Snort mailing list archives

Re[2]: Temporary "solution" to MyDoom worm


From: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Date: Fri, 30 Jan 2004 16:51:14 -0200

Hello Alex,

Sorry if I wasn't clear enough... Yep, when I said mail scanner I was
referring to AV scanners.

This "solution" can help to decrease the CPU usage by aborting the
communication when some subjects are detected.

My company's mail servers had a CPU usage decrease of 50% after I
inserted these rules into Snort.

As I said before, it's not the best solution... but... it's working
for me.

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva () safenetworks com



Friday, January 30, 2004, 2:56:30 PM, you wrote:

sm> Could you explain what you mean by "mail scanner"? Like an AV software?

sm> --ALEX

sm> -----Original Message-----
sm> From: Fabio Bastiglia Oliva [mailto:fboliva () safenetworks com]
sm> Sent: Wednesday, January 28, 2004 8:42 AM
sm> To: snort-users () lists sourceforge net
sm> Subject: [Snort-users] Temporary "solution" to MyDoom worm
sm> Importance: High


sm> Hi guys,


sm> hehe... After all these years posting to some lists, also talking to
sm> foreign friends, I could not make my English better... so... before
sm> anything else, sorry about my bad English. :)

sm> I've made a piggy solution to make the MyDoom worm (Novarg.A, Shimg.A,
sm> Mimail.R) stop hitting mail servers. It's not the best solution, I
sm> know, but these rules can help if you have some kind of mail scanner
sm> on your mail server; these rules will make the mail server's CPU usage
sm> decrease.

sm> I'm using the possible MyDoom Subjects to detect it... Of course, it's
sm> not 100% accurate, but it's helping my mail servers a lot.

sm> It's necessary to use Flexible Response to make it work.

sm> Below is the FlexResp config I'm using for these rules.
sm> var RESP_TCP_URG resp:rst_all

sm> These are the rules:

sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Error"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Status"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Server Report"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Mail Transaction Failed";
sm> nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Mail Delivery System";
sm> nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Hello"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Hi"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Test"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)

sm> Best Regards
sm> ________________________
sm> Fabio Bastiglia Oliva
sm> fboliva () safenetworks com



sm> -------------------------------------------------------
sm> The SF.Net email is sponsored by EclipseCon 2004
sm> Premiere Conference on Open Tools Development and Integration
sm> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
sm> http://www.eclipsecon.org/osdn
sm> _______________________________________________
sm> Snort-users mailing list
sm> Snort-users () lists sourceforge net
sm> Go to this URL to change user options or unsubscribe:
sm> https://lists.sourceforge.net/lists/listinfo/snort-users
sm> Snort-users list archive:
sm> http://www.geocrawler.com/redir-sf.php3?list=snort-users


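Editor's added example (not part of the thread, and not the poster's code): the quoted rules rely on Snort's `content` keyword, which is a case-insensitive substring match anywhere in the client-to-server payload, so `Subject: Hi` also fires on a subject such as "Hi there, lunch?" and on a quoted `Subject: Error` line inside a message body. The script below reproduces that matching over constructed SMTP messages and places a stricter, header-anchored check beside it so the two can be compared when tuning the false-positive rate. Every message, address and body string is constructed for the example; the subject list is the one from the quoted rules.

```python
from typing import List, Optional

# Subjects from the Snort rules quoted in the message above.
MYDOOM_SUBJECTS = (
    "Error", "Status", "Server Report", "Mail Transaction Failed",
    "Mail Delivery System", "Hello", "Hi", "Test",
)


def snort_style_match(stream: str) -> List[str]:
    """Mimic the quoted rules: each one is a case-insensitive substring match
    for 'Subject: <text>' anywhere in the TCP stream, with no anchoring to a
    header line. Returns every listed subject that would have fired."""
    haystack = stream.lower()
    return [s for s in MYDOOM_SUBJECTS if f"subject: {s.lower()}" in haystack]


def header_subject(message: str) -> Optional[str]:
    """Return the Subject header value of an RFC 5322 message, joining folded
    continuation lines, or None. Only the header block (up to the first blank
    line) is inspected, so 'Subject:' text in the body cannot match."""
    head, _, _body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith("subject:"):
            value = line[len("subject:"):].strip()
            # Folded header: continuation lines begin with SP or HTAB.
            for cont in lines[i + 1:]:
                if cont[:1] in (" ", "\t"):
                    value += " " + cont.strip()
                else:
                    break
            return value
    return None


def anchored_match(message: str) -> Optional[str]:
    """Stricter check: the whole Subject value must equal one of the listed
    subjects (case-insensitive), so 'Hi there' no longer counts as 'Hi'."""
    subj = header_subject(message)
    if subj is None:
        return None
    for s in MYDOOM_SUBJECTS:
        if subj.lower() == s.lower():
            return s
    return None


# Constructed sample messages (addresses and bodies are made up).
WORM_LIKE = (
    "From: someone@example.test\r\nTo: you@example.test\r\n"
    "Subject: Mail Transaction Failed\r\n\r\n"
    "Constructed body standing in for a worm-style bounce notice.\r\n"
)
LEGIT = (
    "From: friend@example.test\r\nTo: you@example.test\r\n"
    "Subject: Hi there, are we still on for lunch?\r\n\r\n"
    "Constructed body of an ordinary message.\r\n"
)
BODY_ONLY = (
    "From: colleague@example.test\r\nTo: you@example.test\r\n"
    "Subject: Quarterly numbers\r\n\r\n"
    "Forwarding the bounce I got:\r\n> Subject: Error\r\n> (constructed)\r\n"
)
FOLDED = (
    "From: someone@example.test\r\nTo: you@example.test\r\n"
    "Subject: Mail\r\n Transaction Failed\r\n\r\nConstructed body.\r\n"
)


if __name__ == "__main__":
    for name, msg in (("worm-like", WORM_LIKE), ("legit", LEGIT),
                      ("body-only", BODY_ONLY), ("folded", FOLDED)):
        print(f"{name:10} snort-style={snort_style_match(msg)!s:28} "
              f"anchored={anchored_match(msg)!r}")
```

The folded sample shows the other side of the trade-off: a subject split across two header lines is invisible to the plain substring rules but is still caught by the header-aware check, so neither approach is "100% accurate" on its own, as the poster already notes.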