Network detection of malware in flight is proactive. By the time malware has infected an asset, whether PC or server, it requires some degree of remediation. Using Savvius filters allows identification of malware, including source and destination, making it possible to quickly and accurately understand the extent and severity of a security issue.

And with the rapid increase of malware on the internet and the damage it can do to enterprise networks and the business, IT administrators are looking for more proactive strategies for detecting malware. However, one of the challenges is that malware tends to evolve very quickly. The good news is that as quickly as new malware appears, it is usually found and analyzed, and followed up with a blog post about how to identify it. In many cases, the identification is implemented as a regular expression, and that is where the Savvius Omnipliance filters come in.

Savvius filters support regular expression pattern matching. These regex filter nodes, combined with the other types of DPI that Savvius filters can do, make it easy to create, copy, customize, and manage malware detection filters that can be run against existing trace files or enabled in real-time captures to detect malware and capture the matching packets. One of the advantages of using the filters in a real-time capture is that you can not only detect the malware, but save the packets as well.

Below is an example of a regular expression that identifies a potential Angler EK attack:

^http://(?!www)(?:[^\x2f]+\.[^\x2f]+\.[^\x2f]+)/[^\x3f]+/index\.php\?PHPSESSID=[A-Z0-9a-z\.]+&action=[0-9A-Za-z\.]+&?$

And here is what it looks like when packaged into a Savvius filter, and enabled in a capture:

[Screenshot: the Angler EK regular expression packaged into a Savvius filter and enabled in a capture]

In this example, we begin with a Protocol filter node, so that we only check further if the packet is identified as HTTP. This is important because we want to minimize false positives, and it improves the performance of the filter considerably. Performance is important, because we may be running many of these filters on every packet. We then add a Pattern filter node, set the pattern type to Regular Expression, enter the regular expression pattern into the text field, uncheck Match case (so the match is case-insensitive), and optionally provide the Start and End offsets, as shown in the screenshot of the opened filter below.

[Screenshot: the opened filter, showing the Protocol node (HTTP) followed by the Pattern node containing the regular expression]
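To show what the two-stage filter above actually does, here is an added Python example (not Savvius code, and not part of the original post). It mirrors the filter's structure: a protocol gate that only passes payloads that look like HTTP requests, followed by the Angler EK regular expression from the post applied case-insensitively, matching the unchecked Match case setting. The HTTP payloads are constructed for this example, and the way the absolute URL is rebuilt from the request line plus the Host header is an assumption made here so the `^http://` anchor in the regex has something to match against.

```python
import re

# The Angler EK URL pattern from the post, compiled case-insensitively
# to mirror the filter's unchecked "Match case" setting.
ANGLER_EK_URL = re.compile(
    r"^http://(?!www)(?:[^\x2f]+\.[^\x2f]+\.[^\x2f]+)/[^\x3f]+/index\.php\?"
    r"PHPSESSID=[A-Z0-9a-z\.]+&action=[0-9A-Za-z\.]+&?$",
    re.IGNORECASE,
)

# Minimal HTTP request-line and Host-header parsers (assumption: enough
# for this demonstration, not a full HTTP parser).
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)\r\n", re.IGNORECASE)


def reconstruct_url(payload: bytes):
    """Stage 1, the protocol gate: return an absolute URL only if the
    payload looks like an HTTP request, otherwise None so the costlier
    regex stage is never run on non-HTTP traffic."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    target = m.group(2).decode("ascii", "replace")
    if target.lower().startswith("http://"):
        return target  # proxy-style absolute request URI
    h = HOST_HEADER.search(payload)
    if not h:
        return None
    return "http://" + h.group(1).decode("ascii", "replace").strip() + target


def is_angler_ek_url(url: str) -> bool:
    """Stage 2, the pattern node: apply the regex to the rebuilt URL."""
    return ANGLER_EK_URL.match(url) is not None


def scan_payloads(payloads):
    """Run both stages over a list of packet payloads; return (index, url)
    for every payload that passes the gate and matches the pattern."""
    hits = []
    for idx, payload in enumerate(payloads):
        url = reconstruct_url(payload)
        if url is not None and is_angler_ek_url(url):
            hits.append((idx, url))
    return hits


# Constructed sample payloads (not captured traffic):
SAMPLE_PAYLOADS = [
    # 0: three-label host, path segment before index.php, both parameters -> hit
    b"GET /abc/xyz/index.php?PHPSESSID=abc123.def&action=q.w4 HTTP/1.1\r\n"
    b"Host: sub.example.test\r\n\r\n",
    # 1: host starts with "www" and index.php sits at the root -> no hit
    b"GET /index.php?PHPSESSID=abc&action=login HTTP/1.1\r\n"
    b"Host: www.example.test\r\n\r\n",
    # 2: TLS ClientHello-like bytes, stopped by the protocol gate
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    # 3: mixed case; matches only because the pattern is case-insensitive -> hit
    b"GET /x/Index.php?PhpSessId=AB12&Action=zz HTTP/1.0\r\n"
    b"Host: cdn.host.test\r\n\r\n",
    # 4: only two host labels, so the (?:...\.[^/]+\.[^/]+) group fails -> no hit
    b"GET /a/b/index.php?PHPSESSID=abc&action=def HTTP/1.1\r\n"
    b"Host: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for idx, url in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {idx}: potential Angler EK request {url}")
```

Payloads 0 and 3 are reported; the others are dropped either by the protocol gate or by the pattern itself. Running the gate first is the same trade-off the post describes: the regex is only evaluated on traffic that can possibly match, which both cuts false positives and keeps per-packet cost low when many such filters are active.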

As you can see, creating and editing filters with the visual filter editor is easy.  Filters can also be exported from one Omnipliance and shared with others.

At mypeek.savvius.com, we have a set of filters for detecting many different kinds of network activities, including some for security. These can be used as a starting point for making more security-related filters, like malware detection filters.

https://mypeek.wildpackets.com/view_solution.php?id=69

A good place to find the latest information on malware, along with regular expressions and patterns from which to build filters, is http://www.malwaresigs.com.

Let’s make the internet a safer place. If you have created any Savvius malware detection filters, please share them with everyone on LinkedIn and Twitter.