Snort mailing list archives
regarding snort rules
From: "naganandas" <naganandas () indiatimes com>
Date: Mon, 02 Feb 2004 10:38:28 +0530
Hi, I have installed Snort on Red Hat 8 and it was successful. But the thing is, whenever I initialize Snort with the command

  #snort -A full -c snort.conf

it says after initialization "0 Snort rules read, 0 dynamic rules" etc... What does this mean? Also I need to get SNMP traps to an NMS station, i.e. OpenNMS. Any help would be appreciated.

Thanks,
Nanda

snort-users () lists sourceforge net wrote:

Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. RE: Temporary "solution" to MyDoom worm (snort-ml)
2. Fw: Why logging the attacked one? (Gabriel Moricz)
3. Re: cost/benefit analysis of running Snort (M. Morgan)
4. GateKeeper for snort (Alon Noy)
5. RE: Installing Snort on SuSe Linux machine (KS)
6. Re[2]: [Snort-users] Temporary "solution" to MyDoom worm (Fabio Bastiglia Oliva)
7. Re[2]: [Snort-users] Temporary "solution" to MyDoom worm (Fabio Bastiglia Oliva)

--__--__--

Message: 1
From: snort-ml <snort-ml () faceit com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Temporary "solution" to MyDoom worm
Date: Fri, 30 Jan 2004 11:56:30 -0500

Could you explain what you mean by "mail scanner"? Like an AV software?

--ALEX

-----Original Message-----
From: Fabio Bastiglia Oliva [mailto:fboliva () safenetworks com]
Sent: Wednesday, January 28, 2004 8:42 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Temporary "solution" to MyDoom worm
Importance: High

Hi guys,

hehe... After all these years posting to some lists, also talking to foreign friends, I could not make my English better... so... before anything else, sorry about my bad English. :)

I've made a piggy solution to make the MyDoom worm (Novarg.A, Shimg.A, Mimail.R) stop hitting mail servers. It's not the best solution, I know, but these rules can help if you have some kind of mail scanner on your mail server; these rules will make the mail server's CPU usage decrease.

I'm using the possible MyDoom Subjects to detect it... Of course, it's not 100% accurate, but it's helping my mail servers a lot.

It's necessary to use Flexible Response to make it work. Below is the FlexResp config I'm using for these rules.

var RESP_TCP_URG resp:rst_all

These are the rules:

alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Error"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Status"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Server Report"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Transaction Failed"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Delivery System"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hello"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hi"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Test"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva () safenetworks com

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 2
From: "Gabriel Moricz" <gabriel () autofax com br>
To: <snort-users () lists sourceforge net>
Date: Fri, 30 Jan 2004 15:04:27 -0200
Subject: [Snort-users] Fw: Why logging the attacked one?

Hello all...

I am having a problem..

[**] MS-SQL Worm propagation attempt [**]
01/29-15:49:31.148746 64.63.254.192:0 -> 200.231.117.114:3128
TCP TTL:112 TOS:0x0 ID:676 IpLen:20 DgmLen:40 DF
******S* Seq: 0x3DE75 Ack: 0x0 Win: 0x200 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

As you can see in this alert my network is 200.231.117.114 and it logged creating a folder with this IP and not with the attacker IP..
How can I tell Snort to log and create the folder with the attacker IP name??

Thanks and I hope that some good heart helps me this time... ;-)

Gabriel Moricz

--__--__--

Message: 3
Date: Thu, 29 Jan 2004 10:25:07 -0500 (GMT-05:00)
From: "M. Morgan" <mikemorgan () mindspring com>
Reply-To: "M. Morgan" <mikemorgan () mindspring com>
To: Tom Fulton <tfulton9909 () comcast net>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] cost/benefit analysis of running Snort

Tom,

I realize your question is directed specifically towards Snort but there are many documents available that can help you with your efforts.

Read some of these regarding "return on investment":
http://www.securityfocus.com/swsearch?query=ROI&sbm=%2F&metaname=alldoc&sort=swishrank

thanks,
Michael

-----Original Message-----
From: Tom Fulton <TFULTON9909 () COMCAST NET>
Sent: Jan 23, 2004 6:38 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] cost/benefit analysis of running Snort

I'm trying to come up with a cost/benefit analysis of running Snort in a network, in general terms?

Can you add anything that you see is missing or wrong?

A. COSTS:

I would guess costs are mostly in Human time (FTE) functions:
 -Installation, configuration
 -Locking down/securing the boxes' processes (i.e.: Bastille scripts, etc)
 -Patching
 -Monitoring snort logs to determine legitimate alerts
 -Adding, changing, fine tuning filter rules
 -Ideally a 24/7 operation requiring HOW MANY FTEs per shift? What does the number of FTEs depend upon?
 -What is the "cost" of having only one shift covered?

But also hardware and software costs:
 -Dedicated PCs (how many?)
 -Operating system and Support agreements for the OS
 -Network bandwidth (how do you address questions of how much network speed is affected by Snort boxes?)

# How do you scale?
# The book "Snort 2.0 Intrusion Detection" discusses different architectures but doesn't give any kind of Rule of Thumb for number of boxes per architecture. Yes, I know it depends upon the processor, RAM and BUS speed, etc... but beyond that, how do you define?
# Would it be safe to say that once you see that you are dropping packets you need to add another box? Is it just trial and error ONLY?

B. BENEFITS:

 -They can alert you to the presence of attacks (internal and external; the majority of attacks occur, knowingly or unknowingly, from within the network)
 -Identifies vulnerabilities and weaknesses in the perimeter protection devices: firewalls and routers
 -"What you don't know CAN hurt you"
 -Preventative knowledge: IDSs can alert you to reconnaissance scanning in your network which can alert you to impending attacks
 -Helps enforce security policies
 -Great sources of forensic evidence
 -Inline IDSs can halt active attacks on your network
 -Rounds out an overall security model

Can you add anything or correct me?

Thanks,

--__--__--

Message: 4
From: "Alon Noy" <anoy () arti-shock com>
To: <snort-users () lists sourceforge net>
Date: Fri, 30 Jan 2004 19:03:20 +0100
Subject: [Snort-users] GateKeeper for snort

Hello all,

Since I put GateKeeper for download, 3 days ago, I had 265 visits, 62 downloads and ... ONE reply (Thank you Milo). I would appreciate some feedback.

Anyway, GateKeeper v1.01 is now available also as RPM.

For downloads go to: http://www.arti-shock.com/gatekeeper/

Cheers,

--__--__--

Message: 5
From: "KS" <kanwaljeet () emind com>
To: "John Ceballos-contr" <John.Ceballos-contr () TRW COM>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Installing Snort on SuSe Linux machine
Date: Sat, 31 Jan 2004 00:19:52 +0530

Hey John,

I have done a successful installation of Snort with ACID on SuSE Linux. However, it took me a hell of a lot of time to make MySQL work on it. Rest everything went smooth.

I couldn't find any official doc on it so I followed the "Snort on Red Hat Linux" guide with slight modifications in it. Since there is a difference in the directory structure of Red Hat Linux and SuSE, you need to be careful with regards to copying and installation of packages so that changes are made in the appropriate directories and files.

Cheers!
Kanwal

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Ceballos-contr
Sent: Thursday, January 29, 2004 10:43 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Installing Snort on SuSe Linux machine

Hello all!

I was wondering if anybody has done a successful installation of Snort with ACID on a SuSe Linux machine. Or, is there an un/official doc that tells you how to do this?

Thanks and talk to you all later!

--__--__--

Message: 6
Date: Fri, 30 Jan 2004 16:51:14 -0200
From: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Reply-To: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Organization: Safe Networks
To: 'snort-users () lists sourceforge net' <snort-users () lists sourceforge net>
CC: snort-ml <snort-ml () faceit com>
Subject: Re[2]: [Snort-users] Temporary "solution" to MyDoom worm

Hello Alex,

Sorry if I wasn't clear enough... Yep, when I said mail scanner I was referring to AV scanners. This "solution" can help to decrease the CPU usage by aborting the communication when some subjects are detected. My company mail servers had a CPU usage decrease of 50% after I inserted these rules into Snort.

As I said before, it's not the best solution... but... it's working for me.

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva () safenetworks com

Friday, January 30, 2004, 2:56:30 PM, you wrote:

sm> Could you explain what you mean by "mail scanner"? Like an AV software?
sm> --ALEX

--__--__--

Message: 7
Date: Fri, 30 Jan 2004 16:59:10 -0200
From: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Reply-To: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Organization: Safe Networks
To: 'snort-users () lists sourceforge net' <snort-users () lists sourceforge net>
CC: Matt Kettler <mkettler () evi-inc com>
Subject: Re[2]: [Snort-users] Temporary "solution" to MyDoom worm

Hello Matt,

Yes... I'm using an AV mail scanner, but due to the heavy mail traffic increased by MyDoom, the CPU usage was extremely high. hehe... I'm using qmailscanner + clamav :)

After turning these rules on... the CPU usage of my company mail servers had a decrease of 50%.

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva () safenetworks com

Friday, January 30, 2004, 2:07:07 PM, you wrote:

MK> At 08:41 AM 1/28/2004, Fabio Bastiglia Oliva wrote:
MK> > I'm using the MyDoom possible Subjects to detect it... Of course, it's not 100% accurate, but it's helping a lot my mail servers.
MK> > It's necessary to use Flexible Response to make it work.
MK>
MK> While using flexresp for this isn't outright invalid, I'd suggest that there are more accurate ways to deal with mydoom that you really should already have set up on your network.
MK> ie: clamav (a free open-source *nix virus scanner)... pair that with a MTA layer virus scanning tool and configure it to toss all the mydoom (aka SCO) worms quietly into the trash.
MK> If server load is a problem, then you could use the flexresp solution to help, but I'd still make sure I had a MTA layer scanner to deal with the stuff that gets past flexresp.

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
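The Subject-matching rules from Fabio's post, replayed against constructed SMTP traffic as an added example (not code from the list or from Snort): it emulates only the content/nocase part of each rule and shows concretely why the thread calls them not 100% accurate, since an unanchored match on "Subject: Hi" also fires on a benign "Subject: History ..." and, with resp:rst_all, would reset that legitimate session. The SMTP samples, sender addresses and function names are all constructed for the demo.

```python
"""Replay the Subject-matching MyDoom rules from the digest against
constructed SMTP traffic.  Added example, not code from the list or from
Snort: only the content/nocase part of each rule is emulated (no stream
reassembly, no flow tracking, no resp: action), and the SMTP samples below
are constructed for the demo."""
from __future__ import annotations
import re

# The eight Subject strings used in Fabio's rules.  Inside a Snort content
# option the colon is written as "\:"; the unescaped text is what is matched.
MYDOOM_SUBJECT_CONTENTS = [
    "Subject: Error", "Subject: Status", "Subject: Server Report",
    "Subject: Mail Transaction Failed", "Subject: Mail Delivery System",
    "Subject: Hello", "Subject: Hi", "Subject: Test",
]

# Rebuild the rules in the shape posted, with $RESP_TCP_URG expanded.
RULE_TEMPLATE = ('alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; '
                 'flow:to_server,established; content:"{}"; nocase; '
                 'classtype:misc-activity; rev:1;resp:rst_all;)')
RULES = [RULE_TEMPLATE.format(s.replace(":", r"\:")) for s in MYDOOM_SUBJECT_CONTENTS]


def parse_content_option(rule: str) -> tuple:
    """Return (content, nocase) for a rule of the shape used in the digest,
    undoing Snort's backslash escapes inside the content string."""
    m = re.search(r'content:"((?:[^"\\]|\\.)*)"', rule)
    if m is None:
        raise ValueError("rule has no content option")
    content = re.sub(r"\\(.)", r"\1", m.group(1))
    nocase = re.search(r";\s*nocase\s*;", rule) is not None
    return content, nocase


def content_matches(content: str, nocase: bool, payload: bytes) -> bool:
    """A Snort content match is an unanchored substring search over the
    payload; nocase makes it case-insensitive.  The posted rules set no
    depth/offset, so the whole payload is searched."""
    hay = payload.decode("latin-1")
    return (content.lower() in hay.lower()) if nocase else (content in hay)


# Constructed client->server SMTP DATA fragments (what the rules inspect).
SAMPLES = {
    "worm_like":      b"From: x@example.test\r\nSubject: Mail Transaction Failed\r\n\r\n(body)\r\n",
    "benign_hi":      b"From: alice@example.test\r\nSubject: Hi team, lunch on Friday?\r\n\r\n",
    "benign_history": b"From: bob@example.test\r\nSubject: History department budget\r\n\r\n",
    "benign_status":  b"From: ops@example.test\r\nSubject: Status update for Q1\r\n\r\n",
    "benign_other":   b"From: carol@example.test\r\nSubject: Invoice 4711 attached\r\n\r\n",
}


def evaluate(samples: dict) -> dict:
    """Map each sample name to the list of content strings that fire on it.
    A non-empty list is a session the rule set would alert on and, with
    resp:rst_all, tear down with RSTs to both ends."""
    parsed = [parse_content_option(r) for r in RULES]
    return {name: [c for c, nc in parsed if content_matches(c, nc, payload)]
            for name, payload in samples.items()}


def false_positive_rate(results: dict) -> float:
    """Share of samples named benign_* that at least one rule fires on."""
    benign = [n for n in results if n.startswith("benign_")]
    hits = [n for n in benign if results[n]]
    return len(hits) / len(benign) if benign else 0.0


if __name__ == "__main__":
    res = evaluate(SAMPLES)
    for name, fired in res.items():
        print(f"{name:16} -> {fired or 'no alert'}")
    print(f"benign sessions that would be reset: {false_positive_rate(res):.0%}")
```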
Current thread:
- regarding snort rules naganandas (Feb 01)
- Re: regarding snort rules Ravi (Feb 01)
- W32.Novarg.A@mm worm Work!, but.... Snortty (Feb 02)
- Re: regarding snort rules Ravi (Feb 01)