Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Tracking IRC servers on the network.

From: Aymen AlAwady <aymenco777 () googlemail com>
Date: Mon, 7 May 2012 02:11:58 +0800
Hi all,


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT IRC
Traffic Detected By Nick Change"; flow: to_server,established;
content:"NICK "; nocase; offset: 0; depth: 5;
flowbits:set,community_is_proto_irc; flowbits: noalert;
classtype:misc-activity; sid:100000240; rev:3;)

# Using the aforementioned is_proto_irc flowbits, do some IRC checks.
# This one looks for IRC servers running on the $HOME_NET

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal
IRC server detected"; flow: to_server,established;
flowbits:isset,community_is_proto_irc; classtype: policy-violation;
sid:100000241; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT IRC message from
internal bot"; flow: established; flowbits:isset,community_is_proto_irc;
content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463;)

The above rules have been written by David
Bianco<http://blog.vorant.com/2006/03/detecting-common-botnets-with-snort.html>to
track IRC bot/server activity on any IRC port. However, the above
rules
works fine but I have a problem with them. My problem is happening
when multiple IRC servers (some of them work on 7000 and the other work on
6667) run on the network some of them will  achieve the conditions of the
rules and Snort will generate the alerts and some of them (or even one of
them) will not achieve these condition and as a result Snort wont generate
any alert related to the defined set. I think there's a kind of
inconsistency. Any suggestions on that issue? I am working on Snort 2.8.


Thank you.

Kind Regards,


-Aymen

-- 
Aymen Hassan AlAwady
Master Student of Computer Science (Distributed Computing & Networks)
School of Computer Sciences - Universiti Sains Malaysia (USM)
11800 USM, Penang,
MALAYSIA
H/P: +60176181394
Email: aymenh () it kuiraq com


P Do you really need to print this e-mail? Think globally, act locally

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: