Snort mailing list archives
Re: Out of topic: Snort rule doesn't generate alerts when hosts responding simultaneously
From: beenph <beenph () gmail com>
Date: Sat, 10 Mar 2012 22:17:13 -0500
On Sat, Mar 10, 2012 at 10:04 PM, Aymen <aymenco777 () googlemail com> wrote:
Hi all,

I know this post is off topic for this group! I am posting it because I haven't seen any group dealing with Snort as active as yours, and I hope the members can help me with my issue. My issue is:

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown; sid:2000346; rev:4;)

The above rule is written to monitor bots responding with messages to the botmaster. The rule is working fine, but only when one bot is making the response; there is no alert, not even one alert for one host, when more than one host is responding simultaneously. I have changed the session time to 30 or 150 but no luck. Any tips or tricks to make it efficient?

Thank you all and sorry for any disturbance.

-Aymen
Greetings Aymen, I think snort-users () lists sourceforge net is pretty active for Snort questions; you should go there without hesitation.

From my perspective it seems that the rule is fine, but I would change the any any -> any any to something like

$HOME_NET any -> !$HOME_NET any    msg: privmsg to irc

and write a second rule that is analogous to the first one and looks exactly alike, except for the sid and using reverse logic for the triggering flow (and probably change the message to reflect that also):

!$HOME_NET any -> $HOME_NET any    msg: privmsg from irc

Also try to use tag: session,300,src

I hope this can help you. I also forwarded the msg to snort-users, so sign up there; maybe someone will respond with more information over there!

Hope this helps.

-elz
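The two-rule split suggested in the reply above, written out as complete Snort rules. These are an added example, not rules from the original thread or from the Snort ruleset; they assume $HOME_NET is defined in snort.conf, and the sid of the second rule (2000347) is a placeholder chosen here. Since Snort's tag option accepts a direction argument only with the host type, the outbound rule tags traffic from the sending host with tag:host,300,seconds,src (the "src" idea from the reply), while the inbound rule keeps the original session tag.

```snort
# Outbound: a host in $HOME_NET sends PRIVMSG to an external IRC server.
# flow:to_server matches the address direction, so the rule only inspects
# client-to-server payloads; tag:host,...,src logs the sending host's
# packets for 300 seconds after the alert (host type is required for a
# direction argument).
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"PRIVMSG to IRC server (possible bot response)"; flow:to_server,established; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; tag:host,300,seconds,src; classtype:bad-unknown; sid:2000346; rev:5;)

# Inbound: an external IRC server sends PRIVMSG to a host in $HOME_NET.
# Same content match, reversed addresses and flow:to_client; sid 2000347
# is a placeholder for this example.
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"PRIVMSG from IRC server (possible bot command)"; flow:to_client,established; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; tag:session,300,seconds; classtype:bad-unknown; sid:2000347; rev:1;)
```

Splitting by direction keeps each rule's address direction consistent with its flow keyword, so an alert on the outbound rule tells you which internal host spoke and an alert on the inbound rule tells you which host was addressed; checking both alerts in the log for a test with two or more internal hosts is a quick way to confirm whether the original symptom was a rule problem or something else in the sensor's configuration.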