* Classifying W32/MyDoom.A
@ 2004-01-29 18:06 Eliot, GLI wireless tech support
From: Eliot, GLI wireless tech support @ 2004-01-29 18:06 UTC (permalink / raw)
To: netfilter
Has anyone come up with a ruleset for classifying a random TCP or
specific SMTP connection as being the W32/MyDoom.A virus?
For instance, it spreads two ways:
1) Through email
2) Through Kazaa
I want to be able to take a TCP stream (like a Kazaa download) and match
it against a rule that would flag the packets with a specific MARK value
if it is the MyDoom.A virus being transferred. I would also like a
ruleset that would match if it is being transferred through SMTP.
Anyone have any ideas how to do this without too many false positives?
(i.e. a document on the web that describes the characteristics of
MyDoom.A).
Eliot Gable
iSWAT Leader
Internet Service Without Any Telephones
Great Lakes Internet, Inc.
112 N Howard Ave
Croswell, MI 48422
(810) 679-3395
* Re: Classifying W32/MyDoom.A
From: Daniel Chemko @ 2004-01-30 5:41 UTC (permalink / raw)
To: Ray Leach; +Cc: Netfilter Mailing List
Netfilter is not an application layer Firewall.
Try something like sendmail/Mailscanner and pick up clamav. I was
blocking before I even knew about the virus!
Ray Leach wrote:
> On Thu, 2004-01-29 at 20:06, Eliot, GLI wireless tech support wrote:
>
> > Has anyone come up with a ruleset for classifying a random TCP or
> > specific SMTP connection as being the W32/MyDoom.A virus?
>
> <<snip>>
>
> > Anyone have any ideas how to do this without too many false positives?
> > (i.e. a document on the web that describes the characteristics of
> > MyDoom.A).
>
> Since it spreads via SMTP from clients and not servers, why not just
> block all smtp traffic outbound to the internet from your client
> machines, and only allow your mail server to send smtp mail?
>
> Of course you would need a decent anti-virus program on the mail server.
>
> The other way you could possibly do this is by using a string match to
> look inside any smtp packets for matches of the attachment names(?).
* Re: Classifying W32/MyDoom.A
From: Ray Leach @ 2004-01-30 5:46 UTC (permalink / raw)
To: Netfilter Mailing List
On Thu, 2004-01-29 at 20:06, Eliot, GLI wireless tech support wrote:
> Has anyone come up with a ruleset for classifying a random TCP or
> specific SMTP connection as being the W32/MyDoom.A virus?
<<snip>>
> Anyone have any ideas how to do this without too many false positives?
> (i.e. a document on the web that describes the characteristics of
> MyDoom.A).
Since it spreads via SMTP from clients and not servers, why not just
block all smtp traffic outbound to the internet from your client
machines, and only allow your mail server to send smtp mail?
Of course you would need a decent anti-virus program on the mail server.
The other way you could possibly do this is by using a string match to
look inside any smtp packets for matches of the attachment names(?).
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
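The following is an added example, not code posted by Eliot, Ray or Daniel. It turns Ray's suggestion into an iptables ruleset: only the mail server may open SMTP connections to the internet, and every other LAN host that tries gets logged and reset. A second, optional chain shows Eliot's idea of flagging packets with a MARK using a per-packet string match. The network, the mail server address, the interface name and the attachment name are constructed placeholders; the script prints the rules it would load and only executes them when APPLY=1, so it can be reviewed (or run in a test) without root.

```shell
#!/bin/sh
# Added example, not code from any poster on this thread.
# Egress SMTP policy in the spirit of Ray Leach's reply, plus an optional
# MARK chain for Eliot's packet-flagging idea. All values below are
# constructed placeholders for this example.

LAN_NET="${LAN_NET:-192.168.10.0/24}"        # assumed internal network
MAIL_SERVER="${MAIL_SERVER:-192.168.10.25}"  # assumed authorised relay
LAN_IF="${LAN_IF:-eth1}"                     # assumed inside interface
# Placeholder: substitute the attachment name from your AV vendor's write-up.
ATTACHMENT_NAME="${ATTACHMENT_NAME:-PLACEHOLDER-ATTACHMENT-NAME}"
APPLY="${APPLY:-0}"                          # 0 = print rules, 1 = load them

# Print each rule (shell quoting is not reproduced in the printed form);
# execute it only when APPLY=1 so the ruleset can be reviewed and tested
# without root or a live netfilter stack.
rule() {
    echo "iptables $*"
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    fi
}

# Egress policy: SYN packets to TCP/25 leaving the LAN are diverted to
# SMTP_EGRESS. The relay RETURNs to FORWARD and is handled by the normal
# rules; everything else is logged (rate-limited) and rejected with a TCP
# reset so misconfigured clients fail fast instead of hanging.
smtp_egress_rules() {
    rule -N SMTP_EGRESS
    rule -A SMTP_EGRESS -s "$MAIL_SERVER" -j RETURN
    rule -A SMTP_EGRESS -m limit --limit 6/min -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
    rule -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 --syn -j SMTP_EGRESS
}

# Marking rules in the mangle table: tag SMTP packets whose payload carries
# the attachment name, then log the tagged packets. The string match is
# per packet and cannot see a name split across two segments, so the mark
# is a hint worth logging, not proof that the message is infected.
smtp_mark_rules() {
    rule -t mangle -A FORWARD -p tcp --dport 25 -m string --algo bm --string "$ATTACHMENT_NAME" -j MARK --set-mark 0x10
    rule -t mangle -A FORWARD -p tcp --dport 25 -m mark --mark 0x10 -m limit --limit 6/min -j LOG --log-prefix "SMTP-MARKED: "
}

# Helper for review scripts: number of rules a policy function emits.
count_rules() {
    "$1" | grep -c '^iptables '
}

smtp_egress_rules
smtp_mark_rules
```

Run it as-is to see the five egress rules and two marking rules it would load; run it with APPLY=1 on the gateway to install them. The egress chain is the part that actually stops the worm from mailing itself out from a workstation; the MARK chain only works where the attachment name appears in clear text in one segment (the MIME Content-Disposition header, not the base64-encoded body), which is the limit Daniel points at when he says netfilter is not an application-layer firewall. Scanning the messages themselves still belongs on the mail server.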