Has anyone come up with a ruleset for classifying a random TCP or specific SMTP connection as being the W32/MyDoom.A virus? For instance, it spreads two ways:

1) Through email
2) Through Kazaa

I want to be able to take a TCP stream (like a Kazaa download) and match it against a rule that would flag the packets with a specific MARK value if it is the MyDoom.A virus being transferred. I would also like a ruleset that would match if it is being transferred through SMTP.

Anyone have any ideas how to do this without too many false positives? (i.e. a document on the web that describes the characteristics of MyDoom.A.)

Eliot Gable
iSWAT Leader
Internet Service Without Any Telephones
Great Lakes Internet, Inc.
112 N Howard Ave
Croswell, MI 48422
(810) 679-3395
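An added example of the kind of MARK ruleset the post asks for, written here as an illustration and not taken from the post or from any netfilter project code. It uses the iptables `string` match (`-m string --algo bm --string ...`) in the mangle table to send suspect packets through a chain that logs them and sets a mark. Everything specific is an assumption: the signature strings are placeholders (the post gives no MyDoom.A bytes, and real ones would have to come from an AV vendor's write-up), the Kazaa port is assumed to be the FastTrack default 1214, and the mark value is arbitrary. Two caveats matter for the false-positive question: the string match looks at one packet at a time, so a pattern split across two TCP segments is missed and the chosen pattern must be short; and mail attachments travel base64-encoded, so the SMTP rule must match the encoded form of the bytes, not the raw binary.

```shell
#!/bin/sh
# Added example, not from the original post: build iptables rules that MARK
# packets carrying a chosen byte pattern on SMTP (tcp/25) and on the Kazaa
# port. Signatures are PLACEHOLDERS; no real MyDoom.A indicator is given here.
#
# Practical limits of this approach:
#  * -m string inspects a single packet, so a pattern that straddles two
#    segments is never matched; keep the pattern short.
#  * SMTP attachments are base64 (or uuencode) encoded, so SMTP_SIG must be
#    the encoded form of the bytes, not the raw executable bytes.
#  * Restricting each rule to a port keeps the expensive string scan off
#    unrelated traffic and cuts accidental hits.

SMTP_PORT=25
KAZAA_PORT=1214                             # assumption: FastTrack/Kazaa default
MARK_VALUE=0x77                             # assumption: arbitrary mark value
SMTP_SIG='PLACEHOLDER_BASE64_SIGNATURE'     # placeholder, not a real IoC
KAZAA_SIG='PLACEHOLDER_RAW_SIGNATURE'       # placeholder, not a real IoC

# Emit one iptables command. DRY_RUN=1 (the default) prints the command
# instead of applying it, so the ruleset can be reviewed before use.
emit_rule() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the mangle-table rules. Returns the rules on stdout in dry-run mode.
mydoom_mark_rules() {
    # Dedicated chain: log the hit, then set the mark the post asks for.
    # "-N" fails harmlessly if the chain already exists; "-F" then empties it.
    emit_rule -t mangle -N MYDOOM 2>/dev/null || true
    emit_rule -t mangle -F MYDOOM
    emit_rule -t mangle -A MYDOOM -j LOG --log-prefix "MYDOOM_A_SUSPECT "
    emit_rule -t mangle -A MYDOOM -j MARK --set-mark "$MARK_VALUE"

    # SMTP: mail data flows toward the server on port 25, carrying the
    # encoded attachment.
    emit_rule -t mangle -A PREROUTING -p tcp --dport "$SMTP_PORT" \
        -m string --algo bm --string "$SMTP_SIG" -j MYDOOM

    # Kazaa: a transfer can be served or fetched by a local peer, so the
    # Kazaa port may be either the source or the destination port.
    emit_rule -t mangle -A PREROUTING -p tcp --dport "$KAZAA_PORT" \
        -m string --algo bm --string "$KAZAA_SIG" -j MYDOOM
    emit_rule -t mangle -A PREROUTING -p tcp --sport "$KAZAA_PORT" \
        -m string --algo bm --string "$KAZAA_SIG" -j MYDOOM
}

# Stand-alone run: print the ruleset (DRY_RUN defaults to 1).
mydoom_mark_rules
```

Run it as root with `DRY_RUN=0` to apply the rules; the default only prints them. Because the match is per packet, this marks individual packets rather than classifying a whole stream; for true stream-level classification the transfer has to be reassembled and scanned at a proxy or mail relay, with the firewall mark used afterwards for routing or rate limiting.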