Snort mailing list archives

RE: Temporary "solution" to MyDoom worm


From: snort-ml <snort-ml () faceit com>
Date: Fri, 30 Jan 2004 11:56:30 -0500

Could you explain what you mean by "mail scanner"? Like AV software?

--ALEX

-----Original Message-----
From: Fabio Bastiglia Oliva [mailto:fboliva () safenetworks com]
Sent: Wednesday, January 28, 2004 8:42 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Temporary "solution" to MyDoom worm
Importance: High


Hi guys,


hehe... After all these years posting to some lists, also talking to
foreign friends, I could not make my English better... so... before
anything else, sorry about my bad English. :)

I've made a piggy solution to make the MyDoom worm (Novarg.A, Shimg.A,
Mimail.R) stop hitting mail servers. It's not the best solution, I
know, but these rules can help if you have some kind of mail scanner
on your mail server; these rules will make the mail server's CPU usage
decrease.

I'm using the possible MyDoom Subjects to detect it... Of course, it's
not 100% accurate, but it's helping my mail servers a lot.

It's necessary to use Flexible Response to make it work.

Below is the FlexResp config I'm using for these rules.
var RESP_TCP_URG resp:rst_all

These are the rules:

alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; \
    flow:to_server,established; content:"Subject\: Error"; nocase; \
    classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; \
    flow:to_server,established; content:"Subject\: Status"; nocase; \
    classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; \
    flow:to_server,established; content:"Subject\: Server Report"; nocase; \
    classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; \
    flow:to_server,established; content:"Subject\: Mail Transaction Failed"; \
    nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; \
    flow:to_server,established; content:"Subject\: Mail Delivery System"; \
    nocase; classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; \
    flow:to_server,established; content:"Subject\: Hello"; nocase; \
    classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; \
    flow:to_server,established; content:"Subject\: Hi"; nocase; \
    classtype:misc-activity; rev:1; $RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; \
    flow:to_server,established; content:"Subject\: Test"; nocase; \
    classtype:misc-activity; rev:1; $RESP_TCP_URG;)

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva () safenetworks com



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


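Added example, not part of the thread and not Snort project code: a small Python
model of how the eight rules above evaluate. It parses the rule options the way
Snort does (the $RESP_TCP_URG variable expanded, content values unescaped,
nocase honoured) and replays them against constructed SMTP DATA payloads, so a
reader can see that content plus nocase is an unanchored, case-insensitive
substring search. The payloads, the SUBJECTS list layout, the parse_rule /
evaluate / strict_subject_hit names and the tightened whole-line variant (the
equivalent of a Snort pcre anchored to the Subject header) are this example's
own assumptions, not anything the post proposes.

```python
"""Replay the post's MyDoom subject rules against constructed SMTP payloads.

Added example; the rule text mirrors the post, everything else is assumed.
"""
import re

# Variable from the post; Snort substitutes $NAME with the var's value.
SNORT_VARS = {"RESP_TCP_URG": "resp:rst_all"}

# The eight subject strings used by the post's rules.
SUBJECTS = [
    "Error", "Status", "Server Report", "Mail Transaction Failed",
    "Mail Delivery System", "Hello", "Hi", "Test",
]

# Same rule shape as in the post, one rule per subject (assumed template).
RULE_TEMPLATE = (
    'alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; '
    'flow:to_server,established; content:"Subject\\: {subj}"; nocase; '
    'classtype:misc-activity; rev:1;$RESP_TCP_URG;)'
)
RULES = [RULE_TEMPLATE.format(subj=s) for s in SUBJECTS]


def expand_vars(rule: str) -> str:
    """Replace $VAR references with their configured value."""
    return re.sub(r"\$(\w+)", lambda m: SNORT_VARS[m.group(1)], rule)


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into its header and an options dict.

    Options are ';'-separated (a '\\;' inside a value does not split);
    content values lose their quotes and the '\\:' escape used in the post.
    Flag options such as nocase are stored as True.
    """
    rule = expand_vars(rule)
    header, _, body = rule.partition("(")
    opts = {"header": header.strip()}
    for opt in re.split(r"(?<!\\);", body.rstrip(")")):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip()
        if key == "content":
            val = val.strip('"').replace("\\:", ":").replace("\\;", ";")
        opts[key.strip()] = val if val else True
    return opts


PARSED_RULES = [parse_rule(r) for r in RULES]


def content_matches(payload: str, opts: dict) -> bool:
    """Snort 'content' semantics: substring anywhere; nocase folds case."""
    needle, hay = opts["content"], payload
    if "nocase" in opts:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def evaluate(payload: str, rules=PARSED_RULES) -> list:
    """Return (msg, content, resp) for every rule that fires on the payload."""
    return [(r["msg"].strip('"'), r["content"], r.get("resp"))
            for r in rules if content_matches(payload, r)]


def strict_subject_hit(payload: str, subjects=SUBJECTS) -> list:
    """Tightened variant (assumed, not from the post): the whole Subject
    header line must equal the worm subject, case-insensitively. This is
    what an anchored Snort pcre on the header would give instead of a
    bare content match, so 'Subject: Highlights ...' no longer counts."""
    hits = []
    for s in subjects:
        pat = r"^Subject: " + re.escape(s) + r"\r?$"
        if re.search(pat, payload, re.M | re.I):
            hits.append(s)
    return hits


# Constructed SMTP DATA fragments (client -> server on port 25); not captures.
SAMPLES = {
    "worm_like": ("From: a@example.test\r\nTo: b@example.test\r\n"
                  "Subject: Mail Transaction Failed\r\n\r\nbody\r\n"),
    "legit_highlights": ("From: c@example.test\r\n"
                         "Subject: Highlights from the quarterly review\r\n\r\n"),
    "legit_status": "From: d@example.test\r\nSubject: Status\r\n\r\nall green\r\n",
    "legit_invoice": "From: e@example.test\r\nSubject: Invoice 4471 attached\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        loose = [h[1] for h in evaluate(payload)]
        strict = strict_subject_hit(payload)
        print(f"{name:18} content-match: {loose}  anchored: {strict}")
```

Running it shows the trade-off the post concedes: the loose rules fire on
"Subject: Highlights ..." because "Subject: Hi" is a substring of it, and every
hit carries resp:rst_all, so the legitimate sender's SMTP session is torn down
as well. Anchoring to the whole header line removes that class of false
positive, but a genuine message whose subject really is "Status" still matches
either way, which is why subject-based detection can only be a stopgap until the
mail scanner or AV layer catches the attachment itself.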