[Snort-users] Newbie: Bot Detection Rule
cmg at ...671...
Thu Jun 21 17:52:37 EDT 2001
George Yobst <george at ...2364...> writes:
> Hi Craig,
> Sorry about the appalling lack of info. I'm running
> it on a FreeBSD 4.3 Stable with IPFilter as the FW.
> My question comes down to this:
> The rule(s) I can create, but how do I actually test
> them to make sure they work?
Generate the traffic the rule is catching.
> I'm not up to creating fake bots. I don't want to
> get one and unleash it on my network. Is there
> a way to create packets with that port number that
> I can use to run thru Snort? Something that will
> trigger the alert to make sure it works?
Telnet with the correct ports. Use netcat.
> I don't care about Gibson, the man. I do care about
> his research, and its potential. I want to be
> prepared for this kind of attack and I don't want
> my organization's computers to be used by the Bots.
Try http://www.undernet.org/ or something like that and get a regular
irc client and try to connect to a server. You will see identd
connections and you will see the irc signon process.
You should be aware that not everyone that uses irc is a leet 15 year
old, so you should see your organization's own policies before doing a
Chris Green <cmg at ...671...>
A watched process never cores.
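As an added example (not part of Chris Green's reply or of Snort itself), one way to do what he suggests on a test host you control: write a minimal Snort rule for the IRC port and drive a netcat connection at a listener so the rule fires. Port 6667 is the conventional IRC port; the sid, the rule file path and the fake nick are assumptions.

```shell
#!/bin/sh
# Constructed example: a single Snort rule that alerts on a TCP connection
# attempt to the IRC port, plus a netcat-driven way to generate matching
# traffic so the rule can be checked before it is trusted.
IRC_PORT=6667                                  # conventional IRC port (assumption)
RULE_FILE="${RULE_FILE:-${TMPDIR:-/tmp}/local-bot-test.rules}"   # assumed path

# Write the test rule. flags:S matches the SYN of a new connection, so
# one connect() from netcat or telnet is enough to trigger it.
# sid 1000001 sits in the range reserved for local rules (assumption).
write_test_rule() {
    cat > "$RULE_FILE" <<EOF
alert tcp any any -> any $IRC_PORT (msg:"TEST possible IRC bot connect"; flags:S; sid:1000001; rev:1;)
EOF
    echo "$RULE_FILE"
}

# Print the rule back for a visual check before including it in snort.conf
# (include \$RULE_PATH/local-bot-test.rules, then run snort -c snort.conf).
show_test_rule() {
    cat "$RULE_FILE"
}

# Generate one TCP connection to host:port carrying a minimal IRC signon,
# using netcat if present and falling back to a hint for telnet otherwise.
# Point it at a throwaway listener (e.g. "nc -l -p 6667" on a lab box) that
# the sensor can see; no real IRC server or bot is involved.
gen_test_traffic() {
    host="${1:-127.0.0.1}"
    port="${2:-$IRC_PORT}"
    if command -v nc >/dev/null 2>&1; then
        printf 'NICK snorttest\r\nUSER snorttest 0 * :snorttest\r\nQUIT\r\n' \
            | nc -w 2 "$host" "$port"
    else
        echo "netcat not found; try: telnet $host $port" >&2
        return 1
    fi
}
```

Run the sensor with the rule loaded, call gen_test_traffic against the listener, and confirm the "TEST possible IRC bot connect" alert appears in the alert file before relying on the rule.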