[Snort-sigs] New bleeding sigs

Matthew Jonkman matt at ...2436...
Tue Jul 6 17:54:33 EDT 2004


Joel agreed, I've updated the ports on those 3 rules.

Thanks for the idea Kevin. It's updated on bleedingsnort.com.

Matt

Matthew Jonkman wrote:

> I think I might agree that we can include port 25, but I haven't tested 
> these more than a couple hours now.
> 
> Joel, I assume you had false positives with things going through email 
> on these, ya? Is that the reason for excluding 25?
> 
> It seems that you've been specific enough with your offset and depth to 
> exclude the errant email. Are we missing anything there? Is it a bad 
> idea to include 25 then?
> 
> Matt
> 
> Kevin Kolk wrote:
> 
>>
>> The IRC rules look useful but the alert messages seem a bit 
>> misleading to me.   They indicate they are alerting for traffic on 
>> non-standard IRC ports (6661 - 6668) but instead only exclude port 25 
>> (smtp) or monitor 'any' port.   To alert on non-standard ports only 
>> they should probably be:
>>
>> tcp any any -> any !6661:6668
>>
>> However, I'm afraid that would alert for incoming IRC traffic, since 
>> that typically seems to show up as:
>>
>> tcp [irc_server] 6667 -> [client] any
>>
>> Which would tip off these rules even for normal 'standard' traffic.   
>> So maybe using:
>>
>> tcp any !6661:6668 -> any !6661:6668
>>
>> Would be better for detecting IRC traffic in non-standard ranges? 
>> Of course depending on your network it may be better to simply alert 
>> for all IRC traffic.   In some environments it seems like almost all 
>> the IRC traffic is malicious / trojan activity.
>> Kevin
>>
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
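The port-range discussion above turns on how Snort's header port fields evaluate, so here is an added example (written for this page, not code from the thread or from Snort) that mimics the port-matching part of a rule header and runs the three headers discussed in the thread against a handful of constructed flows. It handles only the port syntax the thread uses ('any', a single port, a 'lo:hi' range, and the '!' negation prefix), ignores the address fields, and the flows and their descriptions are made up for illustration; port lists, variables and the address fields are outside what this example models.

```python
"""
Added example, not from the snort-sigs thread: a minimal matcher for the
port fields of a Snort rule header, used to show which flows each of the
headers discussed in the thread would alert on.

Assumptions (this is an illustration, not Snort's parser):
  - only 'any', a single port, 'lo:hi' ranges, and a leading '!' are handled;
  - address fields are ignored (they are 'any' in every header in the thread);
  - the flows below are constructed, not captured traffic.
"""

# Constructed flows: (source port, destination port, description).
FLOWS = [
    (51234, 6667, "client -> IRC server on standard port"),
    (6667, 51234, "IRC server on standard port -> client"),
    (51234, 25, "client -> SMTP server (mail that happens to contain IRC text)"),
    (51234, 8080, "client -> bot controller on non-standard port"),
    (8080, 51234, "bot controller on non-standard port -> client"),
]


def parse_port_spec(spec):
    """Return a predicate port -> bool for one Snort-style port field."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        base = lambda p: True
    elif ":" in spec:
        # 'lo:hi', with either side optional, as in ':1024' or '1024:'
        lo, hi = spec.split(":", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 65535
        base = lambda p, lo=lo, hi=hi: lo <= p <= hi
    else:
        val = int(spec)
        base = lambda p, val=val: p == val
    if negate:
        return lambda p: not base(p)
    return base


def parse_header(header):
    """Parse 'tcp <src> <sport> -> <dst> <dport>' into (sport_pred, dport_pred).

    The address fields are accepted but not evaluated in this example.
    """
    parts = header.split()
    if len(parts) != 6 or parts[3] != "->":
        raise ValueError(f"unsupported header: {header!r}")
    return parse_port_spec(parts[2]), parse_port_spec(parts[5])


def matches(header, sport, dport):
    """True if a flow with these ports satisfies the header's port fields."""
    sport_ok, dport_ok = parse_header(header)
    return sport_ok(sport) and dport_ok(dport)


def evaluate(header, flows=FLOWS):
    """Return the descriptions of the flows the header would fire on."""
    return [desc for sport, dport, desc in flows if matches(header, sport, dport)]


HEADERS = [
    "tcp any any -> any !25",                     # shape Kevin objected to
    "tcp any any -> any !6661:6668",              # first suggestion
    "tcp any !6661:6668 -> any !6661:6668",       # second suggestion
]

if __name__ == "__main__":
    for header in HEADERS:
        print(header)
        for desc in evaluate(header):
            print("   fires on:", desc)
```

Running it shows the point Kevin made: `any any -> any !6661:6668` still fires on the reply from a standard-port IRC server (source 6667, destination ephemeral), while the header that excludes the range on both sides fires only on the flows where neither end is a standard IRC port. The `!25` form fires on everything except mail, which is why the thread treats it as "alert on all IRC traffic" rather than "non-standard ports only".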
