Snort mailing list archives
Tracking IRC servers on the network.
From: Aymen AlAwady <aymenco777 () googlemail com>
Date: Mon, 7 May 2012 02:11:58 +0800
Hi all, alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT IRC Traffic Detected By Nick Change"; flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; flowbits:set,community_is_proto_irc; flowbits: noalert; classtype:misc-activity; sid:100000240; rev:3;) # Using the aforementioned is_proto_irc flowbits, do some IRC checks. # This one looks for IRC servers running on the $HOME_NET alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal IRC server detected"; flow: to_server,established; flowbits:isset,community_is_proto_irc; classtype: policy-violation; sid:100000241; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT IRC message from internal bot"; flow: established; flowbits:isset,community_is_proto_irc; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463;) The above rules have been written by David Bianco<http://blog.vorant.com/2006/03/detecting-common-botnets-with-snort.html>to track IRC bot/server activity on any IRC port. However, the above rules works fine but I have a problem with them. My problem is happening when multiple IRC servers (some of them work on 7000 and the other work on 6667) run on the network some of them will achieve the conditions of the rules and Snort will generate the alerts and some of them (or even one of them) will not achieve these condition and as a result Snort wont generate any alert related to the defined set. I think there's a kind of inconsistency. Any suggestions on that issue? I am working on Snort 2.8. Thank you. Kind Regards, -Aymen -- Aymen Hassan AlAwady Master Student of Computer Science (Distributed Computing & Networks) School of Computer Sciences - Universiti Sains Malaysia (USM) 11800 USM, Penang, MALAYSIA H/P: +60176181394 Email: aymenh () it kuiraq com P Do you really need to print this e-mail? Think globally, act locally
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Tracking IRC servers on the network. Aymen AlAwady (May 06)