Worm signature in snort&antivirus

___(¯`·.¸Fabrizio¸.·´¯)____

Hi,
I noticed a difference between the worm signatures used by antivirus and the worm
signatures used by Snort.

For example: the antivirus signature for sober.k is
8100000000646f635f646174612d746578742e7478742020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202e706966504b0506
while the sober.k signature used by Snort is "content":
UEsDBAoAAAAAAAAwVTKUjZv16MkAAOjJAABCAAAAZG9jX2RhdGEtdGV4dC50eHQgICAgICAgICAg
I wonder why there's such a difference.

Thank you,
Fabrizio
 
___(¯`·.¸Fabrizio¸.·´¯)____ said:
I noticed a difference between the worm signatures used by antivirus and
the worm signatures used by Snort. [...] I wonder why there's such a difference.

Do you think that the answers here will be substantially
different from those in a.c.v?

J
 
___(¯`·.¸Fabrizio¸.·´¯)____ said:
I noticed a difference between the worm signatures used by antivirus and
the worm signatures used by Snort. [...] I wonder why there's such a difference.

Although I have not given that much attention to AV software and its
signature detection methods, I have given attention to IDS software such as
Snort and BlackIce as to how they work. I would say that the analysis of
packets coming in over the network may be different from what is being done
to detect them using signature detection at the machine level.

http://www.securityfocus.com/infocus/1663

I would like to see the signature for sober.k in BlackIce but the desktop
version of BlackIce has the signatures buried in a dll. The BlackIce server
version and the ISS enterprise solutions using the BlackIce engine do have
the signature file that can be manipulated by the admin.

The signatures may be different between BlackIce and Snort too.

Duane :)
 
Well, that's what I don't understand: why different vendors use different
signatures.

Fabrizio
 
___(¯`·.¸Fabrizio¸.·´¯)____ said:
Well, that's what I don't understand: why different vendors use different
signatures.

they have different detection technology... different products look for
things in different ways, and that often necessitates using different
encoding or focusing on different identifying characteristics...

i couldn't tell an insect how to find my shoe because the way i
experience the world is entirely different from the way an insect
experiences it... different detection products also examine things in
sometimes profoundly different ways...
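The "different encoding" point can be seen directly in the two strings quoted at the top of the thread. The following is an added example, not code from the thread or from either vendor. It decodes the Snort "content" as base64 (the attachment as it is carried in the MIME body of the mail) and finds the ZIP local file header PK\x03\x04 at the start of the archive, with method 0 (stored), a 66-byte member name and a 51688-byte file; it decodes the antivirus hex as the raw bytes at the tail of the decoded file, where the same name (doc_data-text.txt padded with spaces to hide a .pif extension) is followed by the end-of-central-directory marker PK\x05\x06. The two signatures therefore describe one archive member, looked at from the wire and from the disk. Two things in the code are assumptions of the example, not facts from the thread: reading the single byte before the offset field as the top byte of the external-attributes field, and the benign lookalike archive built from the recovered metadata to show where each pattern lands.

```python
"""Decode the two Sober.K signatures quoted in the thread (added example)."""
import base64
import io
import struct
import zipfile

# Snort "content" copied from the thread: base64 text, i.e. the attachment
# exactly as it travels in the MIME body of the mail.
SNORT_CONTENT_B64 = (
    "UEsDBAoAAAAAAAAwVTKUjZv16MkAAOjJAABCAAAA"
    "ZG9jX2RhdGEtdGV4dC50eHQgICAgICAgICAg"
)

# Antivirus signature copied from the thread: hex of raw bytes in the decoded
# file.  The 45 padding spaces (0x20) are written as a repeat, not spelled out.
AV_SIG_HEX = (
    "8100000000"
    + "646f635f646174612d746578742e747874"
    + "20" * 45
    + "2e706966"
    + "504b0506"
)

# ZIP local file header: signature, version needed, flags, method, DOS time,
# DOS date, CRC-32, compressed size, uncompressed size, name len, extra len.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def dos_datetime(dostime, dosdate):
    """Unpack MS-DOS packed time/date fields (seconds are stored halved)."""
    return (1980 + (dosdate >> 9), (dosdate >> 5) & 0xF, dosdate & 0x1F,
            dostime >> 11, (dostime >> 5) & 0x3F, (dostime & 0x1F) * 2)


def parse_snort_content(b64):
    """The Snort content is base64: decode it and parse the ZIP local header."""
    raw = base64.b64decode(b64)
    (sig, version, flags, method, dostime, dosdate, crc,
     csize, usize, fnlen, extralen) = LOCAL_HEADER.unpack_from(raw, 0)
    if sig != b"PK\x03\x04":
        raise ValueError("Snort content does not start with a ZIP local header")
    return {
        "version_needed": version,
        "method": method,                      # 0 == stored, no compression
        "date_time": dos_datetime(dostime, dosdate),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "filename_length": fnlen,
        # Only the start of the name fits into the content string.
        "filename_prefix": raw[LOCAL_HEADER.size:],
    }


def parse_av_signature(hexstr):
    """The AV signature is raw bytes: a member name followed by the ZIP
    end-of-central-directory marker.  A name is followed by EOCD only in the
    last central-directory entry (a local header is followed by file data),
    so this pattern sits at the tail of the archive.  Just before the name
    sits the 4-byte local-header offset; the byte before that is read here as
    the top byte of the external-attributes field (assumption)."""
    raw = bytes.fromhex(hexstr)
    if raw[-4:] != b"PK\x05\x06":
        raise ValueError("AV signature does not end in the EOCD marker")
    (offset,) = struct.unpack_from("<I", raw, 1)
    return {"attr_high_byte": raw[0], "local_header_offset": offset,
            "filename": raw[5:-4]}


def same_member(av, snort):
    """Cross-check that both signatures describe one archive member."""
    prefix = snort["filename_prefix"]
    return (av["filename"].startswith(prefix)
            and snort["filename_length"] == len(av["filename"])
            and av["local_header_offset"] == 0)


def build_lookalike_archive(av, snort, payload):
    """Benign single-member ZIP built from the recovered metadata.  The member
    body is the constructed payload passed in, not the worm; the point is to
    show where each signature lands in one archive."""
    zinfo = zipfile.ZipInfo(av["filename"].decode("ascii"),
                            date_time=snort["date_time"])
    zinfo.compress_type = zipfile.ZIP_STORED          # method 0, as in the header
    zinfo.extract_version = snort["version_needed"]   # 10 == "1.0"
    zinfo.external_attr = 0o100644 << 16              # Unix -rw-r--r--: top byte 0x81
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zinfo, payload)
    return buf.getvalue()


def signatures_hit(archive):
    """AV pattern against the raw file, Snort pattern against its base64 form.
    The Snort match stops at the CRC field, which depends on the payload."""
    return {"av_raw": bytes.fromhex(AV_SIG_HEX) in archive,
            "snort_mime": base64.b64encode(archive).startswith(b"UEsDBAoAAAAAAAAw")}


if __name__ == "__main__":
    sn = parse_snort_content(SNORT_CONTENT_B64)
    av = parse_av_signature(AV_SIG_HEX)
    print("Snort header fields:", sn)
    print("AV tail pattern:", av)
    print("same member:", same_member(av, sn))
    archive = build_lookalike_archive(av, sn, b"constructed placeholder\n")
    print("signature hits on lookalike archive:", signatures_hit(archive))
```

Because a ZIP attachment always begins with the local file header, the first base64 line of the MIME body always begins "UEsDBA", which is why Snort can match the wire form with a fixed content string and never has to decode the attachment; the AV engine, working on the extracted file, is free to anchor on the central directory at the end instead.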
 
___(¯`·.¸Fabrizio¸.·´¯)____ said:
Well, that's what I don't understand: why different vendors use different
signatures.

Well, there is always the human element in the analysis, design and coding of a
program, and in what a particular program is designed to do by the specifications
given and implemented in a solution. Even though the program(s) may be
doing the same basic thing, it doesn't mean they are doing it in the same
manner or using the same data to accomplish the same tasks, as in the
example of three different IDS applications viewing the same attack using
signatures to view and detect the attack in the first link.

http://tinyurl.com/bgtuq

http://tinyurl.com/d62cf

You should do your homework and seek out the information yourself to help
in your understanding of things. Google and Dogpile.com are good tools to
accomplish it. The information is out there if you look for it.

Duane :)
 