Snort rule doesn't generate alerts when hosts responding simultaneously

[Aymen AlAwady <aymenco777 () googlemail com>]

Hi,

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious
act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64;
flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown;
sid:2000346; rev:4;)

The above rule is written to monitor bots responding messages to the
botmaster. The rule is working fine, but only when one bot making the
respond and there is no alert or even one alert for one host when more than
one host responding simultaneously. I have changed the session time to 30
or 150 but no luck.

Any tips or tricks to make it efficient?

Thanks.

-Aymen

-- 
Aymen Hassan AlAwady
Master Student of Computer Science (Distributed Computing & Networks)
School of Computer Sciences - Universiti Sains Malaysia (USM)
11800 USM, Penang,
MALAYSIA
H/P: +60176181394
Email: aymenh () it kuiraq com


P Do you really need to print this e-mail? Think globally, act locally

 undefined

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!