Hi all,

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT IRC Traffic Detected By Nick Change"; flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; flowbits:set,community_is_proto_irc; flowbits: noalert; classtype:misc-activity; sid:100000240; rev:3;)

# Using the aforementioned is_proto_irc flowbits, do some IRC checks.
# This one looks for IRC servers running on the $HOME_NET

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal IRC server detected"; flow: to_server,established; flowbits:isset,community_is_proto_irc; classtype: policy-violation; sid:100000241; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT IRC message from internal bot"; flow: established; flowbits:isset,community_is_proto_irc; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463;)

The above rules have been written by David Bianco (http://blog.vorant.com/2006/03/detecting-common-botnets-with-snort.html) to track IRC bot/server activity on any IRC port. However, the above rules work fine, but I have a problem with them. My problem happens when multiple IRC servers (some of them work on 7000 and the others work on 6667) run on the network: some of them will meet the conditions of the rules and Snort will generate the alerts, and some of them (or even one of them) will not meet these conditions, and as a result Snort won't generate any alert related to the defined set. I think there's a kind of inconsistency. Any suggestions on that issue? I am working on Snort 2.8.

Thank you.

Kind Regards,

-Aymen

--
Aymen Hassan AlAwady
Master Student of Computer Science (Distributed Computing & Networks)
School of Computer Sciences - Universiti Sains Malaysia (USM)
11800 USM, Penang,
MALAYSIA
H/P: +60176181394
Email: aymenh@...3667...
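Editor's note, added to this post and not part of Aymen's message or of Snort: the three rules share one piece of per-flow state, the flowbit community_is_proto_irc, and sid:1463 and sid:100000241 can only alert on a session in which sid:100000240 has already set that bit. The toy model below reproduces just the rule options in play (flow, flowbits, content with offset/depth and nocase) over constructed traffic, so you can see two ordinary ways a bot session never sets the bit: the client sends "NICK " somewhere other than payload offset 0 (for instance after PASS in the same segment, which offset:0 depth:5 excludes), or the session was already up before Snort started watching, so flow:established never matches. The HOME_NET value, flow labels, addresses and payloads are all assumptions made for the example.

```python
"""
Toy model of Snort flowbits, added as an illustration; this is not Snort code
and not part of the original post.  It models only the rule options the three
IRC rules use and assumes $HOME_NET = 10.0.0.0/8 with $EXTERNAL_NET = everything
else.  Flow labels, addresses and payloads below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed value of $HOME_NET
IRC_BIT = "community_is_proto_irc"


def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET


@dataclass(frozen=True)
class Packet:
    flow: str          # constructed flow label standing in for the 5-tuple
    src: str
    dst: str
    to_server: bool    # True for client -> server packets
    established: bool  # True only if Snort saw this flow's TCP handshake
    payload: bytes


@dataclass
class FlowState:
    bits: set = field(default_factory=set)


def rule_nick(p, st):
    """sid:100000240: $HOME_NET -> $EXTERNAL_NET, flow:to_server,established,
    content:"NICK " nocase offset:0 depth:5.  Sets the flowbit, never alerts."""
    if (is_home(p.src) and not is_home(p.dst) and p.to_server and p.established
            and p.payload[:5].upper() == b"NICK "):
        st.bits.add(IRC_BIT)
    return None  # flowbits:noalert


def rule_internal_server(p, st):
    """sid:100000241: $EXTERNAL_NET -> $HOME_NET, flow:to_server,established,
    flowbits:isset."""
    if (not is_home(p.src) and is_home(p.dst) and p.to_server and p.established
            and IRC_BIT in st.bits):
        return "COMMUNITY BOT Internal IRC server detected"
    return None


def rule_privmsg(p, st):
    """sid:1463: $HOME_NET -> $EXTERNAL_NET, flow:established, flowbits:isset,
    content:"PRIVMSG " nocase anywhere in the payload."""
    if (is_home(p.src) and not is_home(p.dst) and p.established
            and IRC_BIT in st.bits and b"PRIVMSG " in p.payload.upper()):
        return "CHAT IRC message from internal bot"
    return None


RULES = (rule_nick, rule_internal_server, rule_privmsg)


def run(packets):
    """Evaluate every rule against every packet, keeping flowbits per flow.
    Returns {flow: [alert messages]} with an entry for every flow seen."""
    states = {}
    alerts = {}
    for p in packets:
        st = states.setdefault(p.flow, FlowState())
        alerts.setdefault(p.flow, [])
        for rule in RULES:
            msg = rule(p, st)
            if msg:
                alerts[p.flow].append(msg)
    return alerts


# Constructed traffic: three bot sessions from 10.0.0.0/8 to outside IRC servers.
SAMPLE = [
    # Flow A: handshake seen, "NICK " is the first thing in its own segment.
    Packet("A", "10.0.0.5", "203.0.113.10", True, True, b"NICK bot1\r\n"),
    Packet("A", "10.0.0.5", "203.0.113.10", True, True, b"PRIVMSG #c :hi\r\n"),
    # Flow B: PASS, NICK and USER arrive in one segment, so "NICK " is not at
    # payload offset 0 and the flowbit is never set.
    Packet("B", "10.0.0.6", "203.0.113.11", True, True,
           b"PASS s3cret\r\nNICK bot2\r\nUSER bot2 0 * :bot2\r\n"),
    Packet("B", "10.0.0.6", "203.0.113.11", True, True, b"PRIVMSG #c :hi\r\n"),
    # Flow C: session was already up when Snort started, so the handshake was
    # never seen and flow:established never matches.
    Packet("C", "10.0.0.7", "203.0.113.12", True, False, b"NICK bot3\r\n"),
    Packet("C", "10.0.0.7", "203.0.113.12", True, False, b"PRIVMSG #c :hi\r\n"),
]

if __name__ == "__main__":
    for flow, msgs in run(SAMPLE).items():
        print(flow, msgs or "no alert")
```

Running it prints an alert for flow A only; flows B and C carry the same PRIVMSG traffic but never had the flowbit set, which is the kind of per-session difference that looks like inconsistent alerting when several IRC servers are in use.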