On Friday 03 February 2006 05:38, [EMAIL PROTECTED] wrote:
> Hi
>
> How can I write a signature for a virus which is coming as an
> attachment? The attachment may be done by using base64 or binhex encoding.
> Shall I have to create signature for each type?
>
> Has anybody implemented the idea of decoding the attachment (IDS) and
> then parsing the file to look for some pattern?

snip

Some snort preprocessors work this way. There is a CPU/Memory penalty however.

If you want to create something very quick, I would use a packetdump of the
traffic, create the appropriate rules, and then worry about refining them by
doing a decode of the message and create signatures based on the decoded
message.

--
Lucien Fransman
irC2
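As an added illustration (not code from the thread or from Snort), the following Python script contrasts the two approaches discussed above: a signature written against the raw wire bytes of a base64 attachment, and the decode-then-match approach. The signature pattern and the MIME messages are constructed for the example; the same decoded pattern is placed at three different byte offsets so that each of base64's three alignment phases appears on the wire.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# Constructed byte pattern standing in for a file-level detection signature.
SIGNATURE = b"SAMPLE-TEST-PATTERN-7f3a"


def build_message(prefix_len: int) -> bytes:
    """Construct a mail with one base64 attachment whose decoded content holds
    SIGNATURE after `prefix_len` filler bytes. Shifting the prefix by one byte
    changes the base64 alignment, so the encoded text on the wire differs."""
    payload = b"A" * prefix_len + SIGNATURE + b"\n"
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    # Binary attachments are base64-encoded by the stdlib content manager.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


def raw_match(wire: bytes) -> bool:
    """Wire-level signature: look for the base64 encoding of SIGNATURE in the
    undecoded message. Only matches when the pattern happens to start on a
    3-byte boundary and is not split by a 76-column line break."""
    return base64.b64encode(SIGNATURE) in wire


def decoded_match(wire: bytes) -> bool:
    """Decode-then-match: parse the MIME structure, decode each attachment
    (base64 or any other transfer encoding) and search the decoded bytes."""
    msg = email.message_from_bytes(wire, policy=policy.default)
    for part in msg.iter_attachments():
        if SIGNATURE in part.get_payload(decode=True):
            return True
    return False


def compare(prefix_lens=(0, 1, 2)) -> list:
    """Run both detectors over one message per alignment phase and return
    (raw_match, decoded_match) pairs."""
    return [(raw_match(w), decoded_match(w))
            for w in map(build_message, prefix_lens)]


if __name__ == "__main__":
    for prefix, (raw, dec) in zip((0, 1, 2), compare()):
        print(f"offset {prefix}: raw={raw} decoded={dec}")
```

The raw rule fires on only one of the three messages, which is why a wire-level rule written from a packet dump needs refining against decoded content, at the CPU and memory cost of doing the decode.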
