Snort mailing list archives
Re: MyDoom Outbound Impossible Detects
From: "McCash, John" <John.McCash () andrew com>
Date: Wed, 11 Feb 2004 10:26:03 -0600
Everyone, I've got some more information on this, and it gets even stranger... I've been running tcpdump in parallel with snort to get a better idea of exactly what this is looking like. Oddly, when I look at the tcpdump output with ethereal, all the outbound detects I'm getting don't show up. I do get traffic to/from the specified hosts during the specified intervals, but it's got holes in it: 'TCP Previous segment lost', Ethereal calls it. I guessed that snort and tcpdump were conflicting somehow, or that tcpdump was silently dropping packets, but even after recompiling tcpdump with the MMAP-patched libpcap, and, as a brief test, killing off snort, I still get the same thing. Note also that my CPU utilization is only running 5-15%.

To add insult to injury, I'm also noticing that my read packet errors are running between 8 and 15% on that interface. This seems to be a consequence of the port spanning on the switch that I'm using to aggregate my traffic. I also notice that sometimes the snort analysis of the packet detects seems to have silently concatenated nonadjacent segments. The thing that most disturbs me about this is that I can't confirm any of the snort detects by analyzing a full tcpdump file of traffic directly. There's not any way snort could somehow be creating bogus alerts by reconstructing traffic incorrectly from incomplete data, is there?

The specific alerts I'm having triggered are the 'VIRUS OUTBOUND .pif file attachment' rule, and similar ones for .scr, .exe, and .bat. Looking at the most complete snort packet decodes of these, I see what looks like an outbound SMTP session from my mail filter to an external mail filter, with a recipient of user () andrew com, where user is one of the bogus names that MyDoom adds to its domain when it attempts to spread. Of course, as I said before, my mail filter is configured to send messages addressed this way INBOUND to my mail servers rather than this way... If this keeps up I'm gonna need a rubber room.
John
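As an added example (not part of John's post or of the Snort project), here is a small Python check for the situation described above: it parses tcpdump -nn output for a flow and reports the sequence-number holes that Ethereal labels 'TCP Previous segment lost', so that an alert which depends on stream reassembly can be confirmed against a complete capture before it is trusted. The tcpdump lines are constructed, and the code assumes tcpdump's default relative sequence numbering (first payload byte is seq 1).

```python
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]          # [seq_start, seq_end) of one segment's payload
Flow = Tuple[str, str]           # (src host.port, dst host.port), one direction

# Matches a tcpdump -nn line that carries TCP payload ("seq a:b" only appears
# when length > 0; pure ACKs print "seq a" and are skipped on purpose).
TCP_LINE = re.compile(
    r"IP (?P<src>[\d.]+\.\d+) > (?P<dst>[\d.]+\.\d+): Flags \[[^\]]*\], "
    r"seq (?P<start>\d+):(?P<end>\d+),"
)

# Constructed sample: an SMTP client-to-server direction where one full 1460-byte
# segment (61:1521) never reached the sniffer, plus one retransmission (21:61).
SAMPLE_TCPDUMP = """\
IP 10.0.0.5.43120 > 192.0.2.10.25: Flags [P.], seq 1:21, ack 1, win 512, length 20
IP 192.0.2.10.25 > 10.0.0.5.43120: Flags [P.], seq 1:36, ack 21, win 512, length 35
IP 10.0.0.5.43120 > 192.0.2.10.25: Flags [P.], seq 21:61, ack 36, win 512, length 40
IP 10.0.0.5.43120 > 192.0.2.10.25: Flags [P.], seq 1521:2981, ack 36, win 512, length 1460
IP 10.0.0.5.43120 > 192.0.2.10.25: Flags [P.], seq 21:61, ack 36, win 512, length 40
""".splitlines()


def parse_segments(lines: List[str]) -> Dict[Flow, List[Range]]:
    """Group the payload ranges seen on the wire by flow direction."""
    flows: Dict[Flow, List[Range]] = {}
    for line in lines:
        m = TCP_LINE.search(line)
        if m:
            flows.setdefault((m["src"], m["dst"]), []).append(
                (int(m["start"]), int(m["end"])))
    return flows


def find_gaps(ranges: List[Range], first_seq: int = 1) -> List[Range]:
    """Return the [start, end) byte ranges that no captured segment covers.

    Out-of-order and overlapping segments (retransmissions) are tolerated; only
    genuine holes are reported, which is what a reassembler cannot bridge.
    """
    gaps: List[Range] = []
    covered_to = first_seq
    for start, end in sorted(ranges):
        if start > covered_to:
            gaps.append((covered_to, start))
        covered_to = max(covered_to, end)
    return gaps


def stream_gaps(lines: List[str]) -> Dict[Flow, List[Range]]:
    """Per direction, the holes a stream reassembler would have to work around."""
    return {flow: find_gaps(ranges) for flow, ranges in parse_segments(lines).items()}
```

A direction with a non-empty gap list means any alert built from that stream's reassembled payload was fired on incomplete data and should be checked against the packet-level capture rather than taken at face value.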