[Snort-sigs] New bleeding sigs

Kevin Kolk kkolk at ...2595...
Tue Jul 6 15:07:01 EDT 2004


The IRC rules look useful but the alert messages seem a bit misleading
to me. They indicate they are alerting for traffic on non-standard IRC
ports (6661 - 6668) but instead only exclude port 25 (smtp) or monitor
'any' port. To alert on non-standard ports only they should probably
be:

tcp any any -> any !6661:6668

However, I'm afraid that would alert for incoming IRC traffic, since
that typically seems to show up as:

tcp [irc_server] 6667 -> [client] any 

Which would tip off these rules even for normal 'standard' traffic. So
maybe using:

tcp any !6661:6668 -> any !6661:6668 

Would be better for detecting IRC traffic in non-standard ranges?

Of course, depending on your network it may be better to simply alert for
all IRC traffic. In some environments it seems like almost all the IRC
traffic is malicious / trojan activity.

Kevin

On Tue, 2004-07-06 at 17:20, Matthew Jonkman wrote:

> alert tcp any any -> any !25 (msg:"BLEEDING-EDGE IRC - Nick change on 
> non-std port"; content: "NICK "; offset:0; depth:5; nocase; dsize:<64; 
> flow:to_server,established; tag:session,300,seconds; 
> classtype:policy-violation; sid:2000344; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"BLEEDING-EDGE IRC - 
> Nick change on non-std port"; content:"NICK "; offset:0; depth:5; 
> nocase; dsize:<64; flow:to_server,established; tag:session,3600,seconds; 
> classtype:trojan-activity; sid:2000345; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET !25 (msg:"BLEEDING-EDGE IRC - 
> Name response on non-std port"; content:"\:"; offset:0; depth:1; 
> content:" 302 "; content:"=+"; content:"@"; dsize:<128; 
> flow:to_client,established; tag:session,3600,seconds; 
> classtype:trojan-activity; sid:2000346;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0; 
> depth:8; dsize:<128; flow:to_server,established; 
> tag:session,3600,seconds; classtype:trojan-activity; sid:2000347; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; 
> nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established; 
> tag:session,3600,seconds; classtype:trojan-activity; sid:2000348; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> DCC file transfer request on non-std port"; flow:to_server,established; 
> content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; 
> nocase; tag:session,3600,seconds; classtype:policy-violation; 
> sid:2000349; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> DCC chat request on non-std port"; flow:to_server,established; 
> content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC CHAT 
> chat"; nocase; tag:session,3600,seconds; classtype:policy-violation; 
> sid:2000350; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> channel join on non-std port"; flow:to_server,established; content:"JOIN 
> \: \#"
> ; nocase; offset:0; depth:8; tag:session,3600,seconds; 
> classtype:policy-violation; sid:2000351; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - 
> dns request on non-std port"; flow:to_server,established; 
> content:"USERHOST "; nocase; offset:0; depth:9; 
> tag:session,3600,seconds; classtype:policy-violation; sid:2000352; rev:1;)
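Kevin's point about which rule header actually restricts alerts to non-standard ports can be checked without a sensor. The following is an added example, not code from the thread or from the Bleeding Edge ruleset: a small evaluator for Snort-style port specifications (`any`, a single port, a `lo:hi` range, and `!` negation; port lists and `$VAR` names are not modelled) that runs the three candidate headers from the discussion against constructed flows. The client ephemeral port 51234 and the non-standard server port 8080 are constructed sample values.

```python
# Added example (not part of the original mailing-list post): a minimal
# evaluator for Snort rule-header port specifications, used to compare the
# candidate headers from the thread against constructed flows.
# Assumption: only "any", "N", "lo:hi", "lo:", ":hi" and a leading "!" are
# supported; port lists and $VARIABLES are not.

def parse_port_spec(spec: str):
    """Return (negated, low, high) for a Snort-style port specification."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return (negated, 0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (negated, int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (negated, port, port)


def port_matches(spec: str, port: int) -> bool:
    """True if `port` satisfies the spec, honouring negation."""
    negated, lo, hi = parse_port_spec(spec)
    inside = lo <= port <= hi
    return (not inside) if negated else inside


def header_matches(header: str, src_port: int, dst_port: int) -> bool:
    """Evaluate a header such as 'tcp any any -> any !6661:6668'.

    Only the two port fields are checked; protocol and IP fields are ignored,
    and rule options such as flow:to_server are not modelled.
    """
    _proto, _src_ip, src_spec, arrow, _dst_ip, dst_spec = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are supported")
    return port_matches(src_spec, src_port) and port_matches(dst_spec, dst_port)


# Constructed flows: (source port, destination port). 51234 is a constructed
# client ephemeral port; 8080 stands in for an arbitrary non-standard port.
FLOWS = {
    "outbound standard": (51234, 6667),   # client -> IRC server on 6667
    "inbound standard":  (6667, 51234),   # IRC server 6667 -> client
    "outbound non-std":  (51234, 8080),   # client -> server on non-standard port
    "inbound non-std":   (8080, 51234),   # server on non-standard port -> client
    "outbound smtp":     (51234, 25),     # excluded by the original header
}

# The three headers discussed in the thread.
HEADERS = {
    "original (!25)":         "tcp any any -> any !25",
    "dst-only (!6661:6668)":  "tcp any any -> any !6661:6668",
    "both ends (!6661:6668)": "tcp any !6661:6668 -> any !6661:6668",
}


def evaluate(headers=HEADERS, flows=FLOWS):
    """Return {header_name: {flow_name: would_alert}} for every combination."""
    return {
        name: {flow: header_matches(hdr, *ports) for flow, ports in flows.items()}
        for name, hdr in headers.items()
    }


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for flow, hit in results.items():
            print(f"  {flow:20s} {'ALERT' if hit else 'pass'}")
```

Running it shows the asymmetry the post describes: `any any -> any !6661:6668` still fires on the inbound `6667 -> 51234` flow because only the destination port is constrained, while `any !6661:6668 -> any !6661:6668` stays quiet on standard-port traffic in both directions and fires only when neither end is in 6661-6668. The evaluator looks at the header alone; the `flow:` option in the quoted rules is not part of the model.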

