[Snort-sigs] High traffic to microsoft.com port 80
bensona at ...2244...
Wed Feb 18 10:39:09 EST 2004
We are seeing hosts with symptoms of mydoom.b (5 connection attempts per
second to one or all of the IPs associated with www.microsoft.com on port
80), but when we go investigate, we can't find any instance of mydoom
anywhere. Is there a program of some sort that would cause a host to send a
lot of traffic on port 80 to Microsoft? I thought it could be automatic
updates, but the IPs associated with windowsupdate are different. I don't
think someone's homepage set to www.microsoft.com would cause 2500
connections in a few hours. I know there are more specific rules for mydoom
and doomjuice, but they aren't triggering. So out of curiosity I just wrote a
simple rule to detect any traffic from our site to port 80 on any
Microsoft.com IP. I expected some traffic but not this much.
Assistant ResNet Coordinator
Nixon Hall - ResNet
E-Mail: bensona at ...2244...
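The rate check the post describes (about 5 attempts per second to the www.microsoft.com addresses on port 80), as an added example that is not part of the original post: it reads simple flow records, counts attempts per source to a watched destination set, and reports sources whose peak rate inside a one-second sliding window reaches the threshold. The watched addresses, the record format and the log lines are constructed; a real deployment would substitute the addresses www.microsoft.com resolves to at the time.

```python
from collections import defaultdict

# Constructed stand-ins for the www.microsoft.com addresses (documentation range).
WATCHED_DST = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}
WATCHED_PORT = 80
THRESHOLD = 5   # attempts per window; the post reports about 5 per second
WINDOW = 1.0    # seconds

def parse_flow(line):
    """Parse a constructed 'epoch src dst dport' record; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def peak_rate(timestamps, window=WINDOW):
    """Most events falling inside any sliding window of `window` seconds."""
    times = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] >= window:   # drop events older than the window
            left += 1
        best = max(best, right - left + 1)
    return best

def find_noisy_sources(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak rate} for sources at or above threshold to watched IPs:80."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec and rec[2] in WATCHED_DST and rec[3] == WATCHED_PORT:
            per_src[rec[1]].append(rec[0])
    return {src: r for src, ts in per_src.items()
            if (r := peak_rate(ts, window)) >= threshold}

# Constructed flows: 10.0.0.5 fires 7 attempts in 0.6 s, 10.0.0.9 loads one page.
SAMPLE_LOG = (
    [f"{1077118749 + i / 10:.1f} 10.0.0.5 198.51.100.1{i % 3} 80" for i in range(7)]
    + ["1077118752.0 10.0.0.5 198.51.100.10 80",
       "1077118749.0 10.0.0.9 198.51.100.10 80",
       "1077118752.0 10.0.0.9 198.51.100.11 80",
       "1077118749.0 10.0.0.5 198.51.100.10 443",  # not port 80, ignored
       "1077118749.5 10.0.0.9 203.0.113.5 80",     # not a watched IP, ignored
       "garbage line"]                              # malformed, skipped
)
```

`find_noisy_sources(SAMPLE_LOG)` returns `{'10.0.0.5': 7}`; the browsing host and the traffic to other destinations or ports stay below the threshold or are never counted.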