[Snort-users] Newbie: Bot Detection Rule

Brian Caswell bmc at ...312...
Thu Jun 21 14:56:17 EDT 2001


George Yobst wrote:
> I was just reading this article about how Gibson Research
> was knocked off the net ( http://grc.com/dos/grcdos.htm ).
> Near the end of the article was a section on detecting these
> bots.  As a new snort user, I can probably RTM and create
> some rules that create an alert for ports 6667 and 113,
> but how do I test it?  -George

heh.

oooooh a spy bot.  WOW!!!  You could write your own spy bot in some
super leet language like TCL or something.  Mad leet yo.

Then you too can *STOP* those *EVIL* hackers!!!!

Am I the only person that is tired of hearing about how Steve Gibson
is the greatest anti-hacker in the world? 

alert tcp any any -> any 6667 (msg:"Evil HACKERS!!! stop the evil HACKERS!!!";)
alert udp any any -> any 666 (msg:"We are under *ATTACK* by UDP PACKETS!!!";)
alert icmp any any -> any any (msg:"DoS!!!  DoS!!!  We are under attack by DoS!!!";)

-brian

P.S. This is personal opinion only.  I'm talking on behalf of
myself and myself only.



