[Snort-sigs] iroffer IRC P2P Bot signatures

Nigel Houghton nigel at ...435...
Tue Jun 29 18:37:01 EDT 2004


On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> So would these be accurate rules then Matt W:
> 
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help message"; 
> content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 
> 65 3A 20 22 2F 6D 73 67|"; depth:500; classtype: trojan-activity; 
> sid:20046250;priority:1; flags:PA;)

Use the $HOME_NET and $EXTERNAL_NET variables along with flow instead of
flags. Don't use priority, let the classtype decide that. Also include a
reference the user can use to get more pertinent information on the issue.

> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot offered files 
> advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; 
> depth:500; classtype: trojan-activity; sid:20046251; priority:1; flags:PA;)

same.

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

"Dude, dolphins are intelligent and friendly!" -- Wendy
"Intelligent and friendly on rye bread, with some mayonnaise." -- Cartman
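The four points in the reply (address variables instead of `any`, `flow` instead of `flags`, no `priority`, a `reference`) can be checked mechanically. The following is an added example, not code from the thread or from Sourcefire: a minimal Snort rule parser and linter that flags each of those points, plus a decoder that shows the ASCII the hex `content` matches. The posted rules are transcribed from the email as constructed input; the revised rule is an assumed rewrite of the first one, and its `reference` URL is a placeholder rather than a real advisory.

```python
# Added example: lint Snort rules against the review points from the thread.
# The reference URL in REVISED_RULE is a placeholder, not a real advisory.

# Rules as posted in the email (constructed input transcribed from the thread).
POSTED_RULES = [
    'alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help message"; '
    'content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 '
    '65 3A 20 22 2F 6D 73 67|"; depth:500; classtype: trojan-activity; '
    'sid:20046250;priority:1; flags:PA;)',
    'alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot offered files '
    'advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; '
    'depth:500; classtype: trojan-activity; sid:20046251; priority:1; flags:PA;)',
]

# The first rule after applying the reply's advice (assumed rewrite).
# Port 6667 is the IRC server side, so the matched text flows to the client.
REVISED_RULE = (
    'alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ('
    'msg:"P2P iroffer IRC Bot help message"; flow:to_client,established; '
    'content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 '
    '65 3A 20 22 2F 6D 73 67|"; depth:500; '
    'reference:url,example.invalid/iroffer-placeholder; '
    'classtype:trojan-activity; sid:20046250; rev:2;)'
)


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    opts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(rule):
    """Parse a single-line Snort rule into header fields and (key, value) options."""
    header, _, body = rule.partition('(')
    action, proto, src, sport, direction, dst, dport = header.split()
    options = []
    for raw in split_options(body.strip().rstrip(')')):
        key, _, value = raw.partition(':')
        options.append((key.strip(), value.strip()))
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport, 'options': options}


def lint_rule(rule):
    """Return the review findings for a rule; an empty list means it passes."""
    parsed = parse_rule(rule)
    keys = [k for k, _ in parsed['options']]
    findings = []
    if parsed['src'] == 'any' and parsed['dst'] == 'any':
        findings.append('use $HOME_NET/$EXTERNAL_NET instead of any -> any')
    if 'flags' in keys:
        findings.append('replace flags with flow')
    elif 'flow' not in keys:
        findings.append('add a flow option')
    if 'priority' in keys:
        findings.append('drop priority; classtype already sets it')
    if 'reference' not in keys:
        findings.append('add a reference for the analyst')
    return findings


def decode_content(rule):
    """Render the first content match with |hex| segments decoded to text."""
    value = dict(parse_rule(rule)['options'])['content'].strip('"')
    out = ''
    for i, piece in enumerate(value.split('|')):
        out += bytes.fromhex(piece).decode('latin-1') if i % 2 else piece
    return out


if __name__ == '__main__':
    for rule in POSTED_RULES + [REVISED_RULE]:
        print(decode_content(rule))
        for finding in lint_rule(rule) or ['ok']:
            print('  -', finding)
```

Running it prints the decoded match strings (`To request a file type: "/msg` and `Total Offered:`) followed by the four findings for each posted rule and `ok` for the revised one. The parser is deliberately minimal: it handles one rule per line and quoted `content` values, which is enough for the rules in this thread.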
