[Snort-sigs] "CHAT IRC channel join" seems wrong

Colin Grady colin.grady at ...2420...
Thu Jun 30 08:36:41 EDT 2005


According to how I understand the IRC protocol, there shouldn't be a
colon in the JOIN command from client to server. Looking at RFC 1459
confirms this. Here is the applicable section:

  http://www.irchelp.org/irchelp/rfc/chapter4.html#c4_2_1

Here's the current signature:

  alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)

I think this signature should be changed to the following:

  alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:6;)

Colin
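
The difference between the two content patterns above can be checked offline. This is an added example, not part of the original post and not Snort's own code: a simplified emulation of only the content, offset and nocase options, run over constructed sample payloads. The function names are hypothetical.

```python
OLD = "JOIN |3A| |23|"   # content string from rev:5 of sid 1729
NEW = "JOIN |23|"        # content string proposed for rev:6

def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to raw bytes; |..| spans hold hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                       # odd parts sit between pipes
            out += bytes.fromhex(part)  # fromhex ignores embedded spaces
        else:
            out += part.encode("ascii")
    return bytes(out)

def content_match(payload: bytes, spec: str, offset: int = 0,
                  nocase: bool = False) -> bool:
    """Search for the pattern from `offset` to the end of the payload
    (no depth option is set in either rule, so the search is unbounded)."""
    pattern, haystack = parse_content(spec), payload[offset:]
    if nocase:
        pattern, haystack = pattern.lower(), haystack.lower()
    return pattern in haystack

def compare(payload: bytes) -> tuple:
    """Return (old rule matches, proposed rule matches) for one payload."""
    return (content_match(payload, OLD, 0, True),
            content_match(payload, NEW, 0, True))

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"JOIN #foobar\r\n",               # client JOIN in the RFC 1459 form
    b"join #snort\r\n",                # same command, lower case
    b"JOIN #foo,#bar fubar,foobar\r\n",  # several channels with keys
    b"JOIN : #chan\r\n",               # the only shape the old pattern needs
    b"PRIVMSG #chan :hello\r\n",       # unrelated command
]

if __name__ == "__main__":
    print("old pattern bytes:", parse_content(OLD))
    print("new pattern bytes:", parse_content(NEW))
    for p in SAMPLES:
        old_hit, new_hit = compare(p)
        print(f"{p!r:40} old={old_hit!s:5} new={new_hit}")
```
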



