Full Disclosure mailing list archives
Re: Scan for IRC
From: Kevin <kkadow () gmail com>
Date: Fri, 21 Jan 2005 19:41:02 -0600
On Fri, 21 Jan 2005 17:34:00 -0600, RandallM <randallm () fidmail com> wrote:
I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?
Not only can an IRC server be on any port (as mentioned by Oliver Leitner), but clients can also tunnel the connection through proxies, or even fully encrypt chat sessions inside SSL, within an SSH tunnel, or in a binary packet protocol such as SILC.

Assuming the communication is in the clear, you could use Snort to detect IRC communication, regardless of port. More on this topic can be found here:
http://www.giac.org/practical/GSEC/Chris_Hanna_GSEC.pdf

Kevin

(P.S. I don't know who Chris Hanna is, but the paper seems sound.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
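An added example, not part of the original post or the referenced paper: the port-independent detection idea from the reply above, sketched in Python rather than Snort rule syntax. It flags a clear-text client stream that sends both NICK and USER (the IRC registration commands in RFC 1459); the function names and the sample flows are constructed for illustration.

```python
import re

# One IRC message per RFC 1459: optional ":prefix ", a command word or a
# three-digit numeric, then optional parameters.
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Za-z]+|\d{3})(?: .*)?$")
CLIENT_CMDS = {"NICK", "USER", "PASS", "JOIN", "PRIVMSG", "PONG", "MODE", "QUIT"}


def irc_commands(payload):
    """Return the known IRC client commands seen in a TCP payload, in order."""
    found = []
    for line in payload.split(b"\n"):
        m = IRC_LINE.match(line.rstrip(b"\r"))
        if m:
            cmd = m.group(1).decode("ascii").upper()
            if cmd in CLIENT_CMDS:
                found.append(cmd)
    return found


def looks_like_irc(client_payload):
    """Flag a client-to-server stream that performs IRC registration.

    Requiring both NICK and USER keeps other line-based protocols from
    matching on one shared word (FTP also sends USER and PASS).
    """
    return {"NICK", "USER"} <= set(irc_commands(client_payload))


# Constructed sample flows: (destination port, client-to-server bytes).
FLOWS = [
    (8080, b"NICK observer1\r\nUSER observer1 0 * :test client\r\nJOIN #example\r\n"),
    (6667, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (21, b"USER anonymous\r\nPASS guest@example.test\r\n"),
    (6697, b"\x16\x03\x01\x00\x05hello"),  # stand-in for TLS-wrapped bytes
]


def scan(flows):
    """Return the destination ports of flows whose payload is clear-text IRC."""
    return [port for port, data in flows if looks_like_irc(data)]


if __name__ == "__main__":
    print(scan(FLOWS))
```

The encrypted stand-in on port 6697 is not flagged, which is the limitation the reply describes: content matching only works while the session is in the clear.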
Current thread:
- Scan for IRC RandallM (Jan 21)
- Re: Scan for IRC Athanasius (Jan 21)
- Re: Scan for IRC Oliver Leitner (Jan 21)
- RE: Scan for IRC Nikolay Baramov (Jan 21)
- Re: RE: Scan for IRC Frank Knobbe (Jan 21)
- RE: Scan for IRC Nikolay Baramov (Jan 21)
- Re: Scan for IRC Kevin (Jan 21)
- Re: Scan for IRC Jon Hart (Jan 21)
- Re: Scan for IRC Paul Schmehl (Jan 21)
- RE: Scan for IRC ALD, Aditya, Aditya Lalit Deshmukh (Jan 22)
- Re: Scan for IRC Harry Hoffman (Jan 22)