Snort mailing list archives
RE: Temporary "solution" to MyDoom worm
From: snort-ml <snort-ml () faceit com>
Date: Fri, 30 Jan 2004 11:56:30 -0500
Could you explain what you mean by "mail scanner"? Like AV software?

--ALEX

-----Original Message-----
From: Fabio Bastiglia Oliva [mailto:fboliva () safenetworks com]
Sent: Wednesday, January 28, 2004 8:42 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Temporary "solution" to MyDoom worm
Importance: High

Hi guys, hehe... After all these years posting to some lists, and also talking to foreign friends, I could not make my English better... so... before anything else, sorry about my bad English. :)

I've made a piggy solution to make the MyDoom worm (Novarg.A, Shimg.A, Mimail.R) stop hitting mail servers. It's not the best solution, I know, but these rules can help if you have some kind of mail scanner on your mail server; these rules will make the mail server's CPU usage decrease. I'm using the possible MyDoom Subjects to detect it... Of course, it's not 100% accurate, but it's helping my mail servers a lot. It's necessary to use Flexible Response to make it work. Below is the FlexResp config I'm using for this rule.
# Flexible Response action: send a TCP RST to both ends of the matching SMTP session
var RESP_TCP_URG resp:rst_all

These are the rules:

# Each rule does a case-insensitive search for the literal "Subject: <text>" in the
# client-to-server SMTP stream (so "Subject: Hi" also matches any longer subject
# beginning with "Hi") and resets the connection on a hit.
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Error"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Status"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Server Report"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Transaction Failed"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Delivery System"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hello"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hi"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Test"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva () safenetworks com

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
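As an added illustration (not code from this thread): a small Python check that mimics the case-insensitive substring semantics of the posted content/nocase rules over constructed SMTP DATA payloads, and compares them with a stricter whole-subject-line match. The stricter variant, the sample messages and the function names are my assumptions, not part of the original rules.

```python
import re
from typing import Optional

# Subject values taken from the eight posted rules.
MYDOOM_SUBJECTS = ["Error", "Status", "Server Report", "Mail Transaction Failed",
                   "Mail Delivery System", "Hello", "Hi", "Test"]

def snort_content_match(smtp_data: bytes) -> Optional[str]:
    # Mimics content:"Subject\: X"; nocase; which is a case-insensitive
    # substring search over the payload, so the "Hi" rule also fires on
    # "Subject: History". Returns the first matching subject, else None.
    haystack = smtp_data.lower()
    for subj in MYDOOM_SUBJECTS:
        if b"subject: " + subj.lower().encode() in haystack:
            return subj
    return None

def strict_subject_match(smtp_data: bytes) -> Optional[str]:
    # Tighter variant (an assumption, not from the post): the Subject line
    # must consist of exactly one listed string, case-insensitive, so mail
    # whose subject merely starts with "Hi" or "Test" is left alone.
    m = re.search(rb"(?im)^subject:[ \t]*(.*?)[ \t]*\r?$", smtp_data)
    if not m:
        return None
    value = m.group(1).decode("ascii", errors="replace").lower()
    for subj in MYDOOM_SUBJECTS:
        if value == subj.lower():
            return subj
    return None

# Constructed sample SMTP DATA payloads (not captured traffic).
WORM_LIKE = (b"From: a@example.test\r\nTo: b@example.test\r\n"
             b"Subject: Mail Transaction Failed\r\n\r\nbody\r\n")
LEGIT = (b"From: c@example.test\r\nTo: d@example.test\r\n"
         b"Subject: History of the project\r\n\r\nSee attached.\r\n")

def compare(samples):
    # Runs both matchers over each sample; a pair (rule_hit, strict_hit)
    # that differs shows where the posted rules over-match.
    return {name: (snort_content_match(data), strict_subject_match(data))
            for name, data in samples.items()}

if __name__ == "__main__":
    for name, hits in compare({"worm_like": WORM_LIKE, "legit": LEGIT}).items():
        print(name, hits)
```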
Current thread:
- Temporary "solution" to MyDoom worm Fabio Bastiglia Oliva (Jan 28)
- Re: Temporary "solution" to MyDoom worm Fabio Bastiglia Oliva (Jan 28)
- Re: Temporary "solution" to MyDoom worm Matt Kettler (Jan 31)
- Re[2]: Temporary "solution" to MyDoom worm Fabio Bastiglia Oliva (Jan 30)
- <Possible follow-ups>
- RE: Temporary "solution" to MyDoom worm snort-ml (Jan 30)
- Re[2]: Temporary "solution" to MyDoom worm Fabio Bastiglia Oliva (Jan 30)