[Snort-sigs] Rules sid:2000344 and following (IRC).

Chich Thierry thierry.chich at ...2579...
Mon Aug 16 01:31:03 EDT 2004

The bleeding edge rules sid:2000344 and following, that are looking for
IRC traffic on non standard-port give me huge trace.

First of all, the session time (3600 seconds) is too long. Some people
use IRC in order to transmit divx files or warez.
Secondly, some rules announce that they  track activity on non-std port
but there is nothing in the reule that check the port. In my database,
I have capture 100000 packets of a chat session, and I truly doubt that 
the user
has sent a real message in these 100000 packets.

Thierry Chich

More information about the Snort-sigs mailing list