[Snort-sigs] New bleeding sigs
matt at ...2436...
Tue Jul 6 16:03:17 EDT 2004
I think I might agree that we can include port 25, but I haven't tested
these more than a couple hours now.
Joel, I assume you had false positives with things going through email
on these, ya? Is that the reason for excluding 25?
It seems that you've been specific enough with your offset and depth to
exclude the errant email. Are we missing anything there? Is it a bad
idea to include 25 then?
Kevin Kolk wrote:
> The IRC rules look useful but the alert messages seem a bit misleading
> to me. They indicate they are alerting for traffic on non-standard IRC
> ports (6661 - 6668) but instead only exclude port 25 (smtp) or monitor
> 'any' port. To alert on non-standard ports only they should probably be:
> tcp any any -> any !6661:6668
> However I'm afraid that would alert for incoming IRC traffic however
> since that typically seems to show up as:
> tcp [irc_server] 6667 -> [client] any
> Which would tip off these rules even for normal 'standard' traffic. So
> maybe using:
> tcp any !6661:6668 -> any !6661:6668
> Would be better for detecting IRC traffic in non-standard ranges ?
> Of course depending on your network it may be better to simply alert for
> all IRC traffic. In some environments it seems like almost all the IRC
> traffic is malicious / trojan activity.
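The port-negation question Kevin raises (whether `tcp any any -> any !6661:6668` fires on a standard IRC server replying from 6667, and whether negating both sides avoids that) can be checked by modelling just the header-matching part of a Snort rule. The following is an added example, not code from the thread or from Snort itself; it implements a small subset of Snort's port syntax (`any`, a single port, `lo:hi`, and `!` negation, unidirectional `->` only, no content/offset/depth matching) and runs the three header variants discussed above over a few constructed flows. Flow names and port numbers other than 6661-6668 and 25 are assumptions chosen for illustration.

```python
"""Model of Snort rule-header port matching (added example, not Snort's own code).

Header shape handled: <proto> <src_ip> <src_port> -> <dst_ip> <dst_port>
Port spec subset handled: any | N | lo:hi | !<spec>
IP fields are parsed but ignored, since the thread is only about ports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortSpec:
    lo: int
    hi: int
    negated: bool = False

    def matches(self, port: int) -> bool:
        # "!" inverts the range test, exactly as the thread's "!6661:6668" intends
        inside = self.lo <= port <= self.hi
        return not inside if self.negated else inside


def parse_port_spec(spec: str) -> PortSpec:
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        lo, hi = 0, 65535
    elif ":" in spec:
        a, b = spec.split(":", 1)
        lo = int(a) if a else 0          # ":1024" means 0-1024
        hi = int(b) if b else 65535      # "1024:" means 1024-65535
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return PortSpec(lo, hi, negated)


def parse_header(header: str):
    """Return (proto, src PortSpec, dst PortSpec) for a unidirectional header."""
    parts = header.split()
    if len(parts) != 6 or parts[3] != "->":
        raise ValueError(f"unsupported header: {header!r}")
    proto, _src_ip, src_port, _arrow, _dst_ip, dst_port = parts
    return proto.lower(), parse_port_spec(src_port), parse_port_spec(dst_port)


def header_matches(header: str, proto: str, sport: int, dport: int) -> bool:
    h_proto, src, dst = parse_header(header)
    return h_proto == proto.lower() and src.matches(sport) and dst.matches(dport)


# Constructed sample flows (proto, source port, destination port); ephemeral
# client ports and the 8000 "non-standard IRC" port are illustrative choices.
FLOWS = {
    "client -> IRC server on 6667": ("tcp", 51234, 6667),
    "IRC server 6667 -> client":    ("tcp", 6667, 51234),
    "client -> IRC on 8000":        ("tcp", 51235, 8000),
    "IRC on 8000 -> client":        ("tcp", 8000, 51235),
    "mail client -> SMTP 25":       ("tcp", 51236, 25),
}

# The three header variants from the thread.
HEADER_ORIGINAL   = "tcp any any -> any !25"                 # "any port except smtp"
HEADER_DST_ONLY   = "tcp any any -> any !6661:6668"          # Kevin's first suggestion
HEADER_BOTH_SIDES = "tcp any !6661:6668 -> any !6661:6668"   # Kevin's second suggestion


def evaluate(header: str) -> dict:
    """Map each sample flow name to whether the header would fire on it."""
    return {name: header_matches(header, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for header in (HEADER_ORIGINAL, HEADER_DST_ONLY, HEADER_BOTH_SIDES):
        print(header)
        for name, hit in evaluate(header).items():
            print(f"  {'ALERT ' if hit else '      '} {name}")
```

Running it shows the point of the thread in one screen: the destination-only negation still fires on "IRC server 6667 -> client" (the server's reply packets have an ephemeral destination port), while negating both sides stays quiet on standard-port traffic in either direction and still fires on the port-8000 flows. The original `!25` header fires on everything except the SMTP flow, which is exactly the "any port" behaviour Kevin describes.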