[Snort-sigs] Snort rule doesn't generate alerts when hosts responding simultaneously

Balasubramaniam Natarajan bala150985 at ...2420...
Sun Mar 11 22:55:07 EDT 2012

Hi Aymen,

Ignore my previous email.

A tag is used to tag both the source and destination and capture more
packets of them rather than just one packet which triggered the alert.

In the original rule once Snort sees PRIVMSG it would have tagged x.x.x.x
going to y.y.y.y and it would have captured all alerts up to 300 seconds.

If you are only interested in seeing how many client systems are involved in
the bot, you can change the rule to

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspecious act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; flow:to_server,established; classtype:bad-unknown; sid:2000346; rev:5;)

Kindly correct me if I am wrong.

Balasubramaniam Natarajan
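
Added example, not part of the original message and not Snort code: a simplified Python emulation of the per-packet checks in the rule above, run over constructed packets to count alerts per client source. The Pkt record, its to_server/established fields and all addresses are assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed packet record; to_server/established stand in for Snort's stream state.
Pkt = namedtuple("Pkt", "src dst to_server established payload")

def rule_matches(pkt):
    """Emulate the rule's checks on one packet (no tag option, so each packet is judged alone)."""
    if not (pkt.to_server and pkt.established):   # flow:to_server,established
        return False
    if not len(pkt.payload) < 64:                 # dsize:<64
        return False
    window = pkt.payload[0:7]                     # offset:0; depth:7
    return b"privmsg" in window.lower()           # content:"PRIVMSG"; nocase

def clients_alerting(packets):
    """Return {source address: alert count} for packets the rule would alert on."""
    alerts = {}
    for p in packets:
        if rule_matches(p):
            alerts[p.src] = alerts.get(p.src, 0) + 1
    return alerts

# Constructed sample traffic (documentation/private addresses).
SAMPLE = [
    Pkt("10.0.0.5", "192.0.2.10", True, True, b"PRIVMSG #chan :hello\r\n"),
    Pkt("10.0.0.6", "192.0.2.10", True, True, b"privmsg #chan :hi\r\n"),
    Pkt("10.0.0.5", "192.0.2.10", True, True, b"PRIVMSG #chan :again\r\n"),
    # Server-to-client direction: fails flow:to_server
    Pkt("192.0.2.10", "10.0.0.5", False, True, b"PRIVMSG #chan :relay\r\n"),
    # Keyword not inside the first 7 bytes: fails offset/depth
    Pkt("10.0.0.7", "192.0.2.10", True, True, b":nick PRIVMSG #chan :x\r\n"),
    # Payload of 77 bytes: fails dsize:<64
    Pkt("10.0.0.8", "192.0.2.10", True, True, b"PRIVMSG #chan :" + b"A" * 60 + b"\r\n"),
]

if __name__ == "__main__":
    for src, count in sorted(clients_alerting(SAMPLE).items()):
        print(src, count)
```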