Snort mailing list archives
Re: Temporary "solution" to MyDoom worm
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 30 Jan 2004 11:07:07 -0500
At 08:41 AM 1/28/2004, Fabio Bastiglia Oliva wrote:
> I'm using the MyDoom possible Subjects to detect it... Of course, it's not 100% accurate, but it's helping my mail servers a lot. It's necessary to use Flexible Response to make it work.
While using flexresp for this isn't outright invalid, I'd suggest that there are more accurate ways to deal with MyDoom that you really should already have set up on your network.
ie: ClamAV (a free open-source *nix virus scanner)... pair that with an MTA-layer virus scanning tool and configure it to toss all the MyDoom (aka SCO) worms quietly into the trash.
If server load is a problem, then you could use the flexresp solution to help, but I'd still make sure I had an MTA-layer scanner to deal with the stuff that gets past flexresp.