[Snort-sigs] Fwd: Snort rule doesn't generate alerts when hosts responding simultaneously

Aymen AlAwady aymenco777 at ...3390...
Sun Mar 11 22:20:18 EDT 2012


alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious
act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64;
flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown;
sid:2000346; rev:4;)

The above rule is written to monitor bots responding messages to the
botmaster. The rule is working fine, but only when one bot making the
respond and there is no alert or even one alert for one host when more than
one host responding simultaneously. I have changed the session time to 30
or 150 but no luck.

Any tips or tricks to make it efficient?




P Do you really need to print this e-mail? Think globally, act locally
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120312/f6fdf619/attachment.html>

More information about the Snort-sigs mailing list