[Snort-sigs] Re: "CHAT IRC channel join" seems wrong

Colin Grady colin.grady at ...2420...
Thu Jun 30 13:23:43 EDT 2005


That last signature had the wrong destination port designated. My
mistake. I use the !80 port definition so I can gain some visibility
to the virus/worm traffic. If you prefer the purer version of the
signature, replace !80 with the original 6666:7000 definition.

Sorry about any confusion it may have caused.

Colin


On 6/30/05, Colin Grady <colin.grady at ...2420...> wrote:
> Or even using PCRE we can see both local and global IRC channel joins:
> 
>   alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"CHAT IRC channel
> join"; flow:to_server,established; content:"JOIN "; nocase;
> pcre:"/^JOIN\s(#|&)[a-zA-Z0-9]+/ism"; classtype:policy-violation;
> sid:1729; rev:7;)
> 
> Colin
> 
> 
> On 6/30/05, Colin Grady <colin.grady at ...2420...> wrote:
> > According to how I understand the IRC protocol, there shouldn't be a
> > colon in the JOIN command from client to server. Looking at RFC 1459
> > confirms this. Here is the applicable section:
> >
> >   http://www.irchelp.org/irchelp/rfc/chapter4.html#c4_2_1
> >
> > Here's the current signature:
> >
> >   alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC
> > channel join"; flow:to_server,established; content:"JOIN |3A| |23|";
> > offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
> >
> > I think this signature should be changed to the following:
> >
> >   alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC
> > channel join"; flow:to_server,established; content:"JOIN |23|";
> > offset:0; nocase; classtype:policy-violation; sid:1729; rev:6;)
> >
> > Colin
> >
>
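To see concretely what each revision of sid:1729 discussed in this thread does and does not fire on, here is an added example (not Colin's code, nor from the Snort rule set) that emulates the content/offset/nocase and pcre options in Python against constructed client-to-server payloads; beyond the thread's point, it also shows that the `m` flag on the rev:7 PCRE catches a JOIN that is not the first command in the segment, which offset:0 cannot.

```python
import re

# Match conditions of the three revisions of sid:1729 quoted in the thread.
# Snort 'content' with offset:0 and nocase means a case-insensitive match
# that must start at byte 0 of the payload; |3A| and |23| are the hex bytes
# ':' and '#', so rev:5 looks for the literal bytes "JOIN : #".
REV5_CONTENT = b"JOIN : #"
REV6_CONTENT = b"JOIN #"
REV7_CONTENT = b"JOIN "          # no offset/depth: may occur anywhere
# pcre:"/^JOIN\s(#|&)[a-zA-Z0-9]+/ism" -> i=nocase, s=dotall, m=multiline
REV7_PCRE = re.compile(rb"^JOIN\s(#|&)[a-zA-Z0-9]+", re.I | re.S | re.M)


def content_at_offset0(payload: bytes, needle: bytes) -> bool:
    """Emulate content:"..."; offset:0; nocase; (match anchored at byte 0)."""
    return payload[: len(needle)].lower() == needle.lower()


def rev5(payload: bytes) -> bool:
    return content_at_offset0(payload, REV5_CONTENT)


def rev6(payload: bytes) -> bool:
    return content_at_offset0(payload, REV6_CONTENT)


def rev7(payload: bytes) -> bool:
    # Both options must match: the content prefilter and the PCRE.
    return (REV7_CONTENT.lower() in payload.lower()
            and REV7_PCRE.search(payload) is not None)


def evaluate(payload: bytes) -> dict:
    """Return which revisions fire on one client-to-server TCP payload."""
    return {"rev5": rev5(payload), "rev6": rev6(payload), "rev7": rev7(payload)}


# Constructed client-side payloads (not real captures), RFC 1459 style.
SAMPLES = {
    "global channel":       b"JOIN #snort\r\n",
    "local channel":        b"JOIN &local\r\n",
    "lower-case, with key": b"join #Snort,#pcre s3cret\r\n",
    "JOIN inside PRIVMSG":  b"PRIVMSG #snort :JOIN #x\r\n",
    "pipelined second cmd": b"PRIVMSG #snort :hi\r\nJOIN #x\r\n",
    "bytes rev:5 expects":  b"JOIN : #odd\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22} {evaluate(payload)}")
```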



