Snort mailing list archives

RE: MyDoom/Novarg


From: "Martin Jr., D. Michael" <martinm () montevallo edu>
Date: Fri, 30 Jan 2004 07:57:59 -0600

I have been using the following rule to detect possible machines that
were infected by the MyDoom/Novarg worm:

alert tcp any any -> any 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 3"; \
    content: "The message contains Unicode characters and has been sent as a binary"; \
    content: "Content-Type\: application/octet-stream"; \
    content: "Content-Transfer-Encoding\: base64"; nocase; \
    rev: 4; sid:1000571; classtype: Possible-VIRUS;)

The bizarre thing is that I appear to be getting some false positives
from machines that are Macintosh computers.

#0-(1-13) [snort] VIRUS - MyDoom/MIMAIL.R Outbound 3
2004-01-29 16:55:48   10.0.7.253:52909        205.152.59.16:25        TCP
#1-(1-14) [snort] VIRUS - MyDoom/MIMAIL.R Outbound 3
2004-01-29 16:55:48   10.0.7.253:52909        205.152.59.16:25        TCP
....
#9-(1-28) [snort] VIRUS - MyDoom/MIMAIL.R Outbound 3
2004-01-29 18:06:34   10.0.7.146:49709        10.0.2.40:25        TCP
#10-(1-29) [snort] VIRUS - MyDoom/MIMAIL.R Outbound 3
2004-01-29 18:06:34   10.0.7.146:49709        10.0.2.40:25        TCP
....

I realize that all this rule does is look for "The message contains
Unicode characters and has been sent as a binary" on port 25.  But why
would Macintosh computers be sending this?

Has anyone else had instances of false positives with this rule?

Thanks,

D. Michael Martin
University of Montevallo
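Added illustration (not code from the original post or from Snort): a small Python emulation of how Snort evaluates the three content matches in the rule above, run over constructed SMTP messages. It assumes plain Snort semantics, where content keywords without offset/depth/distance/within are independent and nocase modifies only the content it follows, and it matches on whole messages rather than individual packets.

```python
# Emulates the posted rule's content matching on whole SMTP payloads
# (constructed samples). Real Snort inspects each packet or reassembled
# stream on its own, so this is the rule's best-case semantics.

RULE_CONTENTS = [
    # (content string, nocase). In Snort, nocase modifies only the content
    # keyword it directly follows, so only the last content is case-insensitive.
    ("The message contains Unicode characters and has been sent as a binary", False),
    ("Content-Type: application/octet-stream", False),
    ("Content-Transfer-Encoding: base64", True),
]

def unmatched_contents(payload: bytes) -> list:
    """Return the rule's content strings NOT found in payload. Without
    offset/depth/distance/within every content must occur somewhere in the
    payload, in any order, so the rule fires only when this list is empty."""
    missing = []
    for needle, nocase in RULE_CONTENTS:
        hay, n = payload, needle.encode()
        if nocase:
            hay, n = hay.lower(), n.lower()
        if n not in hay:
            missing.append(needle)
    return missing

def rule_fires(payload: bytes) -> bool:
    return not unmatched_contents(payload)

def mime_message(attachment_headers: bytes) -> bytes:
    # Constructed two-part MIME body: the worm's sentence, then one attachment.
    return (
        b"Subject: test\r\nContent-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
        b"--XX\r\nContent-Type: text/plain\r\n\r\n"
        b"The message contains Unicode characters and has been sent as a binary "
        b"attachment.\r\n--XX\r\n" + attachment_headers + b"\r\n\r\nUEsDBAoAAA==\r\n--XX--\r\n"
    )

# Sample 1: base64 octet-stream attachment, as the worm sends: the rule fires.
WORM_STYLE = mime_message(b"Content-Type: application/octet-stream\r\n"
                          b"Content-Transfer-Encoding: base64")
# Sample 2: same sentence but a plain-text attachment: no alert, so the
# sentence alone is not what fires the rule; all three contents are required.
TEXT_ATTACHMENT = mime_message(b"Content-Type: text/plain\r\n"
                               b"Content-Transfer-Encoding: 7bit")
# Sample 3: a client writing MIME header names in lower case (legal per
# RFC 2045): the case-sensitive Content-Type content misses, so no alert.
LOWERCASE_HEADERS = mime_message(b"content-type: application/octet-stream\r\n"
                                 b"content-transfer-encoding: base64")
```

Calling rule_fires() on each sample shows that any mail client producing the sentence plus a base64 octet-stream attachment trips the rule, while unmatched_contents() lists which of the three strings kept a message from matching.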

