Snort mailing list archives

Re: Out of topic: Snort rule doesn't generate alerts when hosts responding simultaneously


From: beenph <beenph () gmail com>
Date: Sat, 10 Mar 2012 22:17:13 -0500

On Sat, Mar 10, 2012 at 10:04 PM, Aymen <aymenco777 () googlemail com> wrote:
Hi all,

I know this post is off topic for this group! I am posting because
I haven't seen any other active group dealing with Snort like this one, and I hope
the members can help me with my issue.

My issue is:

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel
suspecious act"; content:"PRIVMSG"; offset:0; depth:7; nocase;
dsize:<64; flow:to_server,established; tag:session,300,seconds;
classtype:bad-unknown; sid:2000346; rev:4;)

The above rule is written to monitor bots responding with messages to the
botmaster. The rule works fine, but only when one bot makes the
response; there is no alert, not even a single alert for one host, when more
than one host responds simultaneously. I have changed the session
time to 30 or 150 but with no luck.

Any tips or tricks to make it efficient?

Thank you all, and sorry for any disturbance.

-Aymen

Greetings Aymen,

I think snort-users () lists sourceforge net is pretty active for Snort
questions; you should go there without hesitation.

From my perspective it seems that the rule is fine, but I would
change the any any -> any any to something like

$HOME_NET any -> !$HOME_NET any msg :privmsg to irc

and write a second rule that is analogous to the first one and looks exactly alike,
except for the sid and using reverse logic for the triggering flow (and
probably change the message to reflect that also):

!$HOME_NET any -> $HOME_NET any msg: privmsg from irc


Also try to use tag: session,300,src

I hope this can help you. I also forwarded the message to snort-users, so
sign up there; maybe someone will respond with
more information over there!

Hope this helps.

-elz
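The direction-split rules elz describes above, written out in full as an added example that is not part of the thread. It assumes $HOME_NET is defined in snort.conf, uses placeholder sids in the local range, and drops the offset/depth anchor in the inbound rule because server-relayed IRC messages carry a ":nick!user@host " prefix before PRIVMSG.

```snort
# Original rule from the question, kept for comparison: it matches on any
# hosts in either direction, so one rule has to cover both sides of the chat.
alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown; sid:2000346; rev:4;)

# Assumption: HOME_NET is defined in snort.conf, e.g.
#   ipvar HOME_NET 192.168.1.0/24      (constructed value)
# !$HOME_NET can be written as $EXTERNAL_NET when that variable is set to !$HOME_NET.

# Rule 1: PRIVMSG leaving the monitored network (internal client -> IRC server).
# A client-originated PRIVMSG starts at payload offset 0, so the anchor is kept.
# sid 1000001 is a placeholder in the local-rule range (>= 1000000).
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"PRIVMSG to IRC server from internal host"; flow:to_server,established; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; tag:session,300,seconds; classtype:bad-unknown; sid:1000001; rev:1;)

# Rule 2: PRIVMSG arriving from outside (IRC server -> internal client), flow reversed.
# Server-relayed lines look like ":nick!user@host PRIVMSG #chan :text", so
# offset:0/depth:7 would never match here; the content match is left unanchored
# and dsize:<64 is dropped because the prefix makes these lines longer.
# sid 1000002 is a placeholder.
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"PRIVMSG from IRC server to internal host"; flow:to_client,established; content:"PRIVMSG"; nocase; tag:session,300,seconds; classtype:bad-unknown; sid:1000002; rev:1;)
```

Each side of the conversation now produces its own event, and the tag on each rule captures the rest of that session for 300 seconds so the follow-up traffic can be reviewed.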
