[Snort-sigs] RE: [Snort-users] MyDoom/Novarg

Martin Jr., D. Michael martinm at ...1927...
Mon Feb 2 06:43:00 EST 2004


I have been using the following rule to detect possible machines that
were infected by the MyDoom/Novarg worm:

alert tcp any any -> any 25 (msg:"VIRUS - MyDoom/MIMAIL.R Outbound 3"; \
    content:"The message contains Unicode characters and has been sent as a binary"; \
    content:"Content-Type\: application/octet-stream"; \
    content:"Content-Transfer-Encoding\: base64"; nocase; \
    rev:4; sid:1000571; classtype:Possible-VIRUS;)

The bizarre thing is that I appear to be getting some false positives
from machines that are Macintosh computers.

#0-(1-13) [snort] VIRUS - MyDoom/MIMAIL.R Outbound 3
2004-01-29 16:55:48   10.0.7.253:52909        205.152.59.16:25
TCP     
#1-(1-14) [snort] VIRUS - MyDoom/MIMAIL.R Outbound 3
2004-01-29 16:55:48   10.0.7.253:52909        205.152.59.16:25
TCP     
....
#9-(1-28) [snort] VIRUS - MyDoom/MIMAIL.R Outbound 3
2004-01-29 18:06:34   10.0.7.146:49709        10.0.2.40:25        TCP

#10-(1-29)[snort] VIRUS - MyDoom/MIMAIL.R Outbound 3
2004-01-29 18:06:34   10.0.7.146:49709        10.0.2.40:25        TCP

....

I realize that all this rule does is look for "The message contains
Unicode characters and has been sent as a binary" on port 25.  But why
would a Macintosh computer be sending this?

Has anyone else had instances of false-positives with this rule?

Thanks,

D. Michael Martin
University of Montevallo
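Added example, not part of the original post or of Snort itself: a small Python emulation of the three content checks the posted rule performs, run over constructed SMTP payloads (no captured traffic). It shows that the contents are unordered (each only has to appear somewhere in the payload), that `nocase` applies only to the content it follows (the Content-Transfer-Encoding string), and which individual contents a given message hits, which helps when triaging alerts like the ones listed above.

```python
"""Emulate the content matching of the posted MyDoom/MIMAIL.R Snort rule.

Added illustration only; the payloads below are constructed, not real mail.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentMatch:
    """One Snort 'content' option, optionally with the nocase modifier."""
    pattern: bytes
    nocase: bool = False

    def matches(self, payload: bytes) -> bool:
        if self.nocase:
            return self.pattern.lower() in payload.lower()
        return self.pattern in payload


# Content strings copied from the posted rule.  In Snort a modifier such as
# nocase applies to the content option immediately before it, so only the
# Content-Transfer-Encoding match is case-insensitive here.
RULE_CONTENTS = (
    ContentMatch(b"The message contains Unicode characters and has been sent as a binary"),
    ContentMatch(b"Content-Type: application/octet-stream"),
    ContentMatch(b"Content-Transfer-Encoding: base64", nocase=True),
)


def matched_contents(payload: bytes) -> list[str]:
    """Return the rule's content strings that occur in the payload (triage aid)."""
    return [c.pattern.decode() for c in RULE_CONTENTS if c.matches(payload)]


def rule_fires(payload: bytes, dst_port: int = 25) -> bool:
    """The rule alerts when the destination port is 25 and every content matches.

    Content options are unordered: the strings may appear anywhere in the payload.
    """
    if dst_port != 25:
        return False
    return all(c.matches(payload) for c in RULE_CONTENTS)


# Constructed MIME message resembling the worm's fake bounce: the bounce-like
# sentence plus a base64 encoded application/octet-stream attachment.
WORM_LIKE = (
    b"From: constructed-sender@example.invalid\r\n"
    b"Subject: Mail Delivery System\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"The message contains Unicode characters and has been sent as a binary attachment.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream; name=\"file.zip\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"UEsDBBQAAAAIAA==\r\n"
    b"--b1--\r\n"
)

# Constructed ordinary mail with a base64 attachment but no bounce sentence:
# two of three contents hit, so the rule must not fire.
LEGIT_ATTACHMENT = WORM_LIKE.replace(
    b"The message contains Unicode characters and has been sent as a binary attachment.",
    b"Please find the attached file.",
)

# Lower-cased transfer-encoding header: still fires, because that content has nocase.
HEADER_CASE_VARIANT = WORM_LIKE.replace(
    b"Content-Transfer-Encoding: base64", b"content-transfer-encoding: BASE64"
)

# Lower-cased bounce sentence: does not fire, because the first content is case-sensitive.
BODY_CASE_VARIANT = WORM_LIKE.replace(
    b"The message contains Unicode", b"the message contains unicode"
)


if __name__ == "__main__":
    for name, payload in [("worm-like", WORM_LIKE), ("legit attachment", LEGIT_ATTACHMENT),
                          ("header case variant", HEADER_CASE_VARIANT),
                          ("body case variant", BODY_CASE_VARIANT)]:
        print(f"{name:20s} fires={rule_fires(payload)} matched={matched_contents(payload)}")
```

Running the block prints, for each constructed payload, whether the rule would alert and which contents matched; the same `matched_contents` check applied to a captured suspect session shows which of the three strings the Macintosh hosts are actually sending.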
