Snort mailing list archives

Re: Snort rule doesn't generate alerts when hosts responding simultaneously


From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Mon, 12 Mar 2012 08:25:07 +0530

Hi Aymen,

Ignore my previous email.

A tag is used to tag both the source and destination and capture more
packets from them rather than just the one packet which triggered the alert.

In the original rule, once Snort sees PRIVMSG it would have tagged x.x.x.x
going to y.y.y.y and captured all alerts for up to 300 seconds.

If you are interested only in seeing how many client systems are involved in
the bot, you can change the rule to

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious
act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64;
flow:to_server,established; classtype:bad-unknown; sid:2000346; rev:5;)

Kindly correct me if I am wrong.

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
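Editor's added example, not part of the message above and not Snort's own code: a small re-implementation of the match conditions in the rule quoted above (content at offset 0 within depth 7, nocase, dsize:<64, flow:to_server,established), run over constructed IRC packets to show which ones would fire and how many distinct client hosts that reveals. The packet records are constructed for illustration, not captured traffic; the option semantics follow the Snort 2 rule-option documentation.

```python
# Added example: re-implements the PRIVMSG rule's match logic over
# constructed packets.  Not from the thread and not Snort code.
#   content:"PRIVMSG"; offset:0; depth:7; nocase;
#       -> "PRIVMSG" must appear, case-insensitively, inside payload bytes 0..6
#   dsize:<64;
#       -> payload must be shorter than 64 bytes
#   flow:to_server,established;
#       -> only the client->server side of an established TCP session
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    to_server: bool      # True for the client->server direction
    established: bool    # True once the 3-way handshake completed
    payload: bytes


PATTERN = b"PRIVMSG"
OFFSET, DEPTH = 0, 7     # offset:0; depth:7;
MAX_DSIZE = 64           # dsize:<64;


def content_match(payload, pattern=PATTERN, offset=OFFSET, depth=DEPTH):
    """content with offset/depth/nocase: the pattern must fit entirely
    inside payload[offset:offset+depth], compared case-insensitively."""
    window = payload[offset:offset + depth]
    return pattern.upper() in window.upper()


def rule_matches(pkt):
    if not (pkt.to_server and pkt.established):   # flow:to_server,established
        return False
    if len(pkt.payload) >= MAX_DSIZE:             # dsize:<64
        return False
    return content_match(pkt.payload)


def alerting_packets(packets):
    return [p for p in packets if rule_matches(p)]


def distinct_clients(packets):
    """What the reply is after: the client hosts that sent matching PRIVMSGs."""
    return sorted({p.src for p in alerting_packets(packets)})


# Constructed sample traffic (not a capture): three clients and one IRC server.
SAMPLE = [
    Packet("10.0.0.11", "192.0.2.5", 6667, True, True,
           b"PRIVMSG #c :!ddos 198.51.100.7\r\n"),             # fires
    Packet("10.0.0.12", "192.0.2.5", 6667, True, True,
           b"privmsg #c :!ddos 198.51.100.7\r\n"),             # fires (nocase)
    Packet("10.0.0.13", "192.0.2.5", 6667, True, True,
           b"PRIVMSG #c :" + b"A" * 60 + b"\r\n"),             # 74 bytes: dsize fails
    Packet("192.0.2.5", "10.0.0.11", 6667, False, True,
           b"PRIVMSG #c :ack\r\n"),                            # server->client: flow fails
    Packet("10.0.0.11", "192.0.2.5", 6667, True, True,
           b"  PRIVMSG #c :hi\r\n"),                           # starts at byte 2: outside depth:7
    Packet("10.0.0.12", "192.0.2.5", 6667, True, True,
           b"PRIVMSG #c :!report\r\n"),                        # fires again, same client
]


if __name__ == "__main__":
    for p in alerting_packets(SAMPLE):
        print(f"alert sid:2000346 {p.src} -> {p.dst}:{p.dport} {p.payload!r}")
    print("distinct clients:", distinct_clients(SAMPLE))
```

Three of the six constructed packets fire, coming from two distinct client hosts; the oversize message, the server-to-client message and the message with PRIVMSG pushed past the seven-byte window are all dropped by one of the rule's constraints, which is the behaviour to keep in mind when judging whether a missing alert is a tagging effect or simply a non-match.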
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org