[Snort-users] regarding snort rules

naganandas naganandas at ...6743...
Sun Feb 1 21:10:02 EST 2004


hi
 I have installed Snort on Red Hat 8 and it was successful, but whenever I initialize Snort with the command #snort -A full -c snort.conf
it says after initialization that
0 Snort rules read
0 dynamic rules etc...
What does this mean?
Also I need to get SNMP traps to the NMS station, i.e. OpenNMS.
Any help would be appreciated.
thanks
nanda



snort-users at lists.sourceforge.net wrote:
Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: Temporary "solution" to MyDoom worm (snort-ml)
   2. Fw: Why logging the attacked one? (Gabriel Moricz)
   3. Re: cost/benefit analysis of running Snort (M. Morgan)
   4. GateKeeper for snort (Alon Noy)
   5. RE: Installing Snort on SuSe Linux machine (KS)
   6. Re[2]: [Snort-users] Temporary "solution" to MyDoom worm (Fabio Bastiglia Oliva)
   7. Re[2]: [Snort-users] Temporary "solution" to MyDoom worm (Fabio Bastiglia Oliva)

--__--__--

Message: 1
From: snort-ml <snort-ml at ...10169...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Temporary "solution" to MyDoom worm
Date: Fri, 30 Jan 2004 11:56:30 -0500

Could you explain what you mean by "mail scanner"? Like an AV software?

--ALEX

-----Original Message-----
From: Fabio Bastiglia Oliva [mailto:fboliva at ...674...]
Sent: Wednesday, January 28, 2004 8:42 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Temporary "solution" to MyDoom worm
Importance: High


Hi guys,


hehe...  After all these years posting to some lists, also talking to
foreign friends, I could not make my English better... so... before
anything else, sorry about my bad English. :)

I've made a piggy solution to make MyDoom worm (Novarg.A, Shimg.A,
Mimail.R) stop hitting mail servers. It's not the best solution, I
know, but these rules can help if you have some kind of mail scanner
on your mail server; these rules will make the mail server's CPU usage
decrease.

I'm using the possible MyDoom Subjects to detect it... Of course, it's
not 100% accurate, but it's helping my mail servers a lot.

It's necessary to use Flexible Response to make it work.

Below is the FlexResp config I'm using for these rules:
var RESP_TCP_URG resp:rst_all

These are the rules:

alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
flow:to_server,established; content:"Subject\: Error"; nocase;
classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
flow:to_server,established; content:"Subject\: Status"; nocase;
classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
flow:to_server,established; content:"Subject\: Server Report"; nocase;
classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
flow:to_server,established; content:"Subject\: Mail Transaction Failed";
nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
flow:to_server,established; content:"Subject\: Mail Delivery System";
nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
flow:to_server,established; content:"Subject\: Hello"; nocase;
classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
flow:to_server,established; content:"Subject\: Hi"; nocase;
classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
flow:to_server,established; content:"Subject\: Test"; nocase;
classtype:misc-activity; rev:1;$RESP_TCP_URG;)

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva at ...674...



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
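The rules above fire on a fixed Subject substring in client-to-server traffic on port 25 and, through the FlexResp variable, tear the session down. The following Python script is an added example, not code from the thread or from Snort: it parses the eight posted rules with a small parser that understands only the option subset they use (msg, flow, content/nocase, classtype, rev, resp), applies the port, flow-direction and case-insensitive substring checks to a few constructed SMTP DATA fragments, and counts how many resets would land on legitimate mail. The session model (dport, direction flag, payload) and all sample payloads are constructed for the example.

```python
import re

# Constructed for this example: the FlexResp variable and the eight rules as
# they were posted in the thread, one rule per line.
RULE_VARS = {"RESP_TCP_URG": "resp:rst_all"}
POSTED_RULES = r"""
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Error"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Status"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Server Report"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Transaction Failed"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Mail Delivery System"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hello"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Hi"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming"; flow:to_server,established; content:"Subject\: Test"; nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
"""

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# One option: key[:value]; where a quoted value may contain backslash escapes
OPTION_RE = re.compile(r'\s*([\w-]+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(line, variables):
    """Parse one rule of the subset used in the post. $VAR references are
    expanded first; backslash escapes inside content (e.g. \\:) are removed."""
    line = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], line)
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule: " + line)
    opts = {k: v for k, v in OPTION_RE.findall(m.group(7))}
    content = re.sub(r"\\(.)", r"\1", opts["content"].strip('"'))
    return {
        "msg": opts["msg"].strip('"'),
        "dport": m.group(6),
        "content": content,
        "nocase": "nocase" in opts,
        "to_server": "to_server" in opts.get("flow", ""),
        "resp": opts.get("resp"),
    }


def load_rules(text, variables=RULE_VARS):
    return [parse_rule(l, variables) for l in text.strip().splitlines()]


def rule_matches(rule, session):
    """Destination port, flow direction and (case-insensitive) substring match,
    the three checks the posted rules rely on."""
    if rule["dport"] != "any" and int(rule["dport"]) != session["dport"]:
        return False
    if rule["to_server"] and not session["to_server"]:
        return False
    hay, needle = session["payload"], rule["content"]
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


# Constructed SMTP DATA fragments; "legit" marks mail that should not be reset.
SESSIONS = [
    dict(name="mydoom-style bounce lure", dport=25, to_server=True, legit=False,
         payload="Subject: Mail Transaction Failed\r\n\r\n(binary attachment)"),
    dict(name="plain greeting", dport=25, to_server=True, legit=True,
         payload="Subject: Hi Bob, lunch on Friday?\r\n"),
    dict(name="substring hit", dport=25, to_server=True, legit=True,
         payload="Subject: History lecture notes\r\n"),
    dict(name="nocase hit", dport=25, to_server=True, legit=True,
         payload="Subject: hello from the Frankfurt office\r\n"),
    dict(name="wrong direction", dport=25, to_server=False, legit=True,
         payload="Subject: Error\r\n"),
    dict(name="submission port", dport=587, to_server=True, legit=False,
         payload="Subject: Test\r\n"),
]


def evaluate(rules, sessions):
    """Return {session name: [content strings of the rules that fired]}."""
    return {s["name"]: [r["content"] for r in rules if rule_matches(r, s)]
            for s in sessions}


def reset_summary(rules, sessions):
    """Count sessions that resp:rst_all would tear down, and how many of those
    are legitimate mail (the false-positive cost of subject matching)."""
    resets = [s for s in sessions
              if any(r["resp"] == "rst_all" and rule_matches(r, s) for r in rules)]
    return {"reset": len(resets), "legit_reset": sum(1 for s in resets if s["legit"])}


if __name__ == "__main__":
    rules = load_rules(POSTED_RULES)
    for name, fired in evaluate(rules, SESSIONS).items():
        print(f"{name:28s} -> {fired or 'no alert'}")
    print(reset_summary(rules, SESSIONS))
```

Two things the run makes visible that the rule text alone does not: `content` is a plain substring match, so "Subject: Hi" also fires on "Subject: History ..." (and, with nocase, on any capitalisation), and the header only covers port 25 in the client-to-server direction, so mail submitted on 587 or any server-side data is never seen. In the constructed set, four sessions get reset and three of them are legitimate mail.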


--__--__--

Message: 2
From: "Gabriel Moricz" <gabriel at ...11057...>
To: <snort-users at lists.sourceforge.net>
Date: Fri, 30 Jan 2004 15:04:27 -0200
Subject: [Snort-users] Fw: Why logging the attacked one?


Hello at all...

I am having a problem..


[**] MS-SQL Worm propagation attempt [**]
01/29-15:49:31.148746 64.63.254.192:0 -> 200.231.117.114:3128
TCP TTL:112 TOS:0x0 ID:676 IpLen:20 DgmLen:40 DF
******S* Seq: 0x3DE75  Ack: 0x0  Win: 0x200  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


As you can see in this alert my network is 200.231.117.114 and it logged
creating a folder with this IP and not with the attacker IP..
How can I tell snort to log and create the folder with the attacker IP
name??


Thanks and I hope that some good heart help me this time... ;-)

Gabriel Moricz




--__--__--

Message: 3
Date: Thu, 29 Jan 2004 10:25:07 -0500 (GMT-05:00)
From: "M. Morgan" <mikemorgan at ...468...>
Reply-To: "M. Morgan" <mikemorgan at ...468...>
To: Tom Fulton <tfulton9909 at ...5068...>, snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] cost/benefit analysis of running Snort

Tom,
I realize your question is directed specifically towards Snort but there are many documents available that can help you with your efforts.

Read some of these regarding "return on investment"
http://www.securityfocus.com/swsearch?query=ROI&sbm=%2F&metaname=alldoc&sort=swishrank

thanks,
Michael


-----Original Message-----
From: Tom Fulton <TFULTON9909 at ...11086...>
Sent: Jan 23, 2004 6:38 PM
To: snort-users at ...6193...sts.sourceforge.net
Subject: [Snort-users] cost/benefit analysis of running Snort

I'm trying to come up with a cost/benefit analysis of running Snort in a network, in general terms?
Can you add anything that you see is missing or wrong?

A.      COSTS:
        I would guess costs are mostly in Human time (FTE) functions:

        -Installation, configuration
        -Locking down/securing the boxes' processes (i.e.: Bastille scripts, etc)
        -Patching
        -Monitoring snort logs to determine legitimate alerts
        -Adding, changing fine tuning filter rules
        -Ideally a 24/7 operation requiring HOW MANY FTEs per shift?  What does the number of FTEs depend upon?
        -What is the "cost" of having only one shift covered?

        But also hardware and software costs:

        -Dedicated PCs (how many?)
        -Operating system and Support agreements for the OS
        -Network bandwidth (how do you address questions of how much network speed is affected by Snort boxes?)

# How do you scale?
# The book: "Snort 2.0 Intrusion Detection" discusses different architectures but doesn't give any kind of Rule of Thumb for number of boxes per architecture.  Yes, I know it depends upon the processor, RAM and BUS speed, etc... but beyond that, how do you define?
# Would it be safe to say that once you see that you are dropping packets you need to add another box?  Is it just trial and error ONLY?

B.      BENEFITS:
        -They can alert you to the presence of attacks (internal and external) the majority of attacks occur, knowingly or unknowingly, from within the network)
        -Identifies vulnerabilities and weaknesses in the perimeter protection devices: firewalls and routers
        -"What you don't know CAN hurt you"
        -Preventative knowledge: IDSs can alert you to reconnaissance scanning in your network which can alert you to impending attacks
        -Helps enforce security policies
        -Great sources of forensic evidence
        -Inline IDSs can halt active attacks on your network
        -Rounds out an overall security model

Can you add anything or correct me?
Thanks,


--__--__--

Message: 4
From: "Alon Noy" <anoy at ...11050...>
To: <snort-users at lists.sourceforge.net>
Date: Fri, 30 Jan 2004 19:03:20 +0100
Subject: [Snort-users] GateKeeper for snort

Hello all,
 
Since I put GateKeeper up for download, 3 days ago, I had 265 visits, 62
downloads and ... ONE reply (Thank you Milo). I would appreciate some
feedback.
Anyway, GateKeeper v1.01 is now available also as an RPM.

For downloads go to:
http://www.arti-shock.com/gatekeeper/


Cheers,
 




--__--__--

Message: 5
From: "KS" <kanwaljeet at ...10300...>
To: "John Ceballos-contr" <John.Ceballos-contr at ...9411...>,
	<snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Installing Snort on SuSe Linux machine
Date: Sat, 31 Jan 2004 00:19:52 +0530

Hey John,

I have done a successful installation of Snort with ACID on SuSE Linux.
However it took me a hell of a lot of time to make MySQL work on it. Everything
else went smoothly. I couldn't find any official doc on it, so I followed
the "Snort on Red Hat Linux" guide with slight modifications. Since
there is a difference in directory structure between Red Hat Linux and SuSE, you
need to be careful with regard to copying and installation of packages so
that changes are made in the appropriate directories and files.

Cheers!
Kanwal

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of John
Ceballos-contr
Sent: Thursday, January 29, 2004 10:43 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Installing Snort on SuSe Linux machine


Hello all!

I was wondering if anybody has done a successful installation of Snort with
ACID on a SuSe Linux machine. Or, is there an un/official doc that tells you
how to do this. Thanks and talk to you all later!






--__--__--

Message: 6
Date: Fri, 30 Jan 2004 16:51:14 -0200
From: Fabio Bastiglia Oliva <fboliva at ...674...>
Reply-To: Fabio Bastiglia Oliva <fboliva at ...674...>
Organization: Safe Networks
To: 'snort-users at lists.sourceforge.net' <snort-users at lists.sourceforge.net>
CC: snort-ml <snort-ml at ...10169...>
Subject: Re[2]: [Snort-users] Temporary "solution" to MyDoom worm

Hello Alex,

Sorry if I wasn't clear enough... Yep, when I said mail scanner I was
referring to AV scanners.

This  "solution"  can  help  to decrease the cpu usage by aborting the
communication when some subjects are detected.

My  company  mail  servers  had a cpu usage decrease of 50% after I've
inserted these rules to Snort.

As  I  said  before, It's not the best solution... but... It's working
for me.

Best Regards
________________________
Fabio Bastiglia Oliva
fboliva at ...674...



Friday, January 30, 2004, 2:56:30 PM, you wrote:

sm> Could you explain what you mean by "mail scanner"? Like an AV software?

sm> --ALEX

sm> -----Original Message-----
sm> From: Fabio Bastiglia Oliva [mailto:fboliva at ...674...]
sm> Sent: Wednesday, January 28, 2004 8:42 AM
sm> To: snort-users at lists.sourceforge.net
sm> Subject: [Snort-users] Temporary "solution" to MyDoom worm
sm> Importance: High


sm> Hi guys,


sm> hehe...  After  all  this years posting to some lists, also talking to
sm> foreign  friends,  I  could not make my english better... so... before
sm> anything else, sorry about my bad english. :)

sm> I've  mada  a  piggy  solution to make MyDoom worm (Novarg.A, Shimg.A,
sm> Mimail.R)  stop  hitting  mail  servers. It's not the best solution, I
sm> know,  but  these rules can help if you have some kind of mail scanner
sm> to  your mail server, this rules will make the mail server's cpu usage
sm> decrease.

sm> I'm using the MyDoom possible Subjects to detect it... Of course, it's
sm> not 100% accurate, but it's helping a lot my mail servers.

sm> It's necessary to use Flexible Response to make it work.

sm> Below is the FlexResp config I'm using to this rule.
sm> var RESP_TCP_URG resp:rst_all

sm> These  are  the  rules:

sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Error"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Status"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Server Report"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Mail Transaction Failed";
sm> nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Mail Delivery System";
sm> nocase; classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Hello"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Hi"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)
sm> alert tcp any any -> any 25 (msg:"Possible MyDoom Worm Incoming";
sm> flow:to_server,established; content:"Subject\: Test"; nocase;
sm> classtype:misc-activity; rev:1;$RESP_TCP_URG;)

sm> Best Regards
sm> ________________________
sm> Fabio Bastiglia Oliva
sm> fboliva at ...674...






--__--__--

Message: 7
Date: Fri, 30 Jan 2004 16:59:10 -0200
From: Fabio Bastiglia Oliva <fboliva at ...674...>
Reply-To: Fabio Bastiglia Oliva <fboliva at ...674...>
Organization: Safe Networks
To: 'snort-users at lists.sourceforge.net' <snort-users at lists.sourceforge.net>
CC: Matt Kettler <mkettler at ...4108...>
Subject: Re[2]: [Snort-users] Temporary "solution" to MyDoom worm

Hello Matt,


Yes... I'm using an AV mail scanner, but due to the heavy mail traffic
increased by MyDoom, the CPU usage was extremely high.

hehe... I'm using qmailscanner + clamav :)

After turning these rules on... the CPU usage of my company mail servers
had a decrease of 50%.


Best Regards
________________________
Fabio Bastiglia Oliva
fboliva at ...674...


Friday, January 30, 2004, 2:07:07 PM, you wrote:

MK> At 08:41 AM 1/28/2004, Fabio Bastiglia Oliva wrote:
>>I'm using the MyDoom possible Subjects to detect it... Of course, it's
>>not 100% accurate, but it's helping a lot my mail servers.
>>
>>It's necessary to use Flexible Response to make it work.

MK> While using flexresp for this isn't outright invalid, I'd suggest that
MK> there are more accurate and ways to deal with mydoom that you really should
MK> already have set up on your network.

MK> ie: clamav (a free open-source *nix virus scanner)... pair that with a MTA
MK> layer virus scanning tool and configure it to toss all the mydoom (aka SCO)
MK> worms quietly into the trash.

MK> If server load is a problem, then you could use the flexresp solution to
MK> help, but I'd still make sure I had a MTA layer scanner to deal with the
MK> stuff that gets past flexresp.








--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest