[Snort-sigs] High traffic to microsoft.com port 80

Andrew Benson bensona at ...2244...
Wed Feb 18 10:39:09 EST 2004


We are seeing hosts with symptoms of mydoom.b (5 connection attempts per
second to one or all of the IPs associated with www.microsoft.com on port 80),
but when we go investigate, we can't find any instance of mydoom anywhere.
Is there a program of some sort that would cause a host to send a lot of
traffic on port 80 to Microsoft?  I thought it could be Automatic Updates,
but the IPs associated with windowsupdate are different.  I don't think
someone's homepage set to www.microsoft.com would cause 2500 connections in
a few hours.  I know there are more specific rules for mydoom and doomjuice,
but they aren't triggering.  So out of curiosity I just wrote a simple rule
to detect any traffic from our site to port 80 on any microsoft.com IP.  I
expected some traffic, but not this much.

Any ideas?

Andrew Benson
Assistant ResNet Coordinator
Nixon Hall - ResNet
Office: 716-673-3668
Cell:    716-679-8043
E-Mail: bensona at ...2244...
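
The rate check the poster describes (five connection attempts per second to one or all of the www.microsoft.com addresses, with the windowsupdate addresses counted separately so Automatic Updates traffic is not confused with the worm pattern), run over Snort fast-format alert lines from a catch-all "anything to port 80 on a microsoft.com IP" rule. This is an added example and not code from the original post: the two IP sets are RFC 5737 placeholder addresses rather than Microsoft's real ones, the alert lines are constructed for the demo, and the rule text in the comment is an illustrative Snort 2 rule of the kind the poster says he wrote, not his actual rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder address sets (RFC 5737 documentation ranges, NOT Microsoft's real
# addresses). The poster notes the www.microsoft.com and windowsupdate IPs differ,
# so the two are classified separately.
WWW_MICROSOFT_IPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}
WINDOWSUPDATE_IPS = {"198.51.100.20", "198.51.100.21"}

# Illustrative Snort 2 rule (assumed, not the poster's) that would produce the
# alerts parsed below; the threshold option fires once a source hits 5 SYNs/second:
#   alert tcp $HOME_NET any -> [192.0.2.0/24] 80 (msg:"LOCAL outbound to www.microsoft.com port 80";
#     flags:S; threshold:type threshold, track by_src, count 5, seconds 1; sid:1000001; rev:1;)

# Snort "fast" alert line, e.g.
# 02/18-10:39:09.000000 [**] [1:1000001:1] LOCAL ... [**] [Priority: 3] {TCP} 10.1.2.3:40000 -> 192.0.2.10:80
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] (?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line, year=2004):
    """Parse one fast-format alert line; fast format carries no year, so it is supplied."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def classify(dst):
    if dst in WWW_MICROSOFT_IPS:
        return "www"
    if dst in WINDOWSUPDATE_IPS:
        return "update"
    return "other"


def find_noisy_hosts(lines, rate_count=5, window=timedelta(seconds=1)):
    """Per source host: connection counts per destination class, plus a 'burst' flag
    set when rate_count or more attempts to the www set fall inside one window."""
    alerts = sorted((a for a in map(parse_alert, lines) if a), key=lambda a: a["ts"])
    stats = defaultdict(lambda: {"www": 0, "update": 0, "other": 0, "burst": False})
    recent = defaultdict(deque)  # src -> timestamps of www-set attempts inside the window
    for a in alerts:
        if a["dport"] != 80:
            continue
        cls = classify(a["dst"])
        s = stats[a["src"]]
        s[cls] += 1
        if cls == "www":
            q = recent[a["src"]]
            q.append(a["ts"])
            while q and a["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= rate_count:
                s["burst"] = True
    return dict(stats)


def suspects(stats):
    """Hosts showing the mydoom.b-like burst to the www set."""
    return sorted(src for src, s in stats.items() if s["burst"])


def _fast_line(ts, src, sport, dst, dport=80, sid=1000001):
    # Builds a constructed fast-alert line for the demo (not captured traffic).
    return (f"{ts:%m/%d-%H:%M:%S.%f} [**] [1:{sid}:1] LOCAL outbound to port 80 [**] "
            f"[Priority: 3] {{TCP}} {src}:{sport} -> {dst}:{dport}")


def sample_alerts():
    """Constructed sample: one bursting host, one Automatic Updates-like host, one browser."""
    base = datetime(2004, 2, 18, 10, 39, 9)
    lines = []
    for i in range(6):  # 10.1.2.3: six attempts to the www set inside one second
        lines.append(_fast_line(base + timedelta(milliseconds=150 * i), "10.1.2.3", 40000 + i, "192.0.2.10"))
    for i in range(3):  # 10.1.2.4: three attempts to windowsupdate over ten minutes
        lines.append(_fast_line(base + timedelta(minutes=5 * i), "10.1.2.4", 50000 + i, "198.51.100.20"))
    for i in range(2):  # 10.1.2.5: two attempts to the www set, well spaced
        lines.append(_fast_line(base + timedelta(seconds=30 * i), "10.1.2.5", 60000 + i, "192.0.2.11"))
    lines.append("this is not an alert line and must be skipped")
    return lines


if __name__ == "__main__":
    stats = find_noisy_hosts(sample_alerts())
    for src, s in sorted(stats.items()):
        print(src, s)
    print("suspects:", suspects(stats))
```

Feed it the real `alert` file from the catch-all rule (and the real address sets) and the output separates hosts that merely touch www.microsoft.com from hosts that hammer it at worm-like rates; the windowsupdate column is there so a host that is simply fetching updates does not end up on the suspect list.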
