Martin Overton, an expert malware analyst and malware/anti-malware consultant at IBM, wrote in an article involving IDS and Snort that “The use of an Intrusion Detection System (IDS) system can be extremely useful in cases of fast burning or very complex malware outbreaks as a stop-gap until the anti-virus vendors manage to get reliable updates out to their customers. An IDS is also useful in identifying infected systems in your organization that need remedial action before the ‘trickle’ of infections become a ‘torrent’ and you are left fighting to keep your head above the rising waters.” Overton believes that most people don’t realize that IDS systems can be used against malware, viruses, worms, and Trojans, etc., and that Snort can detect malware by using various signature creation techniques. He defines IDS as “A system that tries to identify attempts to hack or break into a computer system or to misuse it. IDS may monitor packets passing over the network, monitor system files, monitor log files, or set up deception systems to attempt to track hackers.”
In a previous educational brief we explored why Snort is considered the most successful and best-documented IDS engine on the market. To summarize, we discussed Snort’s scalability, its flexibility in running on various operating systems, and its ability to alert users to suspicious network activity through Snort signatures. Users can customize rule-sets as well as acquire signatures to detect the latest malware threats with the help of the vast Snort community. Snort can monitor inbound and outbound traffic and identify suspicious or malicious traffic, whether it has bypassed your firewall or originates from inside your network.
Using an IDS to Catch Malware
There are three essential reasons why organizations should use an NIDS to catch malware:
Malware has become a network-borne and network-enabled threat.
An NIDS such as Snort is an effective network-scanning tool.
SecurityWeek, in a recent article called “Sophisticated Malware is Crafted to Ensure it Remains Undetected by Antivirus Products”, reported that the problem with stopping malware attacks and their spread is that most enterprises are not prepared to deal with malware at the network level. “For years, anti-malware was seen as an end-point technology while an intrusion prevention system was seen as a network technology, and the two areas rarely overlapped. The simple truth is that the only way to be sure that we actually analyze all malware-related traffic is to perform full inspections of all traffic on all ports. Malware traffic often presents as unknown UDP or TCP since they often use their own custom protocols, which are then even wrapped in unknown encryption. By inspecting all traffic we can re-establish a baseline of what we expect to see in our networks, so that we can easily recognize and block suspicious traffic when it shows up.”
One of the important attacks that Snort detects is port scanning. Attackers commonly attempt to connect to other hosts and scan their ports as a precursor to other attacks. Using this technique, an attacker tries to identify which hosts exist on a network and whether a particular service is in use. Such services include email, telnet, file transfer, HTTP, and DNS. Since a port is the interface to each service on a computer, information for that service goes in and out of the computer through that port.
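As an added illustration (not Snort’s own code and not code from the original brief), the following Python sketch shows the core of what a port-scan detector looks for: one source address touching many distinct services on a host within a short time window. The flow records, addresses, window and threshold are all constructed for the demo; Snort’s sfportscan preprocessor does the same job with considerably more state (responses such as RSTs, decoy and distributed scans, sensitivity levels).

```python
"""Simplified port-scan heuristic over constructed flow records.

Added illustration, not Snort's own code: Snort's sfportscan preprocessor
tracks far more state than this. The idea shown is the one the text
describes: a single source touching many distinct services in a short window.
"""
from collections import defaultdict, deque

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto).
# 10.0.0.5 is ordinary client traffic; 192.0.2.44 sweeps eight services in under a second.
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "10.0.0.20", 25, "tcp"),
    (1.0, "10.0.0.5", "10.0.0.20", 80, "tcp"),
    (1.2, "192.0.2.44", "10.0.0.20", 21, "tcp"),
    (1.3, "192.0.2.44", "10.0.0.20", 22, "tcp"),
    (1.4, "192.0.2.44", "10.0.0.20", 23, "tcp"),
    (1.5, "192.0.2.44", "10.0.0.20", 25, "tcp"),
    (1.6, "192.0.2.44", "10.0.0.20", 53, "udp"),
    (1.7, "192.0.2.44", "10.0.0.20", 80, "tcp"),
    (1.8, "192.0.2.44", "10.0.0.20", 110, "tcp"),
    (1.9, "192.0.2.44", "10.0.0.20", 143, "tcp"),
    (60.0, "10.0.0.5", "10.0.0.20", 443, "tcp"),
]


class PortScanDetector:
    """Count distinct (dst_ip, dst_port, proto) targets per source inside a sliding window."""

    def __init__(self, window_s=10.0, port_threshold=8):
        self.window_s = window_s              # how far back a source's flows are remembered
        self.port_threshold = port_threshold  # distinct targets that trigger an alert
        self._history = defaultdict(deque)    # src_ip -> deque of (ts, dst_ip, dst_port, proto)
        self._alerted = set()                 # sources already reported, to avoid repeat alerts

    def observe(self, ts, src, dst, dport, proto):
        """Feed one flow record; return an alert dict when src crosses the threshold, else None."""
        hist = self._history[src]
        hist.append((ts, dst, dport, proto))
        # Drop records that have aged out of the window (records arrive in time order).
        while hist and ts - hist[0][0] > self.window_s:
            hist.popleft()
        distinct = {(d, p, pr) for _, d, p, pr in hist}
        if len(distinct) >= self.port_threshold and src not in self._alerted:
            self._alerted.add(src)
            return {
                "src": src,
                "distinct_targets": len(distinct),
                "first_ts": hist[0][0],
                "last_ts": ts,
                "ports": sorted(p for _, p, _ in distinct),
            }
        return None


def scan_flows(flows, window_s=10.0, port_threshold=8):
    """Run the detector over a list of flow records and collect the alerts it raises."""
    detector = PortScanDetector(window_s, port_threshold)
    alerts = []
    for flow in flows:
        alert = detector.observe(*flow)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(f"possible port scan from {alert['src']}: {alert['distinct_targets']} targets "
              f"between t={alert['first_ts']} and t={alert['last_ts']}, ports {alert['ports']}")
```

Run as a script it reports the sweep from 192.0.2.44 once; the ordinary client never reaches the threshold because its three connections are spread over a minute and fall out of the window. Tuning the window and threshold is the same trade-off sfportscan exposes through its sensitivity settings: a low threshold catches slow scans but also flags busy legitimate clients.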
Furthermore, according to the SecurityWeek article, “Today the network is integral to all parts of the malware lifecycle, from infections via drive-by-downloads, digging deeper into a compromised network, and the command-and-control traffic used to coordinate the malware and ultimately exfiltrate data. If you can take away the ability for malware to communicate, you can effectively take away much of its power.”
Utilizing an IDS offers better overall multi-defense coverage for a network than just relying on one or more virus scanning tools.
Faster response from a vast community
Many Snort signatures are created before anti-virus companies have detection capabilities for a newly emerging threat. Snort users can create new malware rules/signatures or apply existing ones.
Snort uses a flexible rule-based language to describe the traffic it should collect or pass, together with a modular detection system. Snort’s job is to listen to your TCP/IP network traffic and look for signatures in the data flow that might indicate a security threat to your network and your computer systems. Rules are configured to take an action, which ranges from passive responses (just logging the event or sending an email) to active responses (doing something to stop the malicious activity). Users can apply new or existing rule-sets provided by the Snort community as well as write and modify their own rules. Complex rules can be written to identify just about any type of traffic crossing the network and perform some action on it. With the support of the Snort community, Snort rules are continually reviewed, modified, and improved to detect new and evolving security threats. SC Magazine stated that the success of Snort is due to the fact that users in the open source security community worldwide can detect and respond to bugs and other security threats faster and more efficiently.
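To make the rule language concrete, here is an added Python example (not Snort’s code and not from the original brief) that parses a handful of rules written in Snort’s header/option syntax and applies them to constructed packets, showing the difference between the pass, alert and log actions. The network variables, the watched content string, the addresses and the packets are all made up for the demonstration, and the engine covers only a small subset of Snort’s options.

```python
"""Miniature Snort-style rule engine over constructed packets (added example, not Snort's code).
Covers the rule header (action, protocol, addresses, ports, direction) and the msg, content,
nocase and sid options, so pass/alert/log rules can be seen acting on sample traffic."""
import ipaddress
import re
from dataclasses import dataclass, field

VARS = {"$HOME_NET": "10.0.0.0/24", "$EXTERNAL_NET": "!10.0.0.0/24"}  # assumed snort.conf variables
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')  # one "key:value;" option


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    contents: list = field(default_factory=list)
    nocase: bool = False  # simplified: one flag for every content in the rule
    sid: int = 0


def parse_rule(text):
    """Parse one rule line into a Rule; unrecognised options such as rev are ignored."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    rule = Rule(**{k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")},
                direction=m.group("dir"))
    for opt in OPTION_RE.finditer(m.group("opts")):
        key, val = opt.group(1), (opt.group(2) or "").strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append(val)
        elif key == "nocase":
            rule.nocase = True
        elif key == "sid":
            rule.sid = int(val)
    return rule


def _addr_matches(spec, ip, variables):
    spec = variables.get(spec, spec)  # expand $HOME_NET-style variables
    if spec == "any":
        return True
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in network) != spec.startswith("!")  # '!' negates


def _header_matches(rule, pkt, variables):
    return (_addr_matches(rule.src, pkt["src"], variables) and rule.sport in ("any", str(pkt["sport"]))
            and _addr_matches(rule.dst, pkt["dst"], variables) and rule.dport in ("any", str(pkt["dport"])))


def rule_matches(rule, pkt, variables=VARS):
    """Header check (tried both ways for '<>'), then every content string must appear in the payload."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    ok = _header_matches(rule, pkt, variables)
    if not ok and rule.direction == "<>":
        flipped = dict(pkt, src=pkt["dst"], sport=pkt["dport"], dst=pkt["src"], dport=pkt["sport"])
        ok = _header_matches(rule, flipped, variables)
    if not ok:
        return False
    fold = str.lower if rule.nocase else str
    return all(fold(c) in fold(pkt["payload"]) for c in rule.contents)


def evaluate(rules, packets, variables=VARS):
    """Pass rules are checked first here and silence a packet (Snort's own order is set with
    'config order'); otherwise every matching alert and log rule fires. Returns (alerts, logged)."""
    by_action = {a: [r for r in rules if r.action == a] for a in ("pass", "alert", "log")}
    alerts, logged = [], []
    for i, pkt in enumerate(packets):
        if any(rule_matches(r, pkt, variables) for r in by_action["pass"]):
            continue
        alerts.extend((r.sid, r.msg, i) for r in by_action["alert"] if rule_matches(r, pkt, variables))
        logged.extend((r.sid, r.msg, i) for r in by_action["log"] if rule_matches(r, pkt, variables))
    return alerts, logged


# Constructed rules and packets: the content string and addresses are made up for the demo.
SAMPLE_RULES = [
    'pass tcp $HOME_NET any -> $HOME_NET 80 (msg:"Internal web scanner, ignore"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP request for a watched path"; '
    'content:"GET /example-c2-beacon"; nocase; sid:1000002; rev:1;)',
    'alert tcp any any <> $HOME_NET 23 (msg:"Telnet session on an internal host"; sid:1000003; rev:1;)',
    'log udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"Inbound DNS query"; sid:1000004; rev:1;)',
]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51234, "dst": "10.0.0.20", "dport": 80,
     "payload": "get /example-c2-beacon HTTP/1.1\r\n"},  # external, lower case: alert 1000002 via nocase
    {"proto": "tcp", "src": "10.0.0.9", "sport": 40000, "dst": "10.0.0.20", "dport": 80,
     "payload": "GET /example-c2-beacon HTTP/1.1\r\n"},  # internal source: silenced by the pass rule
    {"proto": "tcp", "src": "10.0.0.20", "sport": 23, "dst": "10.0.0.9", "dport": 52000,
     "payload": "login: "},                               # server-to-client side: '<>' still matches
    {"proto": "udp", "src": "198.51.100.7", "sport": 5353, "dst": "10.0.0.20", "dport": 53,
     "payload": "\x12\x34example"},                       # matches only the log rule
]
```

Calling `evaluate([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS)` yields two alerts (sids 1000002 and 1000003) and one logged packet (sid 1000004); the second packet is identical in content to the first but comes from an internal address, so the pass rule keeps it out of the alert log. That is the practical use of pass rules the text alludes to: suppressing known-benign traffic (an internal scanner, a backup job) without weakening the signature itself.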
Furthermore, in our educational brief “How IDS/IPS Rulesets Can Help Combat Malware,” we also explored the concept of IDS/IPS rulesets with a strong malware focus, specifically those from Emerging Threats. Emerging Threats is recognized around the world as an excellent source of rule sets for detecting and preventing malicious code, scans, malware, and suspicious network activity. Emerging Threats Pro was born out of demand from existing users of the Emerging Threats.net open source Snort-based rules who wanted a comprehensive, enterprise-grade IDS/IPS ruleset with a strong malware focus. Most providers issue a new ruleset once a week or once a month, but because Emerging Threats Pro takes in more than 50,000 malware samples a day and delivers 20-40 new signatures every day, it sees the need to issue a ruleset daily.
ET Pro rules are updated daily, so as soon as a threat appears a signature is in the console within hours.
For more information on Aanval’s Snort, Suricata, and Syslog Intrusion Detection, Correlation, and Threat Management, please contact (800) 921-2584 or email sales.group [at] tacticalflex.com.