[Snort-sigs] Snort rule doesn't generate alerts when hosts responding simultaneously

Balasubramaniam Natarajan bala150985 at ...2420...
Sun Mar 11 22:50:11 EDT 2012


Hi Aymen,

A tag is used to tag both the source and destination and capture more
packets of them rather than just one IP address.

In the original rule once Snort sees PRIVMSG it would have tagged x.x.x.x
going to y.y.y.y and it would have captured all alerts up to 300 seconds.

If your only goal is to see how many client systems are involved in the bot,
you can change the rule to

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious
act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64;
flow:to_server,established; classtype:bad-unknown; sid:2000346; rev:5;)

Kindly correct me if I am wrong.


On Thu, Mar 8, 2012 at 9:21 AM, Aymen AlAwady <aymenco777 at ...3390...> wrote:

> Hi,
>
> alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious
> act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64;
> flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown;
> sid:2000346; rev:4;)
>
> The above rule is written to monitor bots' response messages to the
> botmaster. The rule is working fine, but only when one bot makes the
> response; there is no alert, not even one alert for one host, when more than
> one host responds simultaneously. I have changed the session time to 30
> or 150 but no luck.
>
> Any tips or tricks to make it efficient?
>
> Thanks.
>
> -Aymen
>
> --
> Aymen Hassan AlAwady
> Master Student of Computer Science (Distributed Computing & Networks)
> School of Computer Sciences - Universiti Sains Malaysia (USM)
> 11800 USM, Penang,
> MALAYSIA
> H/P: +60176181394
> Email: aymenh at ...3667...
>
>



-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
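As an added illustration (not code from this thread, and not Snort's own matching engine), the following Python script parses the option block of the tag-less rule above, evaluates its content/offset/depth/nocase/dsize options against a few constructed IRC payloads, and counts alerts per source host, which is the "how many client systems are involved" view the reply suggests. The parser, the simplified matcher, and the sample packets are all assumptions made for this example; real Snort also evaluates flow state and the TCP header, which this script does not model.

```python
import re
from collections import Counter

# The rule as suggested in the reply above (tag:session removed, rev:5).
RULE = ('alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious act"; '
        'content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; '
        'flow:to_server,established; classtype:bad-unknown; sid:2000346; rev:5;)')


def parse_options(rule):
    """Split the parenthesised option block of a Snort rule into (keyword, value) pairs.

    Flag options such as nocase get value None; quoted values lose their quotes.
    Semicolons inside double quotes (legal in msg strings) do not end an option.
    Assumption: this is a simplified parser for this example, not Snort's own.
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, buf, in_quote = [], '', False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            key, _, val = buf.strip().partition(':')
            opts.append((key, val.strip().strip('"') if val else None))
            buf = ''
        else:
            buf += ch
    return opts


def build_matcher(opts):
    """Turn content/offset/depth/nocase/dsize options into a predicate over a payload.

    offset: byte position where the search starts; depth: how many bytes from the
    offset are searched; nocase: case-insensitive compare; dsize: payload-size test.
    """
    content, offset, depth, nocase, dsize = None, 0, None, False, None
    for key, val in opts:
        if key == 'content':
            content = val.encode()
        elif key == 'offset':
            offset = int(val)
        elif key == 'depth':
            depth = int(val)
        elif key == 'nocase':
            nocase = True
        elif key == 'dsize':
            dsize = val

    def dsize_ok(n):
        if dsize is None:
            return True
        m = re.fullmatch(r'(\d+)<>(\d+)', dsize)
        if m:  # range form, e.g. dsize:300<>400
            return int(m.group(1)) < n < int(m.group(2))
        if dsize.startswith('<'):
            return n < int(dsize[1:])
        if dsize.startswith('>'):
            return n > int(dsize[1:])
        return n == int(dsize)

    def matches(payload):
        if content is None or not dsize_ok(len(payload)):
            return False
        window = payload[offset:] if depth is None else payload[offset:offset + depth]
        needle, hay = (content.lower(), window.lower()) if nocase else (content, window)
        return needle in hay

    return matches


def count_alerts(matches, packets):
    """Apply the predicate to (src_ip, payload) pairs and count alerts per source host."""
    hits = Counter()
    for src, payload in packets:
        if matches(payload):
            hits[src] += 1
    return hits


# Constructed sample traffic: four client hosts talking to an IRC server.
SAMPLE_PACKETS = [
    ('10.0.0.5', b'PRIVMSG #ops :alive\r\n'),                  # matches
    ('10.0.0.6', b'privmsg #ops :ALIVE\r\n'),                  # matches via nocase
    ('10.0.0.7', b':bot7 PRIVMSG #ops :alive\r\n'),            # PRIVMSG outside the first 7 bytes
    ('10.0.0.5', b'PRIVMSG #ops :' + b'A' * 60 + b'\r\n'),     # 76 bytes, fails dsize:<64
    ('10.0.0.8', b'NICK bot8\r\n'),                            # no PRIVMSG at all
]

if __name__ == '__main__':
    matcher = build_matcher(parse_options(RULE))
    for src, count in sorted(count_alerts(matcher, SAMPLE_PACKETS).items()):
        print(f'{src}: {count} alert(s)')
```

Because the rule has no tag option in this version, every matching PRIVMSG from every host produces its own alert, so the per-host counter directly answers the question of how many clients joined the channel; the two non-matching PRIVMSG lines show why a prefixed IRC message or a long message silently escapes the depth:7 and dsize:<64 constraints.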