Snort mailing list archives

RE: Re: Is this a valid rule?


From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Fri, 25 Oct 2002 15:02:12 -0400

7001 is also a standard IRC port used for SSL communications.

John

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Friday, October 25, 2002 2:47 PM
To: SLefevre_at_i-m-i-international.com () cynosure lanl gov
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] Re: Is this a valid rule?



> I have this rule in my local rule file:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")
>
> (It's to detect IRC traffic ;)
>
> Why does snort always choke on it? I've looked it over 100 times and it
> seems to follow the syntax.

Nope.

Put a ';' between the " and the ) like so:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity";)

Also, ports 6667 and 6668 are the default IRC ports.

6000 - 60xx can be X server ports.  I used to see hacks every week back
in the dark ages where the cracker sent himself an xterm window on ports
6000-6007.

Just remember that ports are not really anything more than numbers from
zero to 65535.  You could have an ssh server listening on port 65535 or
scumbag.com sending you javascript to open up http connections to port 23
so they can learn more about your web preferences among other things.

Later,

Phil


-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0004en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
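
As an added illustration (not Snort's own parser, and not code posted in this thread), the following Python checker implements the two syntax points Phil's reply turns on: every option inside the parentheses must be terminated by ';', including the last one, so (msg:"IRC Activity") is rejected and (msg:"IRC Activity";) is accepted; and a port field may be a single port, a range such as 6008:6009, an open range such as 1024: or :1024, or 'any'. The two rule strings are the ones from the thread; the names parse_rule, parse_ports, parse_options, check and port_matches are chosen here and are not Snort API. Negated port specs (!6667) and port-variable lists are deliberately not handled.

```python
"""Minimal Snort 2 rule-syntax checker (added example, not Snort's parser)."""
import re

# Header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


def parse_ports(spec):
    """Return (low, high) for 'any', 'N', 'N:M', 'N:' or ':M'; raise on junk.

    Ports are just numbers 0..65535, as the thread points out, so the only
    validation possible at rule-parse time is bounds and ordering.
    """
    if spec == 'any':
        return (0, 65535)
    m = re.fullmatch(r'(\d*)(:?)(\d*)', spec)
    if not m or (m.group(1) == '' and m.group(3) == ''):
        raise ValueError(f'bad port spec: {spec!r}')
    lo = int(m.group(1)) if m.group(1) else 0
    hi = int(m.group(3)) if m.group(3) else 65535
    if not m.group(2):              # no ':' -> single port
        hi = lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f'port range out of order or out of bounds: {spec!r}')
    return (lo, hi)


def parse_options(opts):
    """Split the option body into (key, value) pairs.

    Every option must end with ';'. A quoted string may contain ';' and
    escaped quotes; a trailing option with no ';' is a syntax error, which
    is exactly why Snort chokes on (msg:"IRC Activity").
    """
    options, buf, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == '\\' and in_quote and i + 1 < len(opts):
            buf.append(opts[i:i + 2])        # keep escape sequence intact
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == ';' and not in_quote:
            item = ''.join(buf).strip()
            if not item:
                raise ValueError('empty option before ";"')
            key, _, value = item.partition(':')
            options.append((key.strip(), value.strip()))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if in_quote:
        raise ValueError('unterminated quoted string in options')
    if ''.join(buf).strip():
        raise ValueError(
            f'option not terminated by ";": {"".join(buf).strip()!r}')
    return options


def parse_rule(text):
    """Parse one rule line into a dict, or raise ValueError with the reason."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError('malformed rule header')
    rule = m.groupdict()
    rule['sport'] = parse_ports(rule['sport'])
    rule['dport'] = parse_ports(rule['dport'])
    rule['opts'] = parse_options(rule['opts'])
    return rule


def check(text):
    """Return (True, parsed_rule) or (False, error_message)."""
    try:
        return True, parse_rule(text)
    except ValueError as e:
        return False, str(e)


def port_matches(rule, port):
    """Would a packet to this destination port fall inside the rule's range?"""
    lo, hi = rule['dport']
    return lo <= port <= hi


# The two rules from the thread: the one Snort chokes on and the corrected one.
BROKEN = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")'
FIXED = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity";)'

if __name__ == '__main__':
    for r in (BROKEN, FIXED):
        ok, detail = check(r)
        print('OK  ' if ok else 'FAIL', detail['opts'] if ok else detail)
```

Running it reports FAIL for the first rule with the reason (the msg option is not terminated by ';') and OK for the second, whose destination range 6008:6009 matches port 6009 but not 6667.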

