[Snort-users] Getting 'portscanned' by IRC servers.

Erich Meier Erich.Meier at ...99...
Tue Sep 26 13:20:00 EDT 2000

On Mon, Sep 25, 2000 at 04:14:31PM -0700, Daniel Swan wrote:
> Interesting replies from all regarding the IRC servers... I'm sure that's put more than myself at unease.  (I can't be the only IRC-ignorant person in the world!)
> So what's the best way to ignore these?  Am I putting myself at significant risk by ignoring alerts from IRC servers?
> How should I go about ignoring them?

Well, the number of IRCservers your mate is connecting to should be pretty
limited. So you could add a

# IRCd tries to backconnect to 1080 to check for open WinGates
pass tcp <IRCSERVERIP>/32 any -> $INTERNAL 1080 (flags: S;)

line for everyone of them.

As IRCservers are constantly under attack, you shouldn't run an "ignore all"
policy here.


More information about the Snort-users mailing list