:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; fragbits: M; dsize:408; classtype:attempted-dos; sid:268; rev:1;)

teardrop:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242; fragbits:M; reference:cve,CAN-1999-0015; reference:url,www.cert.org/advisories/CA-1997-28.html; reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;)


these are attacks etc., but I want to get an updatable database of
viruses.
e.g. sasser:
The first signature detects the Sasser ftp command on its backdoor port (9996):
alert tcp $HOME_NET any -> any 9996 ( msg:"Sasser ftp script to transfer up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000000; rev:3;)
The second signature will trigger on the actual ftp download on port 5554:
alert tcp any any -> $HOME_NET 5554 ( msg:"Sasser binary transfer get up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000001; rev:1;)


or:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; classtype:misc-activity;rev:1;)


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; classtype:misc-activity;rev:1;)


is there any site (program) which can automatically update the database
and find new viruses, attacks etc.?
It must be free (for now).

--
Regards,
Martin.

Marcin
May 19, 2004, 8:50:06 PM

Hello,

Lots and lots of thanks to all, and especially to:
Javier Fernández-Sanguino Peña <j...@computer.org>

That was all I wanted to understand :)
You made me realize much more than I expected :)
Thank you again for your time, patience and very good explanations :)

--
Cheers,
