[Snort-sigs] Tracking IRC servers on the network.
aymenco777 at ...3390...
Sun May 6 14:11:58 EDT 2012
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT IRC
Traffic Detected By Nick Change"; flow: to_server,established;
content:"NICK "; nocase; offset: 0; depth: 5;
flowbits:set,community_is_proto_irc; flowbits: noalert;
classtype:misc-activity; sid:100000240; rev:3;)
# Using the aforementioned is_proto_irc flowbits, do some IRC checks.
# This one looks for IRC servers running on the $HOME_NET
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal
IRC server detected"; flow: to_server,established;
flowbits:isset,community_is_proto_irc; classtype: policy-violation;
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT IRC message from
internal bot"; flow: established; flowbits:isset,community_is_proto_irc;
content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463;)
The above rules have been written by David
track IRC bot/server activity on any IRC port. However, the above
works fine but I have a problem with them. My problem is happening
when multiple IRC servers (some of them work on 7000 and the other work on
6667) run on the network some of them will achieve the conditions of the
rules and Snort will generate the alerts and some of them (or even one of
them) will not achieve these condition and as a result Snort wont generate
any alert related to the defined set. I think there's a kind of
inconsistency. Any suggestions on that issue? I am working on Snort 2.8.
Aymen Hassan AlAwady
Master Student of Computer Science (Distributed Computing & Networks)
School of Computer Sciences - Universiti Sains Malaysia (USM)
11800 USM, Penang,
Email: aymenh at ...3667...
P Do you really need to print this e-mail? Think globally, act locally
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs