[Snort-sigs] New bleeding sigs
matt at ...2436...
Tue Jul 6 17:54:33 EDT 2004
Joel agreed, I've updated the ports on those 3 rules.
Thanks for the idea Kevin. It's updated on bleedingsnort.com.
Matthew Jonkman wrote:
> I think I might agree that we can include port 25, but I haven't tested
> these more than a couple hours now.
> Joel, I assume you had false positives with things going through email
> on these, ya? Is that the reason for excluding 25?
> It seems that you've been specific enough with your offset and depth to
> exclude the errant email. Are we missing anything there? Is it a bad
> idea to include 25 then?
> Kevin Kolk wrote:
>> The IRC rules look useful but the alert messages seem a bit
>> misleading to me. They indicate they are alerting for traffic on
>> non-standard IRC ports (6661 - 6668) but instead only exclude port 25
>> (smtp) or monitor 'any' port. To alert on non-standard ports only
>> they should probably be:
>> tcp any any -> any !6661:6668
>> However, I'm afraid that would alert for incoming IRC traffic,
>> since that typically seems to show up as:
>> tcp [irc_server] 6667 -> [client] any
>> Which would tip off these rules even for normal 'standard' traffic.
>> So maybe using:
>> tcp any !6661:6668 -> any !6661:6668
>> Would be better for detecting IRC traffic in non-standard ranges?
>> Of course depending on your network it may be better to simply alert
>> for all IRC traffic. In some environments it seems like almost all
>> the IRC traffic is malicious / trojan activity.
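To make the port-header discussion above concrete, here is an added example (not code from the thread or from bleedingsnort.com) that evaluates the three candidate Snort rule headers against constructed sample flows. The client ephemeral port (51234), the "outbound nonstandard" port (8080) and the shape of the original header (`tcp any any -> any !25`) are assumptions; only the header port fields are checked, not the rules' content/offset/depth matches.

```python
import re

# Snort 2 header port syntax used in the thread: 'any', a single port,
# a range 'N:M' (open-ended ':M' / 'N:' too), and a leading '!' for negation.
HEADER_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)$")


def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` satisfies a port spec such as '!6661:6668'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(header: str, src_port: int, dst_port: int) -> bool:
    """Apply the port fields of a 'tcp SRC SPORT -> DST DPORT' header to a flow."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError(f"unsupported header: {header!r}")
    _proto, _src, sport, _dst, dport = m.groups()
    return port_matches(sport, src_port) and port_matches(dport, dst_port)


# Constructed sample flows as (src_port, dst_port); 51234 is an assumed
# client ephemeral port, 8080 an assumed non-standard IRC port.
FLOWS = {
    "outbound standard": (51234, 6667),    # client -> IRC server on 6667
    "inbound standard": (6667, 51234),     # server -> client, as Kevin describes
    "outbound nonstandard": (51234, 8080), # IRC on a non-standard port
    "outbound smtp": (51234, 25),          # mail traffic, the excluded case
}

# The three headers discussed; "original" is the assumed shape of the rule
# Kevin describes as only excluding port 25.
CANDIDATES = {
    "original": "tcp any any -> any !25",
    "first try": "tcp any any -> any !6661:6668",
    "refined": "tcp any !6661:6668 -> any !6661:6668",
}


def evaluate() -> dict:
    """Map each candidate header to the set of flow names it would fire on."""
    return {name: {f for f, (s, d) in FLOWS.items() if header_matches(h, s, d)}
            for name, h in CANDIDATES.items()}
```

Running `evaluate()` shows the "first try" header firing on the inbound 6667 -> client flow while the "refined" header does not, which is exactly the objection raised in the thread.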