[Snort-sigs] Rules sid:2000344 and following (IRC).

Matthew Jonkman matt at ...2436...
Tue Aug 17 16:34:38 EDT 2004


Chich Thierry wrote:
> These are the rules submitted by Joel Esler.
> 
> The first 2 rules take care of the destination port. The third
> one seems dubious to me. Perhaps it should be "alert tcp $EXTERNAL_NET
> !6661:6668 -> $HOME_NET any" or
> "alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668"
> 

I think you're probably right there, but I'll leave that to Joel to 
comment on since he wrote the rule.

> The following rules (2000347 and following) do not include criteria
> on the destination port (any).

You're definitely right there. I'll make the changes in CVS in a few 
moments. They'll surely be up by the time this email makes it across the 
list.

Thanks for the corrections Chich.

Matt

> 
> 
> #Submitted by Joel Esler
> alert tcp any any -> any !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick 
> change on non-std port"; content: "NICK "; offset:0;depth:5; nocase; 
> dsize:<64; flow:to_server,established; tag:session,300,seconds; 
> classtype:policy-violation; sid:2000344; rev:2;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE 
> IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; 
> nocase; dsize:<64; flow:to_server,established; tag:session,3600,seconds; 
> classtype:trojan-activity; sid:2000345; rev:2;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET !6661:6668 (msg:"BLEEDING-EDGE 
> IRC - Name response on non-std port"; content:"\:"; offset:0; depth:1; 
> content:" 302 "; content:"=+"; content:"@"; dsize:<128; 
> flow:to_client,established; tag:session,3600,seconds; 
> classtype:trojan-activity; sid:2000346; rev:2;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> Private message on non-std port"; content:"PRIVMSG "; nocase;offset:0; 
> depth:8; dsize:<128; flow:to_server,established; 
> tag:session,3600,seconds; classtype:trojan-activity; sid:2000347; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; 
> nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established; 
> tag:session,3600,seconds; classtype:trojan-activity; sid:2000348; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> DCC file transfer request on non-std port"; flow:to_server,established; 
> content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; 
> nocase; tag:session,3600,seconds; classtype:policy-violation; 
> sid:2000349; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC -  
> DCC chat request on non-std port"; flow:to_server,established; 
> content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC CHAT 
> chat"; nocase; tag:session,3600,seconds; classtype:policy-violation; 
> sid:2000350; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> channel join on non-std port"; flow:to_server,established; content:"JOIN 
> \: \#"; nocase; offset:0; depth:8; tag:session,3600,seconds; 
> classtype:policy-violation; sid:2000351; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> dns request on non-std port"; flow:to_server,established; 
> content:"USERHOST "; nocase; offset:0; depth:9; 
> tag:session,3600,seconds; classtype:policy-violation; sid:2000352; rev:1;)
> 
> 
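One way to catch the inconsistency Chich points out mechanically, as an added example that is not from this thread or from the Bleeding Edge ruleset: a small Python linter that parses each Snort rule header, decides which end of the connection is the IRC server from the flow option (an assumption: to_client means the sender is the server, otherwise the receiver is), and flags any rule whose msg claims a non-standard port while the server-side port is still "any". The sample is three of the rules quoted above, re-wrapped to one rule per paragraph.

```python
import re

# Snort 2 rule header: action proto src sport dir dst dport (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# One option: keyword, colon, either a quoted string (escapes allowed) or bare text, then ';'
OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(text):
    """Parse one (possibly line-wrapped) rule into header fields plus the msg/sid/flow options."""
    m = HEADER.match(" ".join(text.split()))  # undo the mail client's line wrapping first
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    _, proto, src, sport, _, dst, dport, opts = m.groups()
    o = {k: v.strip('"') for k, v in OPTION.findall(opts)}  # last value wins for repeats
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "sid": o.get("sid"), "msg": o.get("msg", ""), "flow": o.get("flow", "")}

def check_rule(rule):
    """Findings for one rule; an empty list means the header backs up the msg's port claim."""
    if "non-std port" not in rule["msg"].lower():
        return []
    # Assumption: with flow:to_client the server is the sender, otherwise the receiver.
    to_client = "to_client" in rule["flow"]
    server, client = (rule["sport"], rule["dport"]) if to_client else (rule["dport"], rule["sport"])
    if server != "any":
        return []
    if client != "any":
        return ["port restriction is on the client side; move it to the server side"]
    return ["msg claims a non-std port but the header has no port criteria"]

def lint(rules_text):
    """Map sid -> findings for every rule in a blank-line-separated block of rules."""
    return {r["sid"]: check_rule(r) for r in map(parse_rule, rules_text.strip().split("\n\n"))}

# Constructed sample: three of the rules quoted in the thread, wrapped roughly as in the mail
SAMPLE = r"""
alert tcp any any -> any !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port";
content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established;
tag:session,300,seconds; classtype:policy-violation; sid:2000344; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Name response
on non-std port"; content:"\:"; offset:0; depth:1; content:" 302 "; content:"=+"; content:"@";
dsize:<128; flow:to_client,established; tag:session,3600,seconds; classtype:trojan-activity;
sid:2000346; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - Private message on
non-std port"; content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128;
flow:to_server,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000347; rev:1;)
"""
```

Calling `lint(SAMPLE)` returns no findings for sid 2000344, a "client side" finding for 2000346 (the rule Chich questioned) and a "no port criteria" finding for 2000347; the remaining quoted rules can be appended to SAMPLE the same way.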