[Snort-sigs] New bleeding sigs

Matthew Jonkman matt at ...2436...
Tue Jul 6 16:03:17 EDT 2004


I think I might agree that we can include port 25, but I haven't tested 
these more than a couple hours now.

Joel, I assume you had false positives with things going through email 
on these, ya? Is that the reason for excluding 25?

It seems that you've been specific enough with your offset and depth to 
exclude the errant email. Are we missing anything there? Is it a bad 
idea to include 25 then?

Matt

Kevin Kolk wrote:

> 
> The IRC rules look useful but the alert messages seem a bit misleading 
> to me. They indicate they are alerting for traffic on non-standard IRC 
> ports (6661 - 6668) but instead only exclude port 25 (smtp) or monitor 
> 'any' port. To alert on non-standard ports only they should probably be:
> 
> tcp any any -> any !6661:6668
> 
> However I'm afraid that would alert for incoming IRC traffic however 
> since that typically seems to show up as:
> 
> tcp [irc_server] 6667 -> [client] any
> 
> Which would tip off these rules even for normal 'standard' traffic.   So 
> maybe using:
> 
> tcp any !6661:6668 -> any !6661:6668
> 
> Would be better for detecting IRC traffic in non-standard ranges ?  
> 
> Of course depending on your network it may be better to simply alert for 
> all IRC traffic.   In some environments it seems like almost all the IRC 
> traffic is malicious / trojan activity. 
> 
> Kevin
> 
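To make the port-matching argument in Kevin's reply concrete, here is an added example (not code from the thread or from Snort itself) that evaluates the three candidate rule headers discussed above against a few constructed TCP flows. It handles only the port fields of a Snort header (`any`, a single port, a `lo:hi` range, and `!` negation); the IP address fields and the `<>` bidirectional operator are assumed out of scope and ignored. The flow names and port numbers are constructed for illustration.

```python
"""Evaluate Snort-style rule-header port specs against sample flows.

Added example: shows which of the headers discussed in the thread fire on
standard vs. non-standard IRC traffic. Address fields are ignored.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortSpec:
    """A single port, a lo:hi range, or 'any', optionally negated with '!'."""
    lo: int
    hi: int
    negated: bool = False
    any_port: bool = False

    def matches(self, port: int) -> bool:
        if self.any_port:
            return True
        inside = self.lo <= port <= self.hi
        return (not inside) if self.negated else inside


def parse_port_spec(spec: str) -> PortSpec:
    """Parse 'any', '25', '!25', '6661:6668', '!6661:6668', ':1024', '1024:'."""
    spec = spec.strip()
    if spec == "any":
        return PortSpec(0, 65535, any_port=True)
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0          # ':1024' means 0..1024
        hi = int(hi_s) if hi_s else 65535      # '1024:' means 1024..65535
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return PortSpec(lo, hi, negated)


@dataclass(frozen=True)
class RuleHeader:
    proto: str
    src_port: PortSpec
    dst_port: PortSpec


def parse_header(header: str) -> RuleHeader:
    """Parse 'proto src_ip src_port -> dst_ip dst_port'; addresses are ignored."""
    proto, _src_ip, src_port, arrow, _dst_ip, dst_port = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are handled here")
    return RuleHeader(proto, parse_port_spec(src_port), parse_port_spec(dst_port))


def header_matches(header: RuleHeader, proto: str, sport: int, dport: int) -> bool:
    return (header.proto == proto
            and header.src_port.matches(sport)
            and header.dst_port.matches(dport))


# Constructed sample flows: (proto, source port, destination port).
# 51234 stands in for an arbitrary client ephemeral port.
FLOWS = {
    "outbound-standard": ("tcp", 51234, 6667),     # client -> IRC server on 6667
    "inbound-standard": ("tcp", 6667, 51234),      # IRC server -> client
    "outbound-nonstandard": ("tcp", 51234, 7000),  # client -> IRC on 7000
    "smtp": ("tcp", 51234, 25),                    # ordinary mail delivery
}

# The three header variants discussed in the thread.
HEADERS = {
    "exclude-smtp": "tcp any any -> any !25",
    "dst-nonstandard": "tcp any any -> any !6661:6668",
    "both-nonstandard": "tcp any !6661:6668 -> any !6661:6668",
}


def evaluate(headers=HEADERS, flows=FLOWS):
    """Return {header name: {flow name: matched?}} for every header/flow pair."""
    result = {}
    for hname, htext in headers.items():
        header = parse_header(htext)
        result[hname] = {fname: header_matches(header, *flow)
                         for fname, flow in flows.items()}
    return result


if __name__ == "__main__":
    for hname, row in evaluate().items():
        print(f"{hname:18s}", {k: ("fire" if v else "-") for k, v in row.items()})
```

Running it shows the point of the reply: `any any -> any !6661:6668` still fires on the inbound half of an ordinary IRC session (server port 6667 talking back to the client's ephemeral port), because only the destination port is constrained; negating both ends suppresses both halves of standard-port sessions while still catching traffic on 7000; and `!25` alone fires on everything but mail.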