
List:       intrusions
Subject:    RE: Snort rules?
From:       "James C. Slora, Jr." <Jim.Slora () phra ! com>
Date:       2002-06-06 17:26:42

Karl A. Krueger wrote:

>> Any Snort rules to detect the new Simile.D virus?
>Has anyone reported this "virus" in the wild?

No reports from the wild at all that I can find. It's a proof of concept or
"hype" virus so far. I agree it's not worth writing a rule until there is a
credible threat, because the rule probably won't catch whatever version
might eventually be wild.

> Maybe it's just that I haven't seen any credible explanation of an
> infection mechanism for "Linux files" [sic] for a virus propagating from
> a Windows host.

It's not really that much of a stretch. Infect a server, and you have your
path. File sharing programs provide a great way to spread over multiple
system types, regardless of the host OS. Warez and personal file servers
host win and lin files together. Web servers also can and do host any file
type. IRC clients can send files to lin or win systems.

A little social engineering could easily keep a vector of a hypothetical
worm going between OSs in addition to the fully automated vectors within
each OS.

My opinion, FWIW
- Jim

