Snort mailing list archives

Re: Temporary "solution" to MyDoom worm


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 30 Jan 2004 11:07:07 -0500

At 08:41 AM 1/28/2004, Fabio Bastiglia Oliva wrote:
> I'm using the MyDoom possible Subjects to detect it... Of course, it's
> not 100% accurate, but it's helping my mail servers a lot.
>
> It's necessary to use Flexible Response to make it work.

While using flexresp for this isn't outright invalid, I'd suggest that there are more accurate ways to deal with MyDoom that you really should already have set up on your network.

i.e.: ClamAV (a free open-source *nix virus scanner)... pair that with an MTA-layer virus scanning tool and configure it to toss all the MyDoom (aka SCO) worms quietly into the trash.

If server load is a problem, then you could use the flexresp solution to help, but I'd still make sure I had an MTA-layer scanner to deal with the stuff that gets past flexresp.





