Snort mailing list archives
Re: Temporary "solution" to MyDoom worm
From: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Date: Wed, 28 Jan 2004 22:51:00 -0200
Hi (again),

My email client f****d up the rules I've sent. Sorry... These are the right ones:

var RESP_TCP_URG resp:rst_all

alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Error"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Status"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Server Report"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Transaction Failed"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Delivery System"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hello"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hi"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Test"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)

Once again... to make them work... it's necessary to compile the Snort with --enable-flexresp

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva () safenetworks com
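To see what these rules will and will not catch, here is an added Python checker (not part of the post and not Snort's own matcher) that rebuilds the eight rule lines, parses their content/nocase options and applies the same case-insensitive substring test to constructed SMTP DATA fragments. It makes visible that a pattern like "Subject: Hi" also fires on an ordinary subject beginning with "History", which matters when the rule resets the session with resp:rst_all.

```python
import re

# The eight subjects the post's rules look for, rebuilt as rule lines so the
# parser below works on the page's own syntax (constructed here, not Snort code).
MYDOOM_SUBJECTS = ["Error", "Status", "Server Report", "Mail Transaction Failed",
                   "Mail Delivery System", "Hello", "Hi", "Test"]
RULES = [
    ('alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; '
     'flow:to_server,established; content:"Subject\\: %s"; nocase; '
     'classtype:misc-activity; rev:1; resp:rst_all;)') % s
    for s in MYDOOM_SUBJECTS
]

# content:"..." with backslash escapes inside the quotes, then an optional nocase.
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)";(\s*nocase;)?')

def parse_rule(rule):
    """Return (msg, content pattern with Snort escapes removed, nocase flag)."""
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    m = CONTENT_RE.search(rule)
    pattern = re.sub(r'\\(.)', r'\1', m.group(1))  # '\:' becomes ':' as in Snort
    return msg, pattern, m.group(2) is not None

def match_payload(payload, rules=RULES):
    """Return the content patterns that hit the payload as plain substrings."""
    hits = []
    for rule in rules:
        _msg, pattern, nocase = parse_rule(rule)
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle in hay:
            hits.append(pattern)
    return hits

# Constructed SMTP DATA fragments for the demo (not real captures).
SAMPLES = {
    "worm-like": "From: x@example.test\r\nSubject: Mail Transaction Failed\r\n\r\n...",
    "mixed-case": "Subject: server REPORT\r\n\r\n...",
    "benign-hi": "Subject: History of the office picnic\r\n\r\n...",
    "benign": "Subject: Q1 budget review\r\n\r\n...",
}

def scan_samples():
    """Map each sample name to the list of rule patterns that would alert on it."""
    return {name: match_payload(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:11s} -> {hits or 'no alert'}")
```

The "benign-hi" sample alerts on "Subject: Hi" although it is not worm traffic; that is the cost of matching short subject prefixes without a more specific anchor.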
Current thread:
- Temporary "solution" to MyDoom worm Fabio Bastiglia Oliva (Jan 28)
- Re: Temporary "solution" to MyDoom worm Fabio Bastiglia Oliva (Jan 28)
- Re: Temporary "solution" to MyDoom worm Matt Kettler (Jan 31)
- Re[2]: Temporary "solution" to MyDoom worm Fabio Bastiglia Oliva (Jan 30)
- <Possible follow-ups>
- RE: Temporary "solution" to MyDoom worm snort-ml (Jan 30)
- Re[2]: Temporary "solution" to MyDoom worm Fabio Bastiglia Oliva (Jan 30)