Snort mailing list archives

Temporary "solution" to MyDoom worm


From: Fabio Bastiglia Oliva <fboliva () safenetworks com>
Date: Wed, 28 Jan 2004 11:41:52 -0200

Hi guys,


hehe... After all these years posting to some lists, and also talking to
foreign friends, I could not make my English better... so... before
anything else, sorry about my bad English. :)

I've made a piggy solution to make the MyDoom worm (Novarg.A, Shimg.A,
Mimail.R) stop hitting mail servers. It's not the best solution, I
know, but these rules can help if you have some kind of mail scanner
on your mail server; these rules will make the mail server's CPU usage
decrease.

I'm using MyDoom's possible Subjects to detect it... Of course, it's
not 100% accurate, but it's helping my mail servers a lot.

It's necessary to use Flexible Response to make it work.

Below is the FlexResp config I'm using for these rules:

var RESP_TCP_URG resp:rst_all

These are the rules:

alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Error"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Status"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Server Report"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Transaction Failed"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Delivery System"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hello"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hi"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Test"; nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva () safenetworks com
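The following is an added example, not part of Fabio's post: it replays the matching semantics of the eight posted rules (a case-insensitive search for the literal bytes "Subject: X" anywhere in the client-to-server payload) over constructed SMTP DATA fragments, to show where the "not 100% accurate" caveat bites. The sample messages and function names are made up for illustration.

```python
# Replays the matching logic of the posted Snort rules in plain Python.
# Assumptions (constructed for this example): the payload is the raw
# client->server SMTP DATA bytes that Snort would inspect on port 25.

# The eight Subject strings from the posted rules, in the same order.
MYDOOM_SUBJECTS = [
    "Error", "Status", "Server Report", "Mail Transaction Failed",
    "Mail Delivery System", "Hello", "Hi", "Test",
]


def mydoom_subject_hits(smtp_payload: bytes) -> list[str]:
    """Return the subjects whose rule would fire on this payload.

    'content:"Subject\\: X"; nocase;' is a case-insensitive search for the
    literal bytes "Subject: X" anywhere in the payload (the backslash only
    escapes the colon for Snort's rule parser), so the match is a prefix
    match: "Subject: Hi" also fires on "Subject: Hi Bob, lunch?".
    """
    haystack = smtp_payload.lower()
    return [s for s in MYDOOM_SUBJECTS
            if b"subject: " + s.lower().encode() in haystack]


def would_reset(smtp_payload: bytes) -> bool:
    """True if any rule fires, i.e. resp:rst_all would tear down the session."""
    return bool(mydoom_subject_hits(smtp_payload))


# Constructed sample SMTP DATA fragments (not real captures).
WORM_LIKE = (b"From: postmaster@example.invalid\r\n"
             b"Subject: Mail Delivery System\r\n\r\n"
             b"constructed body text\r\n")
LEGIT_HI = (b"From: alice@example.invalid\r\n"
            b"Subject: Hi Bob, lunch on Friday?\r\n\r\nSee you then.\r\n")
LEGIT_TEST = b"Subject: Testing the new mail server\r\n\r\nignore me\r\n"
CLEAN = b"Subject: Q1 budget review\r\n\r\nAttached.\r\n"

if __name__ == "__main__":
    for name, payload in [("worm-like", WORM_LIKE), ("legit 'Hi'", LEGIT_HI),
                          ("legit 'Test'", LEGIT_TEST), ("clean", CLEAN)]:
        print(f"{name:13} reset={would_reset(payload)!s:5} "
              f"hits={mydoom_subject_hits(payload)}")
```

The two "legit" samples show the cost of the shortcut: any legitimate mail whose Subject merely begins with "Hi" or "Test" gets its SMTP session reset along with the worm traffic.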


