[Snort-users] Re: MyDoom Outbound Impossible Detects

McCash, John John.McCash at ...10979...
Wed Feb 11 08:27:03 EST 2004

	I've got some more information on this, and it gets even stranger...

I've been running tcpdump in parallel with snort to get a better idea of exactly what this is looking like. Oddly, when I look at the tcpdump output with ethereal, all the outbound detects I'm getting don't show up. I do get traffic to/from the specified hosts during the specified intervals, but it's got holes in it. 'TCP Previous segment lost', Ethereal calls it. I guessed that snort and tcpdump were conflicting somehow, or that tcpdump was silently dropping packets, but even after recompiling tcpdump with the MMAP-patched libpcap, and, as a brief test, killing off snort, I still get the same thing. Note also that my CPU utilization is only running 5-15%. To add insult to injury, I'm also noticing that my read packet errors are running between 8 and 15% on that interface. This seems to be a consequence of the port spanning on the switch that I'm using to aggregate my traffic.

I also notice that sometimes the snort analysis of the packet detects seems to have silently concatenated nonadjacent segments. The thing that most disturbs me about this is that I can't confirm any of the snort detects by analyzing a full tcpdump file of traffic directly. There's not any way snort could somehow be creating bogus alerts by reconstructing traffic incorrectly from incomplete data, is there? The specific alerts I'm having triggered are the 'VIRUS OUTBOUND .pif file attachment' rule, and similar ones for .scr, .exe, and .bat.

Looking at the most complete snort packet decodes of these, I see what looks like an outbound SMTP session from my mail filter to an external mail filter, with a recipient of user at ...10979..., where user is one of the bogus names that MyDoom adds to its domain when it attempts to spread. Of course, as I said before, my mail filter is configured to send messages addressed this way INBOUND to my mail servers rather than this way...

If this keeps up I'm gonna need a rubber room.
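As an added example that is not part of the original thread: the check below does offline what Ethereal's 'TCP Previous segment lost' annotation does, tracking the next expected sequence number per flow and reporting any jump, so a capture can be audited for drops before a reassembly-based alert is trusted. The segment tuples and the 10.0.0.5 / 192.0.2.10 addresses are constructed sample data, not from the author's capture.

```python
"""Per-flow TCP sequence-gap finder (added example, not from the original post).

A gap means the sensor never saw those bytes; any alert that depends on
reassembling across such a hole is built on incomplete data.
"""

# Constructed sample: one outbound SMTP session with a hole, one clean flow.
# Tuple layout: (src, sport, dst, dport, seq, payload_len, flags)
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 3456, "192.0.2.10", 25, 1000, 0, "S"),    # SYN consumes 1 seq
    ("10.0.0.5", 3456, "192.0.2.10", 25, 1001, 100, "PA"),
    ("10.0.0.5", 3456, "192.0.2.10", 25, 1101, 50, "PA"),
    ("10.0.0.5", 3456, "192.0.2.10", 25, 1300, 40, "PA"),  # 149 bytes never seen
    ("10.0.0.5", 3456, "192.0.2.10", 25, 1101, 50, "PA"),  # retransmission, no gap
    ("10.0.0.7", 4000, "192.0.2.20", 25, 5000, 0, "S"),
    ("10.0.0.7", 4000, "192.0.2.20", 25, 5001, 30, "PA"),
]


def find_gaps(segments):
    """Return [(flow, expected_seq, observed_seq, missing_bytes), ...].

    flow is (src, sport, dst, dport). Retransmissions (seq below the next
    expected value) are ignored. 32-bit sequence wrap is not handled here.
    """
    next_seq = {}
    gaps = []
    for src, sport, dst, dport, seq, length, flags in segments:
        flow = (src, sport, dst, dport)
        # SYN and FIN each occupy one sequence number in addition to payload.
        consumed = length + ("S" in flags) + ("F" in flags)
        expected = next_seq.get(flow)
        if expected is not None and seq > expected:
            gaps.append((flow, expected, seq, seq - expected))
        # Only advance the window; a retransmission must not move it back.
        if expected is None or seq + consumed > expected:
            next_seq[flow] = seq + consumed
    return gaps


def missing_bytes_per_flow(segments):
    """Sum the unseen bytes per flow; a quick loss figure for a capture."""
    totals = {}
    for flow, _expected, _observed, missing in find_gaps(segments):
        totals[flow] = totals.get(flow, 0) + missing
    return totals


if __name__ == "__main__":
    for flow, exp, seen, lost in find_gaps(SAMPLE_SEGMENTS):
        print(f"{flow}: expected seq {exp}, got {seen} ({lost} bytes lost)")
```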

