<p style="margin-top:0px;margin-right:0px;margin-bottom:1em;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:14px;vertical-align:baseline;background-image:initial;background-color:rgb(255,255,255);clear:both;word-wrap:break-word;font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px;text-align:left">

Hi,</p><p style="margin-top:0px;margin-right:0px;margin-bottom:1em;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:14px;vertical-align:baseline;background-image:initial;background-color:rgb(255,255,255);clear:both;word-wrap:break-word;font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px;text-align:left">

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspicious act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown; sid:2000346; rev:4;)</p>

<p style="margin-top:0px;margin-right:0px;margin-bottom:1em;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:14px;vertical-align:baseline;background-image:initial;background-color:rgb(255,255,255);clear:both;word-wrap:break-word;font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px;text-align:left">

The above rule is written to monitor bots sending response messages to the botmaster. The rule works fine, but only when a single bot is responding; there is no alert, not even one alert for one host, when more than one host responds simultaneously. I have changed the session time to 30 or 150, but no luck.</p>

<p style="margin-top:0px;margin-right:0px;margin-bottom:1em;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:14px;vertical-align:baseline;background-image:initial;background-color:rgb(255,255,255);clear:both;word-wrap:break-word;font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px;text-align:left">

Any tips or tricks to make it efficient?</p><p style="margin-top:0px;margin-right:0px;margin-bottom:1em;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:14px;vertical-align:baseline;background-image:initial;background-color:rgb(255,255,255);clear:both;word-wrap:break-word;font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px;text-align:left">

Thanks.</p><p style="margin-top:0px;margin-right:0px;margin-bottom:1em;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:14px;vertical-align:baseline;background-image:initial;background-color:rgb(255,255,255);clear:both;word-wrap:break-word;font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px;text-align:left">

-Aymen</p><div><br></div>-- <br>Aymen Hassan AlAwady<div><div><span style="font-family:'Times New Roman';font-size:medium"><font face="arial" style="text-indent:0px!important;font-size:small">Master Student of Computer Science (</font></span><span style="font-family:'Times New Roman';font-size:medium"><span style="text-indent:0px!important;font-family:Verdana,Arial;border-collapse:collapse;line-height:12px;font-size:small">Distributed Computing & Networks</span></span><span style="font-family:'Times New Roman';font-size:medium"><font face="arial" style="text-indent:0px!important;font-size:small">) </font></span><div style="text-indent:0px!important;font-family:arial;font-size:small">

School of Computer Sciences - Universiti Sains Malaysia (USM)</div><div style="text-indent:0px!important;font-family:'Times New Roman';font-size:medium"><span style="text-indent:0px!important;line-height:20px"><font face="Arial" size="2" style="text-indent:0px!important;font-size:10pt">11800 USM, Penang,<br style="text-indent:0px!important;line-height:20px">

MALAYSIA</font></span><br style="text-indent:0px!important"><div style="text-indent:0px!important;font-family:arial;font-size:small">H/P: +60176181394<br style="text-indent:0px!important">Email: <a href="mailto:aymenh@...3667..." style="text-indent:0px!important" target="_blank">aymenh@...3667...</a><br style="text-indent:0px!important">

</div><div style="text-indent:0px!important;font-family:arial;font-size:small"><br style="text-indent:0px!important"></div><div style="text-indent:0px!important;font-family:arial;font-size:small"><br style="text-indent:0px!important">

</div><div style="text-indent:0px!important;font-family:arial;font-size:small"><span style="text-indent:0px!important;font-family:arial,sans-serif;font-size:13px;border-collapse:collapse;color:rgb(51,51,51)"><font size="2" color="green" face="Webdings" style="text-indent:0px!important"><span style="text-indent:0px!important;font-size:10pt;font-family:Webdings;color:green">P</span></font><font size="2" color="navy" face="Arial" style="text-indent:0px!important"><span style="text-indent:0px!important;font-size:10pt;font-family:Arial;color:navy"> </span></font><font size="2" color="green" face="Tahoma" style="text-indent:0px!important"><span lang="EN-US" style="text-indent:0px!important;font-size:10pt;font-family:Tahoma;color:green">Do you really need to print this e-mail? Think globally, act locally</span></font></span></div>

</div></div></div><br>
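<p>Added example (not part of the original post, and not Snort's own detection engine): a small Python evaluator for the packet-level match conditions of the rule quoted above, namely <code>content:"PRIVMSG"; offset:0; depth:7; nocase</code>, <code>dsize:&lt;64</code> and <code>flow:to_server,established</code>, applied to constructed sample traffic from two bots talking to one hypothetical IRC server (addresses, ports and payloads are made up). It counts matches per TCP session so you can see what the rule itself should fire on when several hosts respond at once; the <code>tag:session</code> post-detection behaviour the post asks about is not modelled here.</p>

```python
# Added example: toy evaluator for the match options of the quoted Snort rule.
# This is an illustration, not Snort's engine. Hosts, ports and payloads below
# are constructed for the example.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool     # True when the segment flows client -> server
    established: bool   # True once the TCP handshake has completed
    payload: bytes


# The option values taken from the rule in the post.
RULE = {
    "content": b"PRIVMSG",
    "offset": 0,
    "depth": 7,
    "nocase": True,
    "dsize_max": 64,    # dsize:<64 -> payload length strictly less than 64
}


def matches_rule(pkt: Packet, rule=RULE) -> bool:
    """Apply flow, dsize and content/offset/depth/nocase to one packet."""
    # flow:to_server,established
    if not (pkt.to_server and pkt.established):
        return False
    # dsize:<64
    if len(pkt.payload) >= rule["dsize_max"]:
        return False
    # content must lie inside the window [offset, offset+depth)
    window = pkt.payload[rule["offset"]:rule["offset"] + rule["depth"]]
    needle = rule["content"]
    if rule["nocase"]:
        window, needle = window.lower(), needle.lower()
    return needle in window


def session_key(pkt: Packet):
    """Identify the TCP session the packet belongs to (client side first)."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def alerts_per_session(packets):
    """Return {session_key: number of packets that satisfy the rule}."""
    counts = {}
    for pkt in packets:
        if matches_rule(pkt):
            key = session_key(pkt)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed traffic: two bots on different hosts replying at the same time
# to the same hypothetical IRC server 203.0.113.5:6667.
SAMPLE = [
    Packet("10.0.0.11", 40001, "203.0.113.5", 6667, True, True,
           b"PRIVMSG #c :done\r\n"),
    Packet("10.0.0.12", 40002, "203.0.113.5", 6667, True, True,
           b"privmsg #c :done\r\n"),                      # nocase
    # server -> client: must not fire (flow:to_server)
    Packet("203.0.113.5", 6667, "10.0.0.11", 40001, False, True,
           b"PRIVMSG #c :ack\r\n"),
    # PRIVMSG not within the first 7 bytes: must not fire (offset/depth)
    Packet("10.0.0.11", 40001, "203.0.113.5", 6667, True, True,
           b":nick PRIVMSG #c :x\r\n"),
    # exactly 64 bytes of payload: must not fire (dsize:<64)
    Packet("10.0.0.12", 40002, "203.0.113.5", 6667, True, True,
           b"PRIVMSG #c :" + b"A" * 50 + b"\r\n"),
]

if __name__ == "__main__":
    for key, n in alerts_per_session(SAMPLE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  matching packets: {n}")
```

<p>Run as written, the script reports one matching packet for each of the two bot sessions and none for the server-to-client, mis-positioned or oversized payloads, which is the per-host behaviour the rule's match options alone would give.</p>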