Snort mailing list archives

Re: MyDoom Outbound Impossible Detects


From: "McCash, John" <John.McCash () andrew com>
Date: Wed, 11 Feb 2004 10:26:03 -0600

Everyone,
        I've got some more information on this, and it gets even stranger...

I've been running tcpdump in parallel with snort to get a better idea of exactly what this is looking like. Oddly, when 
I look at the tcpdump output with ethereal, all the outbound detects I'm getting don't show up. I do get traffic 
to/from the specified hosts during the specified intervals, but it's got holes in it. 'TCP Previous segment lost' 
Ethereal calls it. I guessed that snort and tcpdump were conflicting somehow, or that tcpdump was silently dropping 
packets, but even after recompiling tcpdump with the MMAP patched libpcap, and as a brief test, killing off snort, I 
still get the same thing. Note also that my CPU utilization is only running 5-15%. To add insult to injury, I'm also 
noticing that my read packet errors are running between 8 and 15% on that interface. This seems to be a consequence of 
the port spanning on the switch that I'm using to aggregate my traffic.

I also notice that sometimes the snort analysis of the packet detects seems to have silently concatenated nonadjacent 
segments. The thing that most disturbs me about this is that I can't confirm any of the snort detects by analyzing a 
full tcpdump file of traffic directly. There's not any way snort could somehow be creating bogus alerts by 
reconstructing traffic incorrectly from incomplete data, is there? The specific alerts I'm having triggered are the 
'VIRUS OUTBOUND .pif file attachment' rule, and similar ones for .scr, .exe, and .bat.

Looking at the most complete snort packet decodes of these, I see what looks like an outbound SMTP session from my mail 
filter to an external mail filter, with a recipient of user () andrew com, where user is one of the bogus names that 
MyDoom adds to its domain when it attempts to spread. Of course, as I said before, my mail filter is configured to send 
messages addressed this way INBOUND to my mail servers rather than this way...

If this keeps up I'm gonna need a rubber room.
                John
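One check that would settle the question raised in the post, added here as an example rather than code from the post or from Snort: walk the tcpdump capture's TCP segments for the flagged flow, record every point where the sequence number jumps ahead of what was expected (the condition Ethereal labels 'TCP Previous segment lost'), and flag any alert whose flow has such a gap close to the alert time. The addresses, timestamps and segment records below are constructed, not taken from a real capture.

```python
from collections import namedtuple

# One TCP segment as seen in a capture (constructed records, not a real pcap).
Segment = namedtuple("Segment", "ts src dst seq length syn")

def find_gaps(segments):
    """Per flow, flag every segment whose seq is beyond the next expected seq,
    i.e. bytes the capture never saw (Ethereal: 'Previous segment lost').
    Returns (ts, flow, expected_seq, got_seq, missing_bytes) tuples; seq values
    below the expected one (retransmits/overlaps) are not counted as gaps."""
    next_seq = {}
    gaps = []
    for s in sorted(segments, key=lambda x: x.ts):
        flow = (s.src, s.dst)
        if s.syn:
            next_seq[flow] = s.seq + 1          # SYN consumes one sequence number
            continue
        if flow not in next_seq:                # first segment seen mid-stream
            next_seq[flow] = s.seq + s.length
            continue
        expected = next_seq[flow]
        if s.seq > expected:
            gaps.append((s.ts, flow, expected, s.seq, s.seq - expected))
        next_seq[flow] = max(expected, s.seq + s.length)
    return gaps

def alerts_near_loss(alerts, gaps, window=2.0):
    """alerts: (ts, src, dst) tuples from the IDS. Returns the alerts whose flow
    has a capture gap within `window` seconds of the alert: detects that should
    not be trusted until confirmed against a loss-free capture."""
    suspect = []
    for ts, src, dst in alerts:
        for gts, flow, *_ in gaps:
            if flow == (src, dst) and abs(gts - ts) <= window:
                suspect.append((ts, src, dst))
                break
    return suspect

# Constructed outbound SMTP session: mail filter -> external relay, with 500
# bytes missing between the second and third data segments.
MF, RELAY = "10.0.0.5:2500", "203.0.113.7:25"
SEGMENTS = [
    Segment(0.00, MF, RELAY, 0,   0,   True),
    Segment(0.10, MF, RELAY, 1,   100, False),
    Segment(0.20, MF, RELAY, 101, 200, False),
    Segment(0.90, MF, RELAY, 801, 100, False),   # expected 301: 500 bytes lost
    Segment(1.00, MF, RELAY, 901, 50,  False),
]
ALERTS = [(1.0, MF, RELAY), (30.0, MF, RELAY)]   # second alert is far from any gap
```

Running `find_gaps(SEGMENTS)` reports one gap (expected seq 301, got 801, 500 bytes missing), and `alerts_near_loss` returns only the alert at t=1.0, which is the one that needs confirming against a clean capture.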
