Snort mailing list archives

Re: Newbie: Bot Detection Rule


From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Fri, 22 Jun 2001 09:15:03 +0100



Brian Caswell wrote:

George Yobst wrote:
I was just reading this article about how Gibson Research
was knocked off the net ( http://grc.com/dos/grcdos.htm ).
Near the end of the article was a section on detecting these
bots.  As a new snort user, I can probably RTM and create
some rules that create an alert for ports 6667 and 113,
but how do I test it?  -George

heh.

oooooh a spy bot.  WOW!!!  You could write your own spy bot in some
super leet language like TCL or something.  Mad leet yo.

Then you too can *STOP* those *EVIL* hackers!!!!

Am I the only person that is tired of hearing about how Steve Gibson
is the greatest anti-hacker in the world?

nope, but it seems that you're the only one who's over-reacting :) btw,
Bruce Schneier has a very nice article about GRC in his newsletter -

http://www.counterpane.com/crypto-gram-0106.html#6

and regarding rules - I never understood what's the use of logging all
packets going to unusual ports etc. So let's say I've received a UDP
packet to port 666 - what am I supposed to do? Complain? (ever heard
of spoofing - especially if it's UDP?). That's why I like snort DB
logging - the only thing I can do is to log all that garbage to a
database to dig through it sometime if something really nasty starts...



alert tcp any any -> any 6667 (msg:"Evil HACKERS!!! stop the evil HACKERS!!!";)
alert udp any any -> any 666 (msg:"We are under *ATTACK* by UDP PACKETS!!!";)
alert icmp any any -> any any (msg:"DoS!!!  DoS!!!  We are under attack by DoS!!!";)

heh, 3ViL L337 u :) don't be so bad to us lamers :)))

regards,
W.


-brian

P.S. This is personal opinion only.  I'm talking on behalf of
myself and myself only.
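An added example, not written by anyone in this thread, of the "log everything, dig through it later" approach Vitaly describes: it parses alert lines modelled on Snort's alert_fast output and reports only destinations that several distinct source hosts contacted, so a single (possibly spoofed) UDP packet to port 666 stays noise while four internal hosts all talking to one IRC server on 6667 stands out. The sample lines, rule messages, addresses and the threshold of three sources are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data modelled on Snort's alert_fast line format
# (timestamp [**] msg [**] {proto} src:sport -> dst:dport); not real traffic.
SAMPLE_ALERTS = """\
06/22-09:01:11.000001 [**] IRC port 6667 [**] {TCP} 10.1.1.5:1034 -> 198.51.100.9:6667
06/22-09:01:12.000002 [**] IRC port 6667 [**] {TCP} 10.1.1.6:1201 -> 198.51.100.9:6667
06/22-09:01:15.000003 [**] IRC port 6667 [**] {TCP} 10.1.1.7:1122 -> 198.51.100.9:6667
06/22-09:01:20.000004 [**] IRC port 6667 [**] {TCP} 10.1.1.8:1550 -> 198.51.100.9:6667
06/22-09:02:03.000005 [**] UDP port 666 [**] {UDP} 203.0.113.77:53 -> 10.1.1.5:666
06/22-09:05:44.000006 [**] IRC port 6667 [**] {TCP} 10.1.1.5:1035 -> 198.51.100.9:6667
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<msg>.*?) \[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse alert_fast-style lines into dicts; lines that do not match are skipped."""
    parsed = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            parsed.append(rec)
    return parsed


def rendezvous_points(alerts, min_sources=3):
    """Group alerts by (proto, dst, dport) and keep only groups contacted by at
    least min_sources distinct source hosts. One stray packet to an odd port
    never clears the bar; many hosts converging on one server:port does."""
    sources = defaultdict(set)
    for a in alerts:
        sources[(a["proto"], a["dst"], a["dport"])].add(a["src"])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


if __name__ == "__main__":
    for key, hosts in rendezvous_points(parse_alerts(SAMPLE_ALERTS)).items():
        print(key, "contacted by", hosts)
```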

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
