Educause Security Discussion mailing list archives

Re: IRC policies


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Wed, 6 Jun 2007 11:02:10 -0400

And if you see a computer repeatedly and unsuccessfully attempting to:

        *       join a channel (e.g. #mp3-w@r3z) 4-ever
        *       use a nick or variants of the same nick
                        (particularly "hacker", "hack3993", etc.)
        *       use a particular username

particularly when the nick or username is already in use but the
computer persists in mindless repetition -- you've probably got a bot.

Lots of PINGs and PONGs are also often a good sign but are not
necessarily.

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS



On Jun 6, 2007, at 10:45 AM, Hull, Dave wrote:

In my past life working in a security office, the Snort signatures that
monitor nick changes do a great job of tipping off machines that are
bots. Normal users don't request nick changes as rapidly as bots. If
you're wanting to monitor IRC or clamp down on it, pay particular
attention and tune well your Snort or other IDS/IPS rules that watch for
nick changes.

YMMV.

--
Dave Hull, CISSP, CHFI
IT Director
KU School of Architecture & Urban Planning
785-864-2629

"The free world says that software is the embodiment of knowledge about
technology, which needs to be free in the same way that mathematics is
free."
-- Eben Moglen, Software Freedom Law Center
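
The heuristics from both messages above (rapid nick changes, variants of one nick, repeated nick-in-use rejections, repeated failed joins to one channel), as an added Python example that is not from either poster. The record format, the 4-events-in-60-seconds threshold, and the sample traffic are constructed assumptions; the reply numerics are the standard ones from RFC 2812.

```python
import re
from collections import defaultdict

JOIN_FAIL = {"471", "473", "474", "475"}  # full, invite-only, banned, bad key
NICK_IN_USE = "433"                        # ERR_NICKNAMEINUSE
WINDOW, THRESHOLD = 60.0, 4                # assumed tuning: 4 events in 60 s

def burst(times, window=WINDOW, threshold=THRESHOLD):
    """True if any `threshold` consecutive events fit inside `window` seconds."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def score_hosts(records):
    """records: (epoch_seconds, client_ip, 'C' or 'S', raw IRC line) tuples.
    'C' is client-to-server, 'S' is the server's reply to that client."""
    events = defaultdict(lambda: defaultdict(list))
    for ts, ip, direction, line in records:
        parts = line.split()
        if direction == "C" and len(parts) >= 2 and parts[0].upper() == "NICK":
            stem = re.sub(r"\d+$", "", parts[1].lstrip(":")).lower()
            events[ip]["nick-change"].append(ts)           # any nick request
            events[ip]["nick-variant:" + stem].append(ts)  # same nick, new digits
        elif direction == "S" and len(parts) >= 4 and parts[0].startswith(":"):
            if parts[1] == NICK_IN_USE:
                events[ip]["nick-in-use"].append(ts)
            elif parts[1] in JOIN_FAIL:
                events[ip]["join-fail:" + parts[3].lower()].append(ts)
    flagged = {}
    for ip, kinds in events.items():
        hits = sorted(kind for kind, times in kinds.items() if burst(times))
        if hits:
            flagged[ip] = hits
    return flagged

def constructed_sample():
    """Constructed traffic: one looping client, one ordinary user."""
    bot, user, srv, cur, recs = "192.0.2.10", "192.0.2.20", ":irc.example.net", "hack3992", []
    for i in range(4):
        nick, t = f"hack{3993 + i}", i * 5.0
        recs.append((t, bot, "C", f"NICK {nick}"))
        recs.append((t + 1, bot, "S", f"{srv} 433 {cur} {nick} :Nickname is already in use."))
        recs.append((t + 2, bot, "S", f"{srv} 474 {cur} #example :Cannot join channel (+b)"))
    recs.append((3.0, user, "C", "NICK alice"))
    recs.append((900.0, user, "C", "NICK alice_away"))
    return recs

if __name__ == "__main__":
    for ip, hits in score_hosts(constructed_sample()).items():
        print(ip, hits)
```

Only the looping client is flagged; the user who changes nick twice in fifteen minutes stays below the threshold.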

