Snort mailing list archives

MyDoom DOS detection


From: <hugh_fraser () dofasco ca>
Date: Thu, 29 Jan 2004 18:19:48 -0500

I'd like to know how to get Snort to detect the DOS that MyDoom will
trigger. The characteristic would be a large number of GETs to one of
www.sco.com or www.microsoft.com in a short period of time. I've looked
at portscan2 to see if it could be done using that preprocessor, but
it's more appropriate for scans of multiple ports rather than a single
port.

I also thought of doing thresholding on a rule that watches outbound
connections to port 80 on those hosts, but that's an aggregate of all
outbound connections, and www.microsoft.com is a pretty popular site.

Suggestions?

Hugh Fraser
Dofasco Inc.
905-548-7200 ext. 6941

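The following is an added illustration, not part of Hugh's post and not Snort code. The concern in the post is that counting all outbound port-80 connections lumps every client together. Snort's `threshold` rule option can count per source address (`track by_src`), so a single client that bursts many GETs to www.sco.com or www.microsoft.com stands out even while the whole site population keeps browsing www.microsoft.com normally. The Python below reproduces that per-source sliding-window logic over constructed log lines (the timestamp, client address, target hosts, window of 60 seconds and count of 50 are all assumptions chosen for the example) so the difference between aggregate and per-source counting can be seen directly.

```python
"""Per-source burst detector for outbound GETs to a small set of target hosts.

Added example (not from the mailing-list post and not Snort's own code): it
models what a Snort rule using `threshold: track by_src` would count, so that
one client issuing many GETs to a target host is flagged while many clients
each issuing a few are not.
"""
import re
from collections import defaultdict, deque

# Hosts the post names as the DoS targets.
TARGET_HOSTS = {"www.sco.com", "www.microsoft.com"}
WINDOW_SECONDS = 60   # assumed window length
MAX_GETS = 50         # assumed per-client GET count that counts as a burst

# Constructed log format for this example: "<epoch> <client_ip> GET <url>"
LOG_LINE = re.compile(r"^(\d+)\s+(\S+)\s+GET\s+https?://([^/\s]+)", re.IGNORECASE)


class BurstDetector:
    """Sliding-window counter keyed by (client, target host)."""

    def __init__(self, window=WINDOW_SECONDS, max_gets=MAX_GETS, targets=TARGET_HOSTS):
        self.window = window
        self.max_gets = max_gets
        self.targets = {h.lower() for h in targets}
        self._hits = defaultdict(deque)   # (client, host) -> timestamps in window
        self._last_alert = {}             # (client, host) -> time of last alert

    def feed(self, line):
        """Consume one log line; return (client, host, count) when a burst fires."""
        m = LOG_LINE.match(line)
        if not m:
            return None
        ts, client, host = int(m.group(1)), m.group(2), m.group(3).lower()
        if host not in self.targets:
            return None                   # traffic to other sites is ignored
        key = (client, host)
        q = self._hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                   # drop GETs that fell out of the window
        if len(q) < self.max_gets:
            return None
        last = self._last_alert.get(key)
        if last is not None and ts - last < self.window:
            return None                   # already alerted for this window
        self._last_alert[key] = ts
        return (client, host, len(q))


def scan(lines):
    """Run the detector over an iterable of log lines; return all alerts."""
    det = BurstDetector()
    alerts = []
    for line in lines:
        hit = det.feed(line)
        if hit is not None:
            alerts.append(hit)
    return alerts


def constructed_sample():
    """Constructed sample traffic (not real data)."""
    base = 1075418400   # arbitrary epoch value
    lines = []
    # One client sends 60 GETs to www.sco.com within 30 seconds.
    for i in range(60):
        lines.append(f"{base + i // 2} 10.1.2.3 GET http://www.sco.com/")
    # Twenty ordinary clients each send 3 GETs to www.microsoft.com
    # (60 GETs in aggregate, but no single client is anywhere near 50).
    for n in range(20):
        for i in range(3):
            lines.append(f"{base + 10 + i} 10.1.5.{100 + n} GET http://www.microsoft.com/windows/")
    # Unrelated traffic that the detector must ignore.
    lines.append(f"{base} 10.1.2.3 GET http://www.example.com/")
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for client, host, count in scan(constructed_sample()):
        print(f"burst: {client} sent {count} GETs to {host} within {WINDOW_SECONDS}s")
```

Running it reports exactly one burst, from 10.1.2.3 to www.sco.com, and nothing for the twenty clients whose combined traffic to www.microsoft.com would have tripped an aggregate counter with the same limit.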

