[Snort-sigs] Rules sid:2000344 and following (IRC).

Chich Thierry thierry.chich at ...2579...
Tue Aug 17 13:50:03 EDT 2004


Matthew Jonkman wrote:

> I agree with you on the 3600 second tag. That might be excessive. I've 
> changed them all to 300.
>
> Not sure what you're saying on point number 2. Can you elaborate?
>
> Thanks
>
> Matt


OK.

These are the rules submitted by Joel Esler.

The first 2 rules take care of the destination port. The third 
one seems dubious to me. 
Perhaps it should be "alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET 
any" or
"alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668"

The following rules (2000347 and following) do not include any criterion 
on the destination port (any).


#Submitted by Joel Esler
alert tcp any any -> any !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:policy-violation; sid:2000344; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000345; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Name response on non-std port"; content:"\:"; offset:0; depth:1; content:" 302 "; content:"=+"; content:"@"; dsize:<128; flow:to_client,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000346; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128; flow:to_server,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000347; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000348; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; nocase; tag:session,3600,seconds; classtype:policy-violation; sid:2000349; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - DCC chat request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC CHAT chat"; nocase; tag:session,3600,seconds; classtype:policy-violation; sid:2000350; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - channel join on non-std port"; flow:to_server,established; content:"JOIN \: \#"; nocase; offset:0; depth:8; tag:session,3600,seconds; classtype:policy-violation; sid:2000351; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - dns request on non-std port"; flow:to_server,established; content:"USERHOST "; nocase; offset:0; depth:9; tag:session,3600,seconds; classtype:policy-violation; sid:2000352; rev:1;)


Thierry Chich

>
>
> Chich Thierry wrote:
>
>> The bleeding edge rules sid:2000344 and following, that are looking for
>> IRC traffic on non-standard ports, give me huge traces.
>>
>> First of all, the session time (3600 seconds) is too long. Some people
>> use IRC in order to transmit divx files or warez.
>> Secondly, some rules announce that they track activity on non-std ports,
>> but there is nothing in the rule that checks the port. In my database,
>> I have captured 100000 packets of a chat session, and I truly doubt
>> that the user has sent a real message in these 100000 packets.
>>
>> Thierry Chich
>>
>>
