[Snort-sigs] Tracking IRC servers on the network.

Aymen AlAwady aymenco777 at ...3390...
Sun May 6 14:11:58 EDT 2012


Hi all,


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT IRC Traffic Detected By Nick Change"; flow:to_server,established; content:"NICK "; nocase; offset:0; depth:5; flowbits:set,community_is_proto_irc; flowbits:noalert; classtype:misc-activity; sid:100000240; rev:3;)

# Using the aforementioned is_proto_irc flowbits, do some IRC checks.
# This one looks for IRC servers running on the $HOME_NET

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal IRC server detected"; flow:to_server,established; flowbits:isset,community_is_proto_irc; classtype:policy-violation; sid:100000241; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT IRC message from internal bot"; flow:established; flowbits:isset,community_is_proto_irc; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463;)

The above rules were written by David Bianco
<http://blog.vorant.com/2006/03/detecting-common-botnets-with-snort.html> to
track IRC bot/server activity on any IRC port. The above rules work fine, but
I have a problem with them. My problem happens when multiple IRC servers (some
of them work on 7000 and the others work on 6667) run on the network: some of
them will meet the conditions of the rules and Snort will generate the alerts,
and some of them (or even one of them) will not meet these conditions, and as
a result Snort won't generate any alert related to the defined set. I think
there's a kind of inconsistency. Any suggestions on that issue? I am working
on Snort 2.8.


Thank you.

Kind Regards,


-Aymen

-- 
Aymen Hassan AlAwady
Master Student of Computer Science (Distributed Computing & Networks)
School of Computer Sciences - Universiti Sains Malaysia (USM)
11800 USM, Penang,
MALAYSIA
H/P: +60176181394
Email: aymenh at ...3667...
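
To see how the flowbits chain above decides whether the PRIVMSG rule ever fires for a session, here is an added Python model of the three rules (example code, not from the original post and not David Bianco's rules). It assumes $HOME_NET is 192.168.0.0/16 and $EXTERNAL_NET is !$HOME_NET; the three sessions are constructed, not captured.

```python
import ipaddress

# Assumed variable values for this example. In snort.conf $EXTERNAL_NET
# defaults to "any", which would change the outcome of the third session.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")
def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET
def is_external(ip):
    return not is_home(ip)  # models EXTERNAL_NET = !$HOME_NET

def evaluate(session):
    """Run the three chained rules over one TCP session.
    session: list of (src, dst, direction, payload) in wire order, with
    direction "to_server" or "to_client". Returns the msg of each alert.
    The flowbit is scoped to the session, as Snort scopes flowbits."""
    flowbits = set()
    alerts = []
    for src, dst, direction, payload in session:
        # sid 100000240 sets the bit and never alerts (flowbits:noalert).
        # content:"NICK "; offset:0; depth:5 only matches at byte 0.
        if (direction == "to_server" and is_home(src) and is_external(dst)
                and payload[:5].upper() == b"NICK "):
            flowbits.add("community_is_proto_irc")
        # sid 100000241: external client talking to an internal server.
        if (direction == "to_server" and is_external(src) and is_home(dst)
                and "community_is_proto_irc" in flowbits):
            alerts.append("COMMUNITY BOT Internal IRC server detected")
        # sid 1463: any home->external packet carrying PRIVMSG, once set.
        if (is_home(src) and is_external(dst)
                and "community_is_proto_irc" in flowbits
                and b"PRIVMSG " in payload.upper()):
            alerts.append("CHAT IRC message from internal bot")
    return alerts

# Constructed sessions, not captures. Ports do not matter to these rules.
BOT, SRV, EXT, INT = "192.168.1.10", "203.0.113.5", "203.0.113.9", "192.168.1.20"
SESSION_NICK_FIRST = [
    (BOT, SRV, "to_server", b"NICK bot1\r\n"),
    (SRV, BOT, "to_client", b":irc 001 bot1 :Welcome\r\n"),
    (BOT, SRV, "to_server", b"PRIVMSG #c :hello\r\n"),
]
# Same client, but PASS and NICK share one segment: NICK is not at offset 0.
SESSION_PASS_FIRST = [
    (BOT, SRV, "to_server", b"PASS s3cret\r\nNICK bot2\r\n"),
    (BOT, SRV, "to_server", b"PRIVMSG #c :hello\r\n"),
]
# External client to an internal server: the NICK travels external->home.
SESSION_INTERNAL_SERVER = [
    (EXT, INT, "to_server", b"NICK guest\r\n"),
    (EXT, INT, "to_server", b"PRIVMSG #c :hi\r\n"),
]
```

Only the first session alerts: a NICK that is not the first bytes of its segment never sets the flowbit, and with non-overlapping HOME_NET/EXTERNAL_NET the setting rule cannot match the same session that the internal-server rule inspects.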

