Anti-Malware Tools: Intrusion Detection Systems

Martin Overton, from IBM in the UK, is back with another interesting malware paper. He's got an outline of how to use Snort to detect malware in transit on the wire.

When most people think of tools to combat malware, very few give a passing thought to Intrusion Detection Systems. Why?

Common reasons include:

  • They don’t realise that an IDS can be used against malware (viruses, Trojans, worms, etc.)
  • They are too difficult to set up, maintain and use.
  • They are too prone to false alarms.

This paper investigates the use of IDS systems specifically to detect, counter and block malware. It focuses on SNORT, a free IDS available for both UNIX and Windows.

This paper includes instructions and guidance on setting up such a system, numerous examples of rules suitable for detecting and blocking malware, tools that make sifting the logs easier and more palatable, and configuration and other utilities that may be useful in managing and maintaining SNORT.

An IDS can be extremely useful during fast-burning or very complex malware outbreaks as a stop-gap until the anti-virus vendors manage to get reliable updates out to their customers.

An IDS is also useful for identifying infected systems in your organisation that need remedial action before the ‘trickle’ of infections becomes a ‘torrent’ and you are left fighting to keep your head above the rising waters.
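To show the kind of rule the paper is about, here are two Snort 2.x rules added by the editor; they are not taken from Overton's paper. The EICAR string is the industry-standard harmless anti-virus test file, so the first rule only proves that Snort sees traffic your AV would have scanned. The sid numbers, the msg text and the use of $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS (the default snort.conf variables) are this example's own choices.

```snort
# Added example rules (not from Overton's paper). Snort 2.x rule syntax;
# $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the usual snort.conf variables,
# and sids from 1000000 upwards are reserved for locally written rules.

# 1. The EICAR anti-virus test string crossing the wire. It is the standard
#    harmless test file, so this is a safe way to confirm the sensor sees the
#    same traffic the anti-virus scanner would. The backslash inside the EICAR
#    string has to be escaped as \\ inside a content: match.
alert tcp any any -> $HOME_NET any (msg:"LOCAL EICAR test file in transit"; \
    flow:established; \
    content:"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"; \
    classtype:misc-activity; sid:1000001; rev:1;)

# 2. A Windows executable served to an internal host by an external web server.
#    "MZ" on its own is two bytes and would fire constantly, so the DOS-stub
#    text is required within 200 bytes of it. Legitimate software downloads
#    will still match: tune with threshold/suppress entries or narrow
#    $EXTERNAL_NET before treating every alert as an infection. The destination
#    address in each alert is the internal host that received the file, which is
#    what you need when hunting for infected machines.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Windows executable downloaded from external web server"; \
    flow:established,to_client; \
    content:"MZ"; content:"This program cannot be run in DOS mode"; distance:0; within:200; \
    classtype:trojan-activity; sid:1000002; rev:1;)
```

Put the rules in a local rules file included from snort.conf, then replay a capture through the sensor with `snort -c snort.conf -r capture.pcap` to check that the EICAR rule fires before trusting either rule on live traffic; the second rule in particular needs tuning against your own baseline of normal downloads before its alerts can be read as a list of infected hosts.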

This paper is based on the recent two-part article written for Virus Bulletin [October and November 2004] and parts of that article have been used with their permission.
