[Snort-sigs] Rules sid:2000344 and following (IRC).
thierry.chich at ...2579...
Mon Aug 16 01:31:03 EDT 2004
The bleeding edge rules sid:2000344 and following, that are looking for
IRC traffic on non-standard ports, give me huge traces.
First of all, the session time (3600 seconds) is too long. Some people
use IRC in order to transmit divx files or warez.
Secondly, some rules announce that they track activity on non-std ports,
but there is nothing in the rule that checks the port. In my database,
I have captured 100000 packets of a chat session, and I truly doubt that
has sent a real message in these 100000 packets.