[Snort-sigs] Re: "CHAT IRC channel join" seems wrong

Colin Grady colin.grady at ...2420...
Thu Jun 30 08:57:35 EDT 2005


Or even using PCRE we can see both local and global IRC channel joins:

  alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN "; nocase; pcre:"/^JOIN\s(#|&)[a-zA-Z0-9]+/ism"; classtype:policy-violation; sid:1729; rev:7;)

Colin


On 6/30/05, Colin Grady <colin.grady at ...2420...> wrote:
> According to how I understand the IRC protocol, there shouldn't be a
> colon in the JOIN command from client to server. Looking at RFC 1459
> confirms this. Here is the applicable section:
> 
>   http://www.irchelp.org/irchelp/rfc/chapter4.html#c4_2_1
> 
> Here's the current signature:
> 
>   alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
> 
> I think this signature should be changed to the following:
> 
>   alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:6;)
> 
> Colin
>
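
Added example (not part of the original thread or of the Snort ruleset): a Python model of the payload tests in the three revisions above, run over constructed client lines to show which revision fires on which JOIN form. Only the content and pcre options are modelled; ports, flow state and the sample payloads are assumptions made for illustration.

```python
import re

# rev:7 pcre from the thread; Python flags I, S, M stand in for /ism.
REV7_PCRE = re.compile(rb"^JOIN\s(#|&)[a-zA-Z0-9]+", re.I | re.S | re.M)

def contains_nocase(payload: bytes, needle: bytes) -> bool:
    """content with nocase and offset:0 but no depth: search the whole payload."""
    return needle.lower() in payload.lower()

def rev5(payload: bytes) -> bool:
    # content:"JOIN |3A| |23|" is the byte string "JOIN : #"
    return contains_nocase(payload, b"JOIN : #")

def rev6(payload: bytes) -> bool:
    # content:"JOIN |23|" is the byte string "JOIN #"
    return contains_nocase(payload, b"JOIN #")

def rev7(payload: bytes) -> bool:
    # content:"JOIN " must be present and the pcre must match
    return contains_nocase(payload, b"JOIN ") and REV7_PCRE.search(payload) is not None

# Constructed sample payloads (client to server), not captured traffic.
SAMPLES = {
    "global": b"JOIN #snort\r\n",
    "local": b"JOIN &local\r\n",
    "lowercase_list": b"join #Chan1,#chan2 key\r\n",
    "after_registration": b"NICK a\r\nUSER a 0 * :a\r\nJOIN #ops\r\n",
    "colon_form": b"JOIN : #chan\r\n",
    "join_inside_message": b"PRIVMSG #snort :please JOIN #other\r\n",
}

def evaluate(payload: bytes) -> tuple:
    """Return (rev5, rev6, rev7) match results for one payload."""
    return (rev5(payload), rev6(payload), rev7(payload))

def report() -> dict:
    return {name: evaluate(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:22} rev5={hits[0]!s:5} rev6={hits[1]!s:5} rev7={hits[2]}")
```

Because the content matches have no depth, rev:6 also fires on the word JOIN inside a PRIVMSG body, while the line-anchored pcre in rev:7 does not.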



