Snort mailing list archives
MyDoom DOS detection
From: <hugh_fraser () dofasco ca>
Date: Thu, 29 Jan 2004 18:19:48 -0500
I'd like to know how to get Snort to detect the DOS that MyDoom will trigger. The characteristic would be a large number of GETs to one of www.sco.com or www.microsoft.com in a short period of time.

I've looked at portscan2 to see if it could be done using that preprocessor, but it's more appropriate for scans of multiple ports rather than a single port. I also thought of doing thresholding on a rule that watches outbound connections to port 80 on those hosts, but that's an aggregate of all outbound connections, and www.microsoft.com is a pretty popular site.

Suggestions?

Hugh Fraser
Dofasco Inc.
905-548-7200 ext. 6941
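Added worked example (editor's note; this is not part of the original message and not Snort's own code). The usual answer to the question above is to scope the rule to the target's address and use Snort's threshold keyword with track by_src, so that each internal client is counted on its own rather than all outbound port 80 traffic together. The Python below carries that Snort 2.x rule as a string (the IPs are TEST-NET placeholders, an assumption; substitute the resolved addresses) and replays constructed sample traffic through a small model of the thresholding, to show the aggregate version firing on ordinary browsing of a popular site while the scoped, per-source version fires only for the flooding host.

```python
"""Per-source GET-rate thresholding scoped to one destination.

Added example for the question above; it is not code from the thread or from
Snort. It shows why a threshold on "all outbound port 80" fires on normal
browsing of a popular site, while the same count/seconds threshold scoped to
the target's address and tracked by source fires only for the flooding host.
The IPs are TEST-NET placeholders (assumption), not the real addresses of
www.sco.com or www.microsoft.com.
"""
from collections import defaultdict, deque

SCO_WWW = "192.0.2.10"   # placeholder: resolve www.sco.com and substitute
MS_WWW = "192.0.2.20"    # placeholder: a popular site clients browse normally

# Snort 2.x rule expressing the scoped check with the rule-level threshold
# keyword (Snort 2.8.5 and later spell the same idea as detection_filter).
SNORT_RULE = r'''
var SCO_WWW [192.0.2.10]
alert tcp $HOME_NET any -> $SCO_WWW 80 (msg:"Possible MyDoom DoS client - excessive GETs to www.sco.com"; \
    flow:to_server,established; content:"GET "; depth:4; \
    threshold: type threshold, track by_src, count 30, seconds 10; \
    classtype:attempted-dos; sid:1000001; rev:1;)
'''


class GetRateThreshold:
    """Approximates `threshold: type threshold, track <key>, count N, seconds S`.

    Fires each time the tracked key accumulates N GETs inside an S-second
    window, then starts counting again (Snort's "every N events" behaviour).
    dst=None means the rule is not scoped to any destination address.
    """

    def __init__(self, dst, count, seconds, track="by_src"):
        self.dst, self.count, self.seconds, self.track = dst, count, seconds, track
        self.recent = defaultdict(deque)   # tracking key -> timestamps of counted GETs

    def observe(self, ts, src, dst, method):
        """Feed one request; return (ts, key) when the threshold fires, else None."""
        if method != "GET" or (self.dst is not None and dst != self.dst):
            return None
        key = {"by_src": src, "by_dst": dst, "aggregate": "*"}[self.track]
        q = self.recent[key]
        q.append(ts)
        while ts - q[0] > self.seconds:    # drop GETs that fell out of the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()                      # count the next N afresh, as Snort does
            return (ts, key)
        return None


def run(tracker, events):
    """Replay (ts, src, dst, method) tuples in time order and collect alerts."""
    alerts = []
    for event in sorted(events):
        hit = tracker.observe(*event)
        if hit:
            alerts.append(hit)
    return alerts


def constructed_traffic():
    """Constructed sample traffic, not a real capture.

    Returns (normal, flood): 20 desktops making 3 GETs each to www.microsoft.com
    over about 15 s, and one infected host sending 100 GETs to www.sco.com in 5 s.
    """
    normal = [(0.5 * i + 3.0 * k, f"10.1.1.{i + 1}", MS_WWW, "GET")
              for i in range(20) for k in range(3)]
    flood = [(2.0 + 0.05 * k, "10.1.1.200", SCO_WWW, "GET") for k in range(100)]
    return normal, flood


def run_demo(count=30, seconds=10):
    normal, flood = constructed_traffic()
    aggregate = GetRateThreshold(dst=None, count=count, seconds=seconds, track="aggregate")
    scoped = GetRateThreshold(dst=SCO_WWW, count=count, seconds=seconds, track="by_src")
    return {
        # the poster's first idea: every outbound GET counts, so browsing alone fires
        "aggregate_on_normal_only": run(aggregate, normal),
        # scoped to the target address and tracked per client: only the flooder fires
        "scoped_on_mixed": run(scoped, normal + flood),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name}: {len(alerts)} alert(s) from", sorted({k for _, k in alerts}))
```

Running the file prints the alert count and the tracked keys for each variant: the unscoped aggregate rule fires twice on the 60 ordinary GETs alone, while the scoped per-source rule fires three times (once per 30 GETs, since type threshold alerts on every Nth event) and only for 10.1.1.200. A normally browsing host never reaches the count, which is why scoping to the target's address and tracking by source avoids the www.microsoft.com false positives the poster is worried about.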